On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws. The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors. The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).
Key practical points from the draft Code are:
- As a first step to embarking on data sharing, organizations should decide whether to carry out a Data Protection Impact Assessment (DPIA). Organizations should also take into account various factors (such as the purposes of the data sharing, whether anonymization is possible, what risks may be posed to individuals, and so forth) before deciding to share personal data. A list of suggested questions to consider is provided in pp. 22-23 of the draft Code.
- It is good practice for organizations sharing personal data to put in place a data sharing agreement. Data sharing agreements should set out the purpose of the data sharing, cover what happens to the data at each stage, set standards, and clarify the roles of the parties involved. A list of suggested issues that should be addressed in a data sharing agreement is provided in pp. 26-29 of the draft Code. Organizations are also advised to keep data sharing agreements under review as a project progresses.
- In order to ensure compliance with the accountability principle, organizations should maintain the records required by data protection law. These include records of processing activities, records of privacy notices provided, records of consent obtained (where applicable), records of the lawful basis relied on for processing, and records of personal data breaches.
- When deciding to share personal data, organizations should also check to ensure they comply with any other applicable laws (e.g., human rights law, rules on public sector data sharing, and others) and consider whether it is ethical to share the data.
While the draft Code builds on the existing Code, it provides quite a bit of new information, including placeholders where additional content will be added before the document is finalized (e.g., a section on sharing data outside of the European Economic Area, as well as updated data sharing checklists and new templates for data sharing request and decision forms). The draft Code includes several new sections on specific topics of interest, such as data sharing and children, data sharing in the context of M&A deals, sharing of databases and lists, data ethics and data trusts, and law enforcement processing. While the checklists and other forms in Annexes A and B are still forthcoming, Annex D provides a number of useful case studies applying the content of the draft Code to real-life scenarios.
After the public consultation period, which ends on September 9, 2019, the draft Code will be laid before Parliament for approval before it becomes a statutory code of practice. Although failure to comply with the Code will not of itself give rise to a cause of action, processing personal data in breach of the Code will usually amount to a breach of the GDPR or the DPA. The Code can also be used as evidence in legal proceedings, and the ICO, courts and tribunals are required to take its provisions into account where relevant.