On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).
The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
The new Code notes that organizations must adhere to certain key data protection principles when sharing personal data, including ensuring accountability and demonstrable compliance, fair and transparent personal data sharing, reliance on lawful bases for personal data sharing and maintenance of appropriate personal data security.
The Code explores many aspects of personal data sharing, including data protection impact assessments (which the ICO recommends as best practice, even in situations where these are not legally required) and personal data sharing agreements, which are also regarded as good practice. The Code also stresses that the data protection rights of individuals should be respected in situations where personal data is shared.
Among other things, the ICO considers personal data sharing in emergency situations and sharing the personal data of children (which should only be considered if there is a compelling reason to do so, taking into account the child’s best interests). The Code explores issues regarding the sharing of personal data as part of due diligence in the context of mergers and acquisitions and the sharing of databases and lists, and also considers when exemptions to compliance with certain data protection obligations may apply in the context of personal data sharing.
The ICO aims to clarify various common misconceptions about data sharing (such as the often-held but mistaken belief that personal data can only be shared with the relevant data subjects’ consent) and emphasizes the many benefits of data sharing when carried out in a fair and proportionate way. The Code also includes certain helpful tools for use by data controllers when sharing data (e.g. template data sharing requests and decision forms).
The new Code and additional resources should provide welcome clarity and pragmatic guidance for businesses on how to share personal data with other organizations in a fair, safe, transparent and, above all, compliant way.