Data Sharing Code of Practice

  • This is a statutory code of practice made under section 121 of the Data Protection Act 2018
  • Data sharing code of practice
    A practical guide for organisations about how to share personal data in compliance with data protection law
  • The code aims to give organisations confidence to share data fairly and proportionately
  • Data protection law
    Facilitates fair and proportionate data sharing when approached in the right way
  • Data protection law provides a framework to help organisations make decisions about sharing data
  • Data sharing has benefits for society as a whole, and sometimes it can be more harmful not to share data
  • When considering sharing data
    1. You must comply with data protection law
    2. Assess the risks using a Data Protection Impact Assessment (DPIA)
    3. Have a data sharing agreement
  • Key principles in data protection legislation to follow when sharing data
    • Accountability
    • Fairness and transparency
    • Lawfulness
    • Security
    • Allowing individuals to exercise their rights
  • You can share data in an emergency, as is necessary and proportionate
  • You may share children's data if you can demonstrate a compelling reason to do so, taking account of the best interests of the child
  • The government has devised a framework for the sharing of personal data, for defined purposes across the public sector, under the Digital Economy Act 2017 (DEA)
  • Now the UK has left the EU, the GDPR (which we refer to in this code as the EU GDPR) has been written into UK law as the UK GDPR, to sit alongside the DPA 2018
  • The ICO upholds information rights in the public interest and will use its powers in a targeted and proportionate manner
  • What you need to do or consider
    • Identify your objective in sharing the data
    • Be clear as to what data you are sharing
    • Consider the benefits and risks of sharing and not sharing
    • Carry out a Data Protection Impact Assessment (DPIA)
    • Put in place a data sharing agreement
    • Ensure you follow the data protection principles
    • Check your data sharing is fair and transparent
    • Identify at least one lawful basis for sharing the data before you start sharing it
    • Put in place policies and procedures that allow data subjects to exercise their individual rights easily
    • Be clear about sharing data under the law enforcement processing provisions
    • Demonstrate a compelling reason if you are planning to share children's data
    • Share data in an emergency as is necessary and proportionate
    • Document your decisions about the data sharing
    • Put in place quality checks on the data
    • Arrange regular reviews of the data sharing arrangement
    • Agree retention periods and make arrangements for secure deletion
  • This code contains practical guidance on how to share data fairly and lawfully, and how to meet your accountability obligations
  • The code can be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant
  • If you don't comply with the guidance in this code, you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable
  • The ICO can take enforcement action against you if you process personal data in breach of this code and this results in a breach of the UK GDPR or the DPA 2018
  • The code is mainly aimed at organisations that are controllers sharing personal data, in particular data protection officers and other individuals responsible for data sharing matters
  • The code also applies to controllers sharing data under the law enforcement processing regime (Part 3 DPA 2018), and between the UK GDPR/Part 2 DPA 2018 and Part 3 DPA 2018
  • The code is also aimed at controllers sharing data under the law enforcement processing regime (Part 3 DPA 2018), and between the UK GDPR/Part 2 DPA 2018 and Part 3 DPA 2018
  • Much of the advice is applicable to public, private and social sector organisations. Some of the code is necessarily focused on sector-specific issues. However, the majority of the code applies to all data sharing, regardless of its scale and context
  • Reading and understanding this code and adopting its practical recommendations will give you confidence to collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information you are sharing
  • The code will help you identify what you need to consider before you share personal data and clarify when it is appropriate for you to do so
  • Data protection law is an enabler for fair and proportionate data sharing, rather than a blocker. It provides a framework to help you make decisions about sharing data
  • Many of the requirements of data protection law simply place on a statutory footing the good practice that you will already have followed, or plan to follow
  • The key question is often not whether you can share data, but how
  • Data sharing brings significant benefits to your organisation, to individuals and to society at large. Done well, it helps government, public, social sector and commercial organisations to deliver modern, more efficient services which better meet people's needs and make their lives easier. It can also identify people at risk, help protect them from harm and address problems before they have a significant adverse impact
  • Most data sharing does not rely on consent as the lawful basis. If you cannot offer a genuine choice, consent is not appropriate. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given
  • You can share data in an emergency; you should do whatever is necessary and proportionate. Examples of an emergency situation are the risk of serious harm to human life, the protection of public health, or the protection of national security
  • The code covers data sharing by controller organisations (organisations that determine how personal data is used) under two separate regimes: general processing under the UK GDPR, which has to be read together with Part 2 of the DPA 2018; and law enforcement processing under the law enforcement provisions in Part 3 of the DPA 2018
  • The code also covers data sharing between the two regimes
  • Most data sharing is likely to be under the UK GDPR and Part 2 of the DPA 2018 because it involves sharing data that is not law enforcement or intelligence personal data, but where provisions differ we clarify this as far as possible
  • The code also discusses data sharing for defined purposes across the public sector under the Digital Economy Act 2017
  • The code is complementary to other ICO guidance and codes of practice about data protection. It assumes knowledge of key data protection terms and concepts
  • The code will highlight particular instances when it would be useful for you to refer to such guidance
  • You will find it helpful to use the data protection impact assessment (DPIA) process along with the code when considering sharing data
  • You can find more on DPIAs later in the code
  • There is a wide range of exemptions relating to matters such as crime and taxation, certain regulatory functions, journalism, research and statistics, and archiving in the public interest
  • The benefits for you in adopting the recommendations in the code may include
    • Greater trust in you by the public and customers, whose data you may want to share
    • An improved understanding of whether and when it is appropriate to share personal data
    • Greater confidence within your organisation that you are sharing data appropriately and correctly
    • The confidence to share data in a one-off situation or in an emergency
    • A reduced reputational risk when sharing data
    • More robust, demonstrable compliance with the law
    • Better protection for individuals whose data you are sharing