On 17 December 2020, the Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice (“Code“), a practical guide for organisations on how to share personal data in compliance with the data protection law. The Code replaces the ICO’s previous Data Sharing Code published in 2011 under the Data Protection Act 1998. It should be noted that the Code only covers sharing of personal data between controllers (with a focus on data sharing between separate controllers); sharing data with processors or within an organisation is not within the scope of the Code. Annex C of the Code provides useful case studies of organisations sharing personal data and there is a handy checklist that pulls together the key steps that organisations need to take when establishing data sharing.
The ICO acknowledges that data sharing has benefits for society as a whole and sometimes it can be more harmful not to share data – the role of data sharing during the pandemic through enabling Test and Trace and assisting vulnerable patients is a pertinent example. In that regard, the ICO explains that the legal framework is an “enabler to responsible data sharing” and clarifies some of the myths that currently exist (e.g. data can only be shared with data subjects’ consent). The Code will assist organisations to balance the risks and benefits of data sharing and implement it in a way that is fair, transparent and proportionate.
In this article, we explain the key takeaways from the Code, although in our view the Code formalises current practices that we see and have already adopted when advising on data sharing agreements and requirements, and does not add anything unusual or new.
1. Data protection principles
Like with any type of processing activity, organisations must follow the data protection principles of the General Data Protection Regulation (GDPR) when sharing personal data. The Code explains in detail how these principles apply in the context of data sharing. For example, organisations must think about how they can demonstrate that they have complied with the GDPR when sharing data (i.e. “the accountability principle”), check that data is transferred in a secure manner (“security principle”) and ensure that individuals know what is happening to their data (“transparency principle”).
2. Data Protection Impact Assessments (DPIA) and Data Sharing Agreements (DSA)
Organisations are required to carry out a Data Protection Impact Assessment (“DPIA“) for sharing of data that is “likely to result in a high risk to individuals”. This is typically triggered where the processing involves, for example, use of innovative technology, profiling individuals on a large scale, processing biometric data and matching data or combining datasets from different sources.
Even where a DPIA is not required, the Code recommends that organisations carry it out anyway especially if data sharing forms part of a major project or routine data sharing is involved. A DPIA can assist organisations to identify risks and assess the proportionality of the proposed data sharing and furthermore promote the data subject’s trust in the organisations’ processing of data.
The Code states that a data sharing agreement (“DSA“) between the parties sharing data can form a major part of the compliance with the accountability principle under GDPR, although it is not mandatory. A DSA can assist organisations to justify the data sharing, demonstrate that the relevant issues have been considered and documented and, as a whole, provides a framework to comply with the data protection principles. The Code provides a detailed breakdown of the types of information a DSA should include.
Whilst having a DSA does not provide immunity from breaching the law, the ICO will take into account the existence of any relevant DSA when assessing any complaint it receives about an organisation’s data sharing activities.
3. Data sharing as part of merger or restructure
The Code provides a concise set of action items for organisations to consider as part of data sharing in the context of a merger or a change in organisational structure, which means that data is transferred to a different organisation. For example, organisations should follow the general rules around data sharing as explained in the Code and comply with the GDPR principles, seek technical advice before sharing data where different systems are involved and consider when and how data subjects will be informed about what is happening. This is likely in response to the increasing value attributed to data as a significant asset in business sales.
4. Transfer of Databases
Even outside of mergers and acquisitions, businesses trade data. Transfer of databases or lists of individuals from organisations such as data brokers or marketing agencies is a form of data sharing, whether for money or other consideration, and whether for profit or not. The Code explains that organisations receiving the data must carry out the appropriate enquiries and checks to ensure that databases or lists they are receiving is being shared in compliance with the data protection law and be able to respond to any complaints about them. Some of these action items include confirming the source of the data, checking the details of the privacy notice that was given to individuals and ensuring that the data received is not excessive or irrelevant. The Code adds that it is good practice to have a written contract with the organisation supplying the data.
5. Data sharing in an emergency
In a chapter surely inspired by the pandemic, the Code states that in an emergency, organisations should go ahead and share data as is necessary and proportionate. Examples of emergency situations include preventing serious physical harm to a person and protection of public health. The Code specifically references tragedies over recent years such as the Grenfell Tower fire, major terrorist attacks in London and Manchester, and the crisis arising from the coronavirus pandemic as examples of how urgent or rapid data sharing can make a real difference to public health and safety. In these situations, it might be more harmful not to share data than to share it. In that regard, organisations should factor in the risks involved in not sharing data.
As part of complying with the accountability principle, organisations should document the assessment of any urgent data sharing they have carried out. If written records could not be drafted at the time the data sharing took place, then this should be done retrospectively.