ICO draft Data Sharing Code of Practice

What changes does the Information Commissioner’s Office (ICO) plan to make to the Data Sharing Code of Practice?

The key takeaway

The ICO’s consultation on updating the Data Sharing Code of Practice finished in September. While acknowledging that updates are needed to reflect the GDPR and the Data Protection Act (DPA) 2018, the ICO also commented that “the foundations do not need replacing”. This is a useful steer for organisations in predicting how the finalised updated Code will look. 

The background

The Data Sharing Code of Practice was first published in 2011. As such, an update is certainly due, especially following the implementation of the GDPR and the DPA 2018. Indeed, the consultation and any subsequent updates to the Code are actually required under s121 of the DPA 2018. 

Before the Code was drafted, in August 2018, the Information Commissioner launched a call for views so people and organisations could help shape the new Code. The ICO published a summary of responses to that call for views. Many of the opinions offered coalesced around the same broad themes:

• Scope: respondents agreed that the Code should be brought up to date;
• Balance: respondents commented on the need to recognise the benefits of sharing personal data and protecting personal data;
• Confidence: there were comments on the dangers of a “culture of risk aversion”;
• Guidance: respondents asked for more guidance on ad hoc/exceptional types of data sharing;
• Relevance: respondents placed emphasis on the significance of technological developments relevant to their operations.

The stated aim of the draft Code is to “give [organisations] the knowledge and the confidence [they] need to continue sharing data under the GDPR and the DPA”.

The draft Code

The ICO clearly took on board the feedback from respondents. The new Code addresses some common misconceptions about data sharing, namely that data protection should not prevent organisations or people from sharing data. 

More broadly, it is clearly a Code for 2019 and beyond. A key piece of advice is to work towards “data protection by design and default”. The draft recommends that organisations do this by putting measures in place to:

• implement the data protection principles in an effective manner; and
• safeguard individual rights.

While the draft Code runs to over 100 pages, the general advice seems to be to follow the key principles of the GDPR. 

Why is this important?

The current Data Sharing Code of Practice has been a useful tool for organisations seeking to abide by their obligations under the law. However, both the nature of data-sharing and the law around it are changing rapidly and the fact that a new Code is forthcoming is good news. 

Any practical tips? 

It’s important to remember that the Draft Data Sharing Code is just that – a draft. It has not been finalised and the consultation was geared towards hearing and collating a broad range of views.

Organisations should remain attuned to further developments, and read and act on the final Data Sharing Code of Practice when it is published. 

More widely, organisations should of course have the requisite data protection measures in place already. The ICO’s Guide to Data Protection is a useful primer, but for more substantial projects (eg those requiring a Data Protection Impact Assessment (DPIA)), legal advice should almost always be sought.