18 November 2011

ICO Launches Data Sharing Code Of Practice

Boyes Turner

Contributor


The Information Commissioner's Office ("ICO") has launched a new code of practice relating to the sharing of personal data. The Code, published in May 2011, provides "good practice" advice and guidance to businesses across all sectors covering when, whether and how personal data may be shared and the appropriate security measures that should be taken.

The Code covers two main areas of data sharing: "systematic data sharing", where the same organisations routinely share the same sets of data for an established purpose; and "exceptional data sharing", where a one-off decision is made to release data to a third party.

Organisations must carefully consider each decision to share data taking into account the purpose of sharing the data, exactly which data needs to be disclosed and whether it would be possible to anonymise it, the risks involved (including potential harm to any data subjects) and appropriate security measures. The ICO recommends that access to data be restricted on a "need to know" basis and that measures be put in place to monitor the arrangement so that the safeguards continue to match the risks.

Under the Data Protection Act (DPA), personal data must be processed fairly. Where data sharing is envisaged, an organisation's privacy notice should make this clear, setting out information about who the data will be shared with and for what purposes. The Code states that this information must be provided when data is collected or as soon as a decision to share data is made. If data sharing is to be extensive, organisations may also need to provide more detailed information directly to those individuals affected.

In order to fulfil the DPA's requirement for appropriate technical and organisational security measures, the Code recommends that organisations review their existing data sharing arrangements to ensure that they know who has access to their data and how it will be used, that they are complying with conditions attached to data received from third parties and that the security measures they have in place are appropriate given the sensitivity of the data shared.

Organisations should also consider the effect that a security breach could have, both on the individuals concerned and on the organisation itself in terms of cost and damage to reputation.

Since a data sharing initiative may involve several parties, each with their own responsibilities and liabilities, the Code recommends that a data sharing agreement be put in place documenting the purpose and extent of data sharing as well as data accuracy, retention periods and security measures to be employed. A senior experienced person in each organisation should assume overall responsibility for ensuring compliance with the law, advising staff and making decisions about data sharing. It is also good practice for the organisations to appoint a central point of contact for any data subject access requests so that individuals are not required to make separate requests to each party.

Under the DPA, organisations must notify the ICO about the type of organisation with which they intend to share data. Organisations embarking on a new data sharing arrangement will therefore need to check their notification to determine whether it needs to be updated.

The Code contains two helpful data-sharing checklists which organisations can follow when deciding whether and how to share data, as well as case studies providing good practice examples of how the guidance can be put into practice.

Organisations should now get to grips with the Code to ensure that they are taking appropriate steps to keep their data sharing arrangements in line with the law. The Code can be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
