The ICO has published a new code of practice entitled the ‘Data Sharing Code’. The code came into force on October 5th 2021, after being published on September 14th 2021. DLA Piper provides a good overview of the new code of practice, a summary of which can be found below, however if you wish to read their article on the code, you can find it here.

The code’s aim is to provide guidance for organisations on how to share personal data in compliance with the relevant data protection legislation, including how to share data legally and fairly, as well as how to meet the obligations that data protection law imposes on organisations. Whilst the new code isn’t new law itself, it is still a code of practice that should be followed. The ICO have stated that following the new code isn’t a legal requirement, however they will take the code into account when establishing whether an organisation has adhered to data protection laws or not. The code can also be used in court as evidence, so we therefore recommend that your organisation familiarise themselves with the new code and follow its practices in your processes. 

The DLA Piper details the main areas the the code covers, which I’ll summarise below:

 

1. Data sharing between controllers.

• Where processors and controllers are concerned, the code only covers data sharing between controllers, and not between controllers and processors.

 

2. Data Protection Impact Assessments

• The ICO suggests in the new code that even when an organisation isn’t required to, they should take out a Data Protection Impact Assessment when entering thinking about sharing data, to ensure that they are aware of the risks it poses, and are able to take the necessary steps to mitigate that risk. The code also states that controllers should decide whether sharing the data would provide a benefit before they decide to do so.

3. Data Sharing Agreements

• The Code states that it is good practice for organisations (and mandatory for joint controllers) to have Data Sharing Agreements in place, and that the agreements must set out certain things about the data that is being shared. The agreement must state what happens to the data in each step, the roles and responsibilities for each party to the agreement, as well as the standards that they must adhere to. The Code also has model forms that organisations can use, as well as diagrams that show organisations how to decide whether to share data or not. When assessing any complaints, the ICO has stated that they will take any data sharing agreements into consideration.

4. Accountability

• The new code expresses the importance the ICO puts on accountability, stating that organisations entering into a data sharing agreement must comply with UK GDPR and the DPA, and the burden to prove this compliance is placed on the organisation. The code says that ways that this can be done include having data protection policies that adopt a “data protection by design and default” approach, and taking additional steps as they may be required. 

5. Fairness and Transparency in Data Sharing

• In this section, the ICO also stresses the importance of fairness and the need for organisations to think about what is the ‘right’ thing to do when thinking about sharing data. Data subjects must be made aware of the fact that their data is being shared in an easy to find and easy to understand format. Transparency is key here, and people must know what is happening with their data, with organisations only using people’s data in a proportionate way, and not in a way that would have any detrimental impact on the data subject. The code also mentions that organisations should think ethically about how they are sharing people’s data, and whether it is the ‘right’ thing to do.

6. Security

• Whilst it is true that when an organisation shares data with another organisation, the one receiving the data has a legal obligation to ensure the security of the data they receive, the sharing organisation should still take steps to ensure that when they share data, it will be safe. The types of things your organisation can do to fulfil this requirement are things like ensuring security standards are included in any data sharing agreements, and making sure that the recipient organisation is aware of the sensitivity and types of data that is being shared with them. The code also states that any issues revolving around the continued security of data after it is shared should be resolved before your organisation actually shares that data.

7. Data Subjects Rights

• Data Subjects must be able to access and exercise their rights easily, and your policies and procedures must reflect this. The policies that you provide data subjects must outline clearly what their rights are and how they exercise them. In situations where there are multiple organisations using people’s data, the code recommends that data subjects are provided with one contact point which will assist them in their rights to the totality of their data across all of the relevant organisations. Where data is processed automatically, extra steps must be taken according to the Code, such as carrying out a DPIA, as well as explaining to users that they are permitted to request human intervention and challenge any decisions. In these circumstances, your organisation must also take steps to mitigate any errors and biases in any systems.

8. M&A Transactions

• The Code also outlines the steps that may be needed to be taken if data is being shared as a result of a merger or acquisition. More details about this can be found on the DLA Piper article.

9. Sharing personal data in databases and lists

• The Code states that when data is shared on databases or lists, it is the responsibility of the recipient to ensure that they are satisfied with the integrity of the information they have received, and to do the relevant checks. These checks would include being aware of the source of the information, the lawful basis upon which it was obtained, as well as being aware of what subjects were told that their data was being shared. They must also check the privacy information that was supplied when the data was taken, as well as validating the dates and times the data was collected etc.

 10. Children’s Data

• The main area that will concern schools in particular is how the code details the manner in which children’s data is used and shared. The Code states that extra care should be taken where children’s data is concerned. Children’s data should only be shared when there is a demonstrable ‘compelling reason’ to do so, and the child’s best interests should always be of the highest importance. DPIA’s should also be carried out when sharing this type of data to ensure the rights of children are upheld, and any risks are mitigated. Due diligence checks should also always be carried out on the organisation that will be in receipt of children’s data.

As you may be able to imagine, the Code goes into much more detail than can be included in an article, so if you wish to go over some of the finer details, you can find the full Data Sharing Code here.