Data Sharing Code of Practice goes before UK Parliament
What does the Data Sharing Code of Practice (the Code) mean for companies that deal with personal data?
The key takeaway
The Code does not mark a huge leap from the previous data sharing code, but it serves as a helpful and useful guide for organisations to help ensure compliance when sharing any personal data with third parties.
In May 2021 the UK government placed the Code before Parliament for consideration as a statutory code of practice under s.121 of the Data Protection Act 2018. The Code is a practical guide for organisations about how to share personal data in compliance with data protection law. Unless amended or rejected by Parliament, the Code will come into force after 40 sitting days.
The Code has been in development with the UK government and the Information Commissioner (ICO) for some time, but finally has reached its apparent final form. The last data sharing code was published almost 10 years ago, and the Code now seeks to update it to reflect key changes in data protection laws and the ways in which organisations share and use personal data.
The Code compiles all of the practical considerations that companies need to take into account when sharing personal data with other parties, bringing together existing items of ICO guidance in relation to ensuring a legal basis has been satisfied for said transfers, and supplementing this with new guidance.
The updated Code is lengthy, so the following is a flavour only of some of the useful practical guidance it provides:
- conducting data impact assessments: organisations should conduct these when considering sharing personal data, allowing for the assessment of risks of the sharing of data to be identified and safeguards to be put in place where needed
- clarification on the responsibility of the disclosing party for the recipient’s processing of personal data: the Code attempts to clarify the extent to which an independent controller, which discloses personal data to another controller, is responsible for the recipient’s processing of that personal data. The Code notes that an organisation should not provide personal data to another if it does not have visibility over the measures, they are taking to protect the data during the process
- due diligence in data sharing during M&A: the Code notes that the parties involved in a M&A transaction need to ensure that due diligence extends to examining issues pertaining to the transfer/sharing of personal data in connection with that transaction, and
- sharing of personal data in databases and lists: recipients of a database or list of personal data from another party have the responsibility to establish the provenance or integrity of the data they receive, and ensuring that all compliance obligations have been met prior to exploiting or otherwise using the data.
The Code also briefly discusses guidance on automated decision-making and the difference between anonymised data and pseudonymised data, and how these need to be dealt with in a data sharing context.
Why is this important?
The ICO, Elizabeth Denham, said the publication of the Code was not a conclusion, but a milestone, and that it “demonstrates that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist”. As such, it is a highly useful tool for organisations in ensuring that their data sharing arrangements are above board, both currently and moving forwards.
Any practical tips?
Remember to consult the Code when considering any data sharing arrangements, as well as the ICO’s data sharing information hub. The latter provides targeted support and resources, including:
- data sharing myths busted
- data sharing code: the basics for small organisations and businesses
- data sharing FAQs for small organisations and businesses
- case studies
- data sharing checklists
- data sharing request and decision forms template
- sharing personal data with a law enforcement authority toolkit
- guidance on sharing personal data with law enforcement authorities, and
- guidance on data sharing and reuse of data by competent authorities for non-law enforcement purposes.