ICO Publishes New Data Sharing Code of Practice

Today the ICO has released a new version of the data-sharing code of practice, originally issued in 2011.

The updated code explains and advises on changes to data protection legislation, where these changes are relevant to data sharing. It will address many aspects of new legislation including transparency, lawful bases for processing, the accountability principle, and the requirement to record processing activities.

After the ICO’s clampdown on AdTech and the raft of other substantial legislation regarding data that has passed since the last regulation, there are significant changes to recommended practices of which businesses should be made aware.

Similarly, the code of practice will influence how businesses subject to ICO investigations are treated. In lieu of caselaw, recommended practices as outlined in regulator-issued guides will be the reference point for good practices.

Provision for the code was included in the Data Protection Act 2018, which was designed to mirror the EU’s GDPR regulation. The code addresses many aspects of the new legislation including transparency, lawful bases for using personal data, the new accountability principle and the requirement to record processing activities.

The full Code of Practice is available here.

ICO Chief Commissioner Elizabeth Denham said:

“This code demonstrates that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist. “I want my code of practice to be part of a wider effort to address the technical, organisational and cultural challenges for data sharing. The ICO will be at the forefront of a collective effort, engaging with key stakeholders. I know I can count on a collective effort from practitioners and government to understand the code and work with the ICO to embed it.”

The Code Summarised

The rules are designed to act as “an enabler for fair and proportionate data sharing, rather than a blocker”. When considering sharing data, the code of practice says:

• You must comply with data protection law;
• You should assess the risks using a Data Protection Impact Assessment (DPIA);
• It is good practice to have a data sharing agreement.

If you have a valid reason, you can share personal data with another organisation. But to do this and comply with data protection law, it’s important that you know what this valid reason is. The data protection term for this reason is the ‘lawful basis’. The lawful basis that’s right for you will depend on the reason you want or need to share the data. You should make a record of your lawful basis either on paper or electronically.

When sharing data, you must follow the key principles in data protection legislation:

• The accountability principle means that you are responsible for your compliance, and you must be able to demonstrate that compliance.
• You must share personal data fairly and transparently.
• You must identify at least one lawful basis for sharing data before you start any sharing.
• You must process personal data securely, with appropriate organisational and technical measures in place.

You can share data in an emergency. Examples of an emergency situation are the risk of serious harm to human life, or the immediate need to protect national security.

You may only share children’s data if you can demonstrate a compelling reason to do so, taking account of the best interests of the child.

How to Data Share

When sharing data with another organisation, only necessary information is allowed to be shared, and even then only in a secure manner.

Whilst it can change depending on what type of personal data is being held, the ICO has written a basic guide covering some practical ways to keep your IT systems safe and secure.

Some security measures are common sense, for example, locking cabinets and ensuring the windows and doors of workplaces are secure. Strong passwords and anti-virus software also should be commonplace.

Other measures might take a little more thought and planning, such as training staff on how to spot suspicious emails and making sure data isn’t held for too long a period.

This last point can be difficult, as there aren’t any set time limits in data protection law because it depends on circumstances.

It can change depending on why people’s personal information was collected in the first place and the reason an organisation is processing it, known in data protection law as the lawful basis for processing.

Even if a business is in good health, it’s good practice to draw up a plan for what should happen to any personal data if an organisation stops trading. This could include:

• the personal data you’ll need to keep;
• why you’ll need to keep that data, such as for tax reasons or other legal obligations;
• how and where the data will be stored securely, either by you or a third-party organisation;
• how the data can be accessed if needed;
• how long you need to keep the data;
• your plans for ensuring the data stays accurate where necessary; and
• how you’ll destroy the data securely when the time comes.

Alongside the code, the ICO has launched a data-sharing information hub where organisations can find tools and resources to help them implement safe data-sharing procedures.

The code also outlines the considerations businesses will need to make in transferring data between the EU and UK post-Brexit.

For further information on this, you should familiarise yourself with the DMA’s Brexit Toolkit, which has information about all methods of data transfer, regardless of whether a deal is reached or not.

You can also find this information and more by listening back to the DMA Policy and Legal team’s recent webinar on Brexit and data flows.

Marketers have a period of time before the code comes into force. The Secretary of State for DCMS, Oliver Dowden, will need to lay the code before Parliament for its approval as soon as possible within a 40 day period. If there are no objections, it will come into force 21 days after that.