The New ICO Data Sharing Code of Practice


The sharing of personal data between organisations has many public and business benefits. However, there is much confusion about what the law allows, particularly the General Data Protection Regulation (GDPR).

In December, the Information Commissioner’s Office (ICO) finally published its Data Sharing Code of Practice following a consultation exercise. The code does not impose any additional barriers to data sharing, but aims to help organisations comply with their legal obligations under the GDPR and the Data Protection Act 2018 (DPA 2018). In particular the code:

  • updates and reflects key changes in data protection law since the last data sharing code was published;
  • explains new developments and their impact on data protection;
  • references new areas for organisations to consider; and
  • helps organisations to manage risks in sharing data, which are magnified if the quantity of data is large.

There is a useful section in the code addressing some misconceptions about data sharing and barriers to sharing. It also covers some special cases, such as databases and lists, sharing information about children, data sharing in an emergency and the ethics of data sharing. Reference is also made to the provisions of the Digital Economy Act 2017, which seeks to promote data sharing across the public sector.

The code contains a section on sharing data for the purposes of law enforcement processing under Part 3 of the DPA 2018. This is an important area which organisations have not really understood, as demonstrated by the recent High Court ruling that Sussex Police unlawfully shared personal data about a vulnerable teenager, putting her “at greater risk.”

This is a statutory code of practice under section 121 of the DPA 2018. Under section 127, the Information Commissioner must take account of it when considering whether a Data Controller has complied with its data protection obligations in relation to data sharing. The code can also be used in evidence in court proceedings and the courts must take its provisions into account wherever relevant.

Elizabeth Denham said the COVID-19 pandemic has brought the need for fair, transparent and secure data sharing into even sharper focus:

“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.

That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”

Following the code, along with other ICO guidance, will help Data Controllers to manage risks; meet high standards; clarify any misconceptions about data sharing; and give confidence to share data appropriately and correctly. In addition to the statutory guidance, the code contains some optional good practice recommendations, which aim to help Data Controllers adopt an effective approach to data protection compliance.

Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources, including:

  • Data sharing myths busted 
  • Data sharing code: the basics for small organisations and businesses
  • Data sharing FAQs for small organisations and businesses
  • Case studies  
  • Data sharing checklists 
  • Data sharing request and decision forms template  
  • Sharing personal data with a law enforcement authority toolkit
  • Guidance on sharing personal data with law enforcement authorities
  • Guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes

Ibrahim Hasan will be presenting a one hour webinar on the new data sharing code. These and other GDPR developments will also be discussed in detail in our online GDPR update workshop.

So we have a Brexit Trade Deal. What now for GDPR and international transfers?


So finally the UK has completed a trade deal with the EU which, subject to formal approval by both sides, will come into force on 1st January 2021. The full agreement has now been published and answers a question troubling data protection officers and lawyers alike.

International Transfers

On 1st January 2021, the UK was due to become a third country for the purposes of international data transfers under the EU GDPR. This meant that the lawful transfer of personal data from the EU into the UK without additional safeguards (standard contractual clauses etc) being required would only have been possible if the UK achieved adequacy status and joined a list of 12 countries. This was proving increasingly unlikely before the deadline and would have caused major headaches for international businesses.

The problem has been solved, albeit temporarily. Pages 406 and 407 of the UK-EU Trade and Cooperation Agreement contain provisions entitled “Interim provision for transmission of personal data to the United Kingdom.” These allow the current transitional arrangement to continue, i.e. personal data can continue to flow from the EU (plus Norway, Liechtenstein and Iceland) to the UK for four months, extendable to six months, as long as the UK makes no major changes to its data protection laws (see UK GDPR below). This gives time for the EU Commission to consider making an adequacy decision in respect of the UK, which could cut short the above period. Will the UK achieve adequacy during these 4-6 months? Whilst there is much for the EU to consider in such a short time, I suspect that pragmatism and economic factors will swing the decision in the UK’s favour.

The UK GDPR

Despite the last minute trade deal, on 1st January 2021 The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 will still come fully into force. These regulations will amend GDPR and retitle it as “UK GDPR”. The amendments are essentially a tidying up exercise. The UK GDPR also deals with post Brexit international data transfers from the UK. More here.

These and other GDPR developments will be discussed in detail in our online GDPR update workshop. 

Whilst staff are still working from home, what better time to train them on GDPR and keeping data safe? Our GDPR Essentials e-learning course can help you do this in less than 45 minutes.
