ICO publishes new data sharing code of practice

The Information Commissioner’s Office (ICO) has published a new data sharing code of practice. The Code is a statutory code of practice which the ICO is required to produce under the Data Protection Act 2018. The ICO will consider the Code when assessing whether an organisation has complied with the law when sharing personal data.

How we got here

The first data sharing code was published by the ICO in 2011. Since then, UK data protection law has changed significantly with the introduction of the GDPR and the Data Protection Act 2018. Organisations are now under more onerous rules compared to previous data protection regimes. Additionally, in light of the COVID-19 pandemic, there has been an increase in the type of organisations which are required to comply with data sharing rules. For example, cafes, restaurants and pubs are now having to share personal data to help combat the spread of the virus. The Information Commissioner, Elizabeth Denham, has said: “I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.”

Features of the Code

The Code is intended to be a practical guide for organisations, whether in the public, private, or third sectors, on how to share personal data in compliance with UK data protection law. The focus of the Code is on data sharing between controllers – data sharing with processors is not covered. The Code also seeks to explain the benefits of data sharing whilst dispelling misconceptions and barriers to data sharing. Guidance on data sharing agreements, compliance with the data protection principles, respecting individual rights are all addressed along with good practice recommendations. The ICO has also provided updated data sharing checklists and data sharing request and decision form templates.

Next steps

The first draft of the new Code went out to public consultation in July 2019. After gathering views and evidence from a wide range of organisations, the ICO published the Code on 17 December 2020. The Code has now been submitted to the Secretary of State who is now required to lay the Code before Parliament for approval. Whilst Parliament should approve the Code as soon as reasonably practicable, it will remain before Parliament for 40 sitting days. If there are no objections, the Code will come into force 21 days after that period.

While the Code is not expected to gain approval until February 2021, it forms part of a wider initiative by the ICO to provide clear guidance on data sharing. The ICO has launched a ‘data sharing information hub’ which includes resources and support on data sharing that organisations can access to gain quick and easy information and practical guidance.

How can we help?

For further information on data sharing, please get in touch with a member of our specialist GDPR & Cyber Security team.

Latest updates from @MacRoberts