October 13, 2021
On 05 October 2021 the UK Information Commissioner (ICO) confirmed that the new Data Sharing Code of Practice has come into force. This is meant to be a practical guide for organisations so they can share personal data (information that can or could be used to identify someone) in a way that complies with the law and is fair to the data subject (the person who can or could be identified).
Organisations that share personal data and, especially, those organisations that make decisions about the purpose of sharing and whom to share that personal data with.
That’s likely to be most (if not all) businesses, because personal data is defined widely in UK data protection law. Personal data can cover any piece of information which is used to identify a living person (either on its own or at the point it is combined with other information). This includes information such as names, addresses, online identifiers, payment details etc. Most businesses are likely to make decisions about how they share some information about their staff, customers and/or suppliers.
Not quite, but it was required by UK data protection law to help organisations comply with data protection law. Where the ICO checks whether an organisation has complied with its duties under data protection laws (for example, because the ICO is considering enforcement action), it must now consider whether that organisation has followed recommendations set out in the code. So complying with the code will be a good indication your organisation is complying with data protection law.
The data sharing code is a pretty lengthy document but easy enough to navigate on the ICO’s website. It mainly focuses on sharing between organisations that make decisions about how they use personal data. Both the ICO and the data protection laws refer to the relationship between the parties as "controller to controller", a term that might trigger a bit of head scratching. If the terms in this new code of practice have left you feeling bewildered, never fear, we have a data protection term breakdown here.
The new code covers topics such as:
Quite a lot! As discussed above, the code focuses on parties who are both making decisions about how to share and use the personal data (as opposed to one party just acting on the other’s instructions or carrying out a specific task).
It brings a lot of topics together which were previously relevant for sharing personal data but existed in other places, and has some useful documents your business can use in the Code’s appendices (e.g. handy checklists and templates). These documents are a great starting point, because you can be confident you’re following the suggested wording of the regulator.
Where your business is sharing personal data, it is sometimes mandatory to have a data sharing agreement (for example, where one organisation makes the decisions about the personal data and the other organisation is required to follow the decision maker’s instructions, also known as a controller-processor relationship).
If both organisations share personal data but can independently make decisions about how they use or share that personal data, then although a data sharing agreement is not legally required it is still a very good idea. As mentioned above, this is where the ICO refers to “controller to controller” sharing and this means that the parties aren't tied to specific instructions about how they use the personal data. For example, they choose how long to keep the personal data or use it for their own business reasons.
In this scenario the code still states that a data sharing agreement or similar document is good practice. This should cover the parties’ lawful reasons for sharing the data, what the personal data is, what security is required, whether any sensitive personal data is shared and how the organisations will work together if an individual wants to exercise their legal rights.
No. It is a common misconception that you need consent for data sharing. There are times when consent may be the most appropriate lawful way to share personal data (for instance, where you attend a conference and consent to your details being shared with the other delegates) but often businesses should rely on other lawful reasons to share personal data. For example, sharing payment information with a payment provider is required to allow a transaction to process which would fall under the lawful basis for “necessary for the completion of a contract”.
The new code reiterates the importance of identifying the correct lawful reason to share personal data. If you would like to read about other lawful reasons to share data, the ICO has published a guide here.
The code isn’t law on its own but whether your organisation follows the code is a good indication as to whether you are complying with UK data protection law. The ICO will consider the code in any enforcement action.
Enforcement action can be serious. The ICO has the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher, and any breach or failure to comply with data protection laws can cause serious reputational issues for your business.
The new code is free to use, along with all the other useful guidance on the ICO website. However, if you would like some specialist help, we have a number of data protection experts who can help you! Just get in touch here.
We’re the experts in getting data on your good side. Find out more about our data protection offering here.