On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws.  The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors.  The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).

Key practical points from the draft Code are

  • As a first step to embarking on data sharing, organizations should decide whether to carry out a Data Protection Impact Assessment (DPIA). Organizations should also take into account various factors (such as the purposes of the data sharing, whether anonymization is possible, what risks may be posed to individuals, and so forth) before deciding to share personal data. A list of suggested questions to consider is provided in pp. 22-23 of the draft Code.
  • It is good practice for organizations sharing personal data to put in place a data sharing agreement. Data sharing agreements should set out the purpose of the data sharing, cover what happens to the data at each stage, set standards, and clarify the roles of the parties involved.  A list of suggested issues that should be addressed in a data sharing agreement is provided in pp. 26-29 of the draft Code.  Organizations are also advised to keep data sharing agreements under review as a project progresses.
  • In order to ensure compliance with the accountability principle, organizations should maintain records as required by data protection law. These include records of processing activities, records of privacy notices provided, records of consent obtained (where applicable), records of lawful basis for processing, and records of personal data breaches.
  • When deciding to share personal data, organizations should also check to ensure they comply with any other applicable laws (e.g., human rights law, rules on public sector data sharing, and others) and consider whether it is ethical to share the data.

While the draft Code builds on the existing Code, it provides quite a bit of new information, including placeholders where additional content will be added before the document is finalized (e.g., a section on sharing data outside of the European Economic Area, as well as updated data sharing checklists and new template for data sharing request & decision forms).  The draft Code includes several new sections on specific topics of interest, such as data sharing and children, data sharing in the context of M&A deals, sharing of databases and lists, data ethics and data trusts, and law enforcement processing.  While checklists and other forms in Annex A and B are still forthcoming, Annex D provides a number of useful case studies applying the content of the draft Code to real-life scenarios.

After the public consultation period, which ends on September 9, 2019, the draft Code will be approved by Parliament before it becomes a statutory code of practice.  Although failure to comply with the Code will not of itself be a cause of action, processing personal data in breach of the Code will usually result in a breach of the GDPR or the DPA.  Also, the Code can be used as evidence in legal proceedings, and the ICO, courts and tribunals are required to take into account the provisions in the Code where relevant.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.