What is the new Data Sharing Code of Practice (“the Code”) and what do businesses need to know about it?

The Information Commissioner’s Office (“ICO”) published a new Data Sharing Code of Practice (“the Code”) on 17 December 2020.

Once approved by Parliament, it will be a statutory code of practice under the Data Protection Act 2018. As a result, the ICO is required to take the Code into account when considering whether an organisation has complied with data protection law when sharing personal data.

What is the new Data Sharing Code of Practice?

The Code replaces the ICO’s 2011 Data Sharing Code issued under the Data Protection Act 1998. It provides guidance on how to share personal data fairly, lawfully and in accordance with the accountability principle, which is at the core of data protection compliance. It recognises the importance of data sharing to the public and private sectors and its ability to deliver growth, technological innovation and improved service delivery.

The Code is designed to give practical guidance for organisations on how to share personal data safely.

What’s changed?

The ICO has confirmed that personal data can be shared in an emergency (e.g. to protect public health), which is of use during the current pandemic.

Information Commissioner Elizabeth Denham has said the COVID-19 pandemic brought the need for fair, transparent and secure data sharing into even sharper focus. She was quoted saying, “I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic. That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”

It is worth noting, however, that whilst the ICO recognises the importance and benefit of sharing personal data (particularly in an emergency situation) and does not want data protection legislation to be seen as a barrier to sharing data, it will still expect appropriate steps to be taken to ensure the data is shared in a fair, transparent and secure way.

Next Steps

A Privacy Impact Assessment (or DPIA or PIA for short) is always the starting point when considering the sharing of personal data.

A Privacy Impact Assessment should:

  • Describe the processing you are undertaking and the intended/desired outcomes of your processing;
  • Assess the nature and sensitivity of the data being processed; and
  • Consider the nature of your relationship with the data subject.

This information will allow you to assess the necessity and proportionality of the processing activity. Wherever risks to the data subject’s rights are identified, the Privacy Impact Assessment should set out how those risks will be addressed or mitigated.

It is also important to ensure that a robust data sharing agreement detailing the arrangements for the data sharing is put in place between the relevant parties.

If you need help with putting these measures in place, please get in touch.