Data Sharing: The ICO’s Data Sharing Code of Practice

The Information Commissioner’s Office’s (ICO) data sharing code of practice (the Code) came into force on 5 October 2021. The new Code replaces the previous version of the data sharing code, published in 2011 under the Data Protection Act 1998.

About the Code

The Code is incorporated into law under the Data Protection Act 2018 (DPA 2018). The Code is a practical guide for individuals, organisations and businesses about how to share personal data in compliance with data protection law. It aims to give confidence to share data fairly and proportionately.

The Information Commissioner – Elizabeth Denham CBE stated:

“We have written this Data Sharing Code to give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way in this changing landscape. This code will guide practitioners through the practical steps they need to take to share data while protecting people’s privacy. We hope to dispel many of the misunderstandings about data sharing along the way.”

Data sharing covered by the Code

The Code focuses on the sharing of personal data between data controllers. Data sharing between a controller and a processor is not covered by the Code. Likewise, the disclosure of data within the same organisation, where the controller is one and the same is not covered by the Code.

Considerations for individuals, organisations and businesses.

The Code concentrates on ensuring that data controllers comply with the data protection principles and demonstrate: accountability; fairness and transparency in data sharing; have a lawful basis for sharing; share the data securely and protect the rights of the individual data subjects. The Code specifically outlines:

“When sharing data, you must follow the key principles in data protection legislation:

• • • The accountability principle means that you are responsible for your compliance, and you must be able to demonstrate that compliance.
    • You must share personal data fairly and transparently.
    • You must identify at least one lawful basis for sharing data before you start any sharing.
    • You must process personal data securely, with appropriate organisational and technical measures in place.”

Data Projection Impact Assessments (DPIA)

When deciding to share data it is recommended that the first step is to carry out a DPIA, this allows for openness and transparency. A DPIA helps assess the risks and determine whether any additional safeguards are required. It will also help document the decision-making process which can be used to demonstrate compliance to the data subject or the ICO if the data sharing is ever challenged.

What happens if you fail to comply with the Code?

A failure to act in accordance with the Code does not of itself result in a breach of the UK GDPR or the DPA 2018. However, if you are in breach of the Code and this results in a breach of UK GDPR or the DPA 2018 then this could result in enforcement proceedings. Where you are in breach of the Code you may also find it more difficult to demonstrate that the data sharing is fair, lawful and accountable and complies with the UK GDPR or the DPA 2018. Nevertheless, failure to comply with the Code does not necessarily mean you will receive a penalty if you find another way to comply.

Practical guidance

The Code provides individuals, businesses and organisations with useful practical guidance such as data sharing checklists, data sharing templates, example case studies and due diligence considerations when sharing data in connection with mergers and acquisitions.

A link to the Code can be found here.