ICO introduces new Data Sharing Code of Practice

Last year, the Information Commissioner’s Office published a new data sharing code of practice (Code), which the Secretary of State has now laid it before Parliament. Assuming there are no objections from Parliament, this new Code will come into force in July 2021.

The Code’s executive summary includes a reminder of the key principles of data protection:

• The accountability principle – controllers and processors are responsible for compliance with the law and must be able to demonstrate their compliance.
• Personal data must only be shared fairly and transparently, meaning appropriate privacy information should be given to data subjects explaining who you may share their data with and why.
• You must identify at least one lawful basis for sharing data before you share it.
• Personal data must only be processed securely, with appropriate organisational and technical measures in place.

The Accountability Principle:

The accountability principle requires you to take responsibility for what you do with personal data. It also requires you to take responsibility for being compliant with the other UK GDPR principles, being:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality

Taking responsibility requires you to put in place appropriate measures and keep records, to demonstrate your compliance with the above principles. Such measures might include adopting and implementing data protection policies, putting written contracts in place with the organisations you share data with or that process data on your behalf, recording and reporting personal data breaches, appointing a data protection officer, and carrying out data protection impact assessments.

Ultimately, the accountability principle puts the onus of ensuring your compliance with UK GDPR on you, preventing you from offloading responsibility and blame onto other bodies or persons.

Fair and Transparent Sharing:

Personal data must only be used in a way that is fair. You must not share this data in a manner which is unduly detrimental, unexpected or misleading to the persons concerned.

To ensure that your data sharing is fair, you should make sure to consider how the sharing may impact the individuals concerned and should only share data in ways that they would reasonably expect. You should be able to justify any adverse impact or unexpected sharing to the persons in question. You must not deceive or mislead people when collecting their personal data. Instead, you should be clear, open and honest with people from the start about how you will share their personal data, and who you might share it with.

Identifying a Lawful Basis for Sharing:

You must have a valid lawful basis in order to share personal data. The lawful basis must be determined before you share the data, and it is advisable to record the basis before sharing. Your privacy notice should include your lawful basis for the sharing of data, as well as the reason(s) for sharing it.

The six lawful bases are:

• Consent: the individual has given clear consent for you to share their personal data for a specific purpose.
• Contract: the sharing of the data is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the sharing is necessary for you to comply with the law.
• Vital interests: the sharing is necessary to protect someone’s life.
• Public task: the sharing is necessary for you to perform a task in the public interest or for your official functions, and this task or function has a clear basis in law.
• Legitimate interests: the sharing is necessary for your legitimate interests, or for a third party’s legitimate interests, unless there is a good reason to protect the individual’s person data which overrides those legitimate interests.

Secure Processing of Personal Data:

The requirement to process personal data securely by means of appropriate technical and organisational measures puts an obligation on you to consider things like risk analysis, organisational policies, and other physical and technical measures. You may consider the costs of implementation when deciding what measures to take, but the measures must be appropriate to your circumstances and the risk your processing poses. The ICO has worked with the National Cyber Security Centre to develop an approach that can be used to assess what measures are appropriate for you. The ICO recommends using pseudonymisation and encryption, where appropriate.

The measures implemented must ensure the confidentiality, integrity and availability of your systems and services and the personal data you process. They must also enable you to restore access and availability to personal data promptly, in the event of a physical or technical incident. You also need to ensure that you have processes in place to test the effectiveness of your measures, and to introduce improvements in the event that they are found wanting.

Conclusion:

The ICO will take the Code into account when using its enforcement powers in relation to a potential breach of the UK GDPR. However, the Code should not be viewed as just an ICO enforcement tool. It is also a comprehensive source of guidance for all organisations engaging in data sharing.

The Code should make it easier for organisations to understand their obligations when it comes to the sharing of data, particularly when coupled with the ICO’s new data sharing information hub which provides various resources to be used in conjunction with the Code, including FAQs, checklists, and case studies.

You can view the Code here. The data sharing information hub is available here.