The ICO Data Sharing Code: resolving misconceptions

There are huge benefits to data sharing, for example facilitating access to wider pools of data, which leads to innovation and technological advancements. We have seen this first hand during the COVID-19 pandemic, when measured data sharing between organisations enabled the roll-out of new technologies under tight time constraints, such as the NHS Test and Trace service.

That said, organisations often have misconceptions about the law that governs personal data sharing between controllers. One key reason for this is that, unlike the relationship between controller and processor, the UK GDPR does not set out a list of requirements for contracts between two or more controllers, so there can be uncertainty about the provisions that should be included if a contract is put in place. At times organisations are also unclear about when it is lawful to share personal data. This leads to avoidance of data sharing opportunities for fear of getting the decision wrong.

In response to this uncertainty, the ICO has published a new Data Sharing Code of Practice (the “Code”). On 18th May 2021 the Code was laid before Parliament for 40 sitting days, after which it will come into force, provided that it receives no objections.

The aim of the Code is to assist organisations to navigate the legal framework and unlock the benefits of data sharing.

What to expect from the Code

The Code covers the sharing of personal data between two or more controllers, whether this be on a routine or one-off basis.

The Code is far wider than just providing guidance on data sharing agreements themselves (although it does provide a helpful list of what to include within these). It addresses the full data sharing process, starting with the initial decision of whether or not it is appropriate to share personal data.

The Code recommends that controllers carry out a Data Protection Impact Assessment (DPIA) to assist with this initial decision, regardless of whether they are otherwise obliged to under the UK GDPR.

As with other codes and guidance published by the ICO, the Code includes a number of helpful real-life examples to enable businesses and organisations to draw analogies and make decisions.

The legal effect of the Code

The Code will be a statutory code of practice issued under the Data Protection Act 2018. But what does this mean in practice?

Once the Code is in force, the ICO will be required to take it into consideration when determining whether an organisation has complied with data protection laws.

This also means that consulting the Code, and documenting the steps taken in accordance with it, is a prudent way to demonstrate compliant and responsible personal data sharing.

The Code goes a long way towards breaking down misconceptions around personal data sharing and will hopefully foster collaboration between organisations where previously there may have been a reluctance to explore data sharing in the absence of succinct, user-friendly guidance.

For more information on the article above please contact Hannah Pettit.