The sharing of personal data between organisations has many public and business benefits. However, there is much confusion about what the law allows, particularly the General Data Protection Regulation (GDPR).
In December, the Information Commissioner’s Office (ICO) finally published its Data Sharing Code of Practice following a consultation exercise. The code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the GDPR and the Data Protection Act 2018 (DPA 2018). In particular, the code:
- updates and reflects key changes in data protection law since the last data sharing code was published;
- explains new developments and their impact on data protection;
- references new areas for organisations to consider; and
- helps organisations to manage risks in sharing data, which are magnified if the quantity of data is large.
There is a useful section in the code addressing some misconceptions about data sharing and barriers to sharing. It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017, which seeks to promote data sharing across the public sector.
The code contains a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood, as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager, putting her “at greater risk.”
This is a statutory code of practice under section 121 of the DPA 2018. Under section 127, the Information Commissioner must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.
Elizabeth Denham said the COVID-19 pandemic has brought the need for fair, transparent and secure data sharing into even sharper focus:
“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.
That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”
Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance.
Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources, including:
- Data sharing myths busted
- Data sharing code: the basics for small organisations and businesses
- Data sharing FAQs for small organisations and businesses
- Case studies
- Data sharing checklists
- Data sharing request and decision forms template
- Sharing personal data with a law enforcement authority toolkit
- Guidance on sharing personal data with law enforcement authorities
- Guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes