ICO issues the long awaited data sharing code of practice for consultation

• United Kingdom

• Privacy, data protection and cybersecurity

26-07-2019

The ICO has launched a public consultation on its new draft data sharing code of practice. The consultation period ends on 9 September 2019. It is an update of the previous code, to align it with GDPR so as to address transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities. It aims to give practical advice and guidance on how to share data safely and fairly. The final code is due for launch this autumn.

The vast majority of organisations share personal data in some way. This code focuses on sharing between data controllers, which occurs in a wide range of scenarios. Examples of when it will be of particular interest include the context of sharing with purchasers and bidders during M&A, sharing by administrators with purchasers in a distress sale, sharing of member data between pensions trustees, sponsoring employers, and actuaries (whether joint controllers or independent controllers), intra-group sharing between companies of staff and/or customer details, and sharing with credit reference agencies and fraud prevention agencies. In fact, any sharing from one controller to another controller – no matter the circumstance.

The GDPR doesn’t contain express requirements on contractual arrangements for sharing between controllers, other than joint controllers, so having this code in place should help with greater understanding as to requirements to comply with accountability in this regard.

There are (or will be) useful Annexes (not all of which are populated yet) including data sharing checklists, template data sharing request and decision forms and case studies on (amongst others) sharing with CRAs, sharing between public sector bodies, sharing for research purposes, sharing required by law, and sharing between HMRC and Companies House using the Digital Economy Act 2017 powers.

The draft code explains the law and provides examples of good practice. Following it will enable organisations to manage risks, clarify misconceptions, and share data in confidence.

It also builds in the structure put in place in the Digital Economy Act 2017, addressing sharing in the public sector.

This will be a statutory code once adopted (the ICO must prepare it because of the DPA 2018) and if controllers do not comply with it they may find it more difficult to demonstrate that their data sharing is fair, lawful and accountable and that it complies with the GDPR and the DPA 2018. Here is how the ICO puts it: ‘If you process personal data in breach of this code and this results in a breach of the GDPR or DPA we can take action against you’.

Read on to find out more.

In a nutshell, what does the draft Code say?

The Code runs to 100+ pages. Here is a speed read of some key themes:

• As a first step – consider data protection by design. Decide whether you need a DPIA (data protection impact assessment). As a reminder – a DPIA is required where the processing is likely to result in high risk to individuals. In the Code, the ICO recommends a DPIA when sharing data with another controller even where not legally required.

• If you’re relying on the lawful basis of legitimate interests consider an LIA (Legitimate interests assessment).

• Follow all of the core principles in the GDPR. What does this mean in practice, for instance from the discloser controller’s point of view? Be fair and transparent to the individuals whose data is affected; ensure there is a lawful reason for the sharing (legitimate interests is likely to be key here for many organisations – though not public authorities; extra lawful reasons are needed for sharing of sensitive data); only share reasonable and proportionate data that is necessary for a specified, explicit and legitimate purpose and check the purpose is not incompatible with the purposes for which the data was originally collected; only share adequate, relevant and necessary data which is accurate and up to date; security of the sharing is paramount (as is security at the recipient); take steps to prevent the recipient to retain it longer than necessary (including steps in the data sharing agreement); and make sure you can demonstrate your compliance with all these principles.

• On that point - it is good practice to have a data sharing agreement to clearly define (and limit) the purpose of the sharing (i.e. confine the use by the recipient as far as you possibly can), to be clear about the parties’ roles (i.e. are the disclosers/recipients independent controllers or joint controllers or both), and to cover what is to happen to the data at each stage. We (Eversheds Sutherland) would suggest, in particular, being clear about what happens to the data when the purpose is fulfilled (does the recipient want a copy of the data back or will it simply be erased/destroyed?) This all helps towards accountability.

• Make sure that the data subjects can exercise their individual rights with ease and have policies and procedures in the data sharing arrangement to address this.

• If a merger or acquisition or other change in organisational structure means a company has to transfer data to a different controller (asset purchases/sales in particular) data sharing must be careful and form part of due diligence.

• Transfer of databases or lists of individuals is a form of sharing. For instance, sharing by data brokers.

• Sharing of children’s data needs particular caution. A DPIA is compulsory if there is likely to be high risk to their rights and freedoms.

• Sharing in an emergency situation can (of course) happen as long as it’s necessary and proportionate (and based on vital interests).

Some common misconceptions: what does the ICO say on these?

• Data protection does not prevent data sharing. It’s all about approaching it in a sensible and proportionate way particularly if the sharing is for commercial reasons.

• The GDPR is not a barrier to data sharing. The main different between GDPR and the ‘old regime’ as applied to data sharing is that the disclosing controller now has to be accountable for its decision to share (see ‘data sharing agreement’ above, as one was towards accountability).

• Consent is needed where the impact on individuals might override your own interests in sharing. If you have a good reason for the sharing (and if you’ve properly balanced all the issues) you can usually share without a consent. Extra care is needed if sensitive data is at issue – then explicit consent might well be needed.

Are there any other nuggets in the Code?

Here is a selection:

• Data pooling (where organisations decide together to pool information and make it available to each other or to different organisations) – the ICO suggests the organisations responsible for the sharing would be regarded as joint controllers under Article 26 GDPR.

• For routine data sharing (i.e. at scheduled intervals), distinct from ad hoc or one-off data sharing, rules and procedures should be established and agreed in advance.

• Consider who will have access after the sharing and impose restrictions on the original recipient around this.

• The risks posed to the individuals is paramount for consideration.

• A data sharing agreement does not in itself provide any form of protection from action under GDPR or other law. However the ICO will take this into account if it receives a complaint about the data sharing.

• Don’t forget the role of the DPO (if you have one) in data sharing arrangements. The DPO must be closely involved.

• The disclosing controller ‘should take reasonable steps to ensure the data [being shared] will continue to be protected…by the recipient organisation.’ This is a lot easier to do, we suggest, where the recipient is a professionally regulated organisation, more difficult in e.g. an M&A scenario if you are the seller.

What about M&A?

Pages 70-72 expressly refer to sharing in M&A. There is little that is new here. We suggest these types of issues are likely to already be known about to lawyers advising on the deals, and to buyers/sellers used to dealing with M&A. There are useful reminders for the seller (or the other organisation sharing data with a different controller in the deal) to consider when and how it will inform individuals about what is happening, to satisfy itself by seeking technical advice before sharing where different systems are involved, and to document the data sharing for audit trail.

What should be included in a data sharing agreement:

• The purpose for sharing (why it’s necessary and what it will achieve) should be documented in precise terms.

• All the organisations involved in the sharing and include contact details for their DPO (if they are required to have one) or other key contacts.

• Include procedures for adding more organisations into the arrangement and for excluding original recipients/disclosing organisations.

• Explain the types of data intended for sharing. The ICO says ‘this may need to be quite detailed because in some cases it will be appropriate to share only certain details held in a file about an individual…it may be appropriate in some cases to attach permissions to certain data items so only particular members of staff are allowed to access them…’

• If you are using consent as a lawful basis for the sharing, the agreement should provide a model consent form and address what happens if consent is withdrawn or withheld.

• Set out procedures for dealing with individual rights and access.

• Document the lawful basis for sharing of sensitive data.

As a general rule, we would also suggest including commitments around compliance with GDPR. The draft Code does not refer to this.

Data sharing agreements should, the ICO says, be reviewed on a regular basis if the sharing is not one-off. Changes in circumstances or the rationale for the data sharing may arise at any point.

What about anonymization before sharing?

There is nothing new on this. You should anonymise if you can reasonable achieve the purpose in this less intrusive way. It is not proportionate or appropriate to share personal data if anonymous data will suffice.

What if you provide access or visibility instead of sending the data?

It’s still a form of sharing and the Code applies.

What about sharing with service providers?

This isn’t the subject matter of the Code unless those providers are controllers. Disclosing personal data to a processor is not what is meant by ‘sharing’ in this context. That type of disclosure does not need to have a lawful reason any different from that on which the processing at the controller is based. Its processor is an extension of its own processing (in effect) because of the written processor terms required to be in place.

Where can I access the draft code?

Click here for the updated draft code.

You can respond to the consultation via the ICO’s online survey, or you can download the document and email datasharingcode@ico.org.uk.