Last week, the Information Commissioner's Office (ICO) published its new code of practice on data sharing. The code of practice has been prepared under the Data Protection Act and it provides key practical advice for organisations sharing data "whether by way of one-off disclosure or as a part of a large-scale data sharing arrangement."
The new code of practice is an updated version of the draft code of practice published in October, and it now includes a quick reference data sharing checklist as well as practical case studies from various sectors that can be used by organisations seeking to establish whether they are legally justified to share information, and indeed how to share that information securely.
Following many well publicised personal data breaches by local authorities, schools and universities, and NHS bodies, the ICO's data sharing guidance comes as a welcome addition to the UK data protection regime and it will assist public and private organisations to adopt some of the practical approaches to data sharing. As the Information Commissioner, Christopher Graham, stated: "the public rightly want to remain in control of who is using their information and why, and they need to feel confident that it is being kept safe."
The code provides guidance on a number of issues such as what information should be shared; how and when it should be shared; whether data sharing poses any risks on the individual; and whether the organisations objectives could be achieved without having to share the information. It also looks at the data processing procedure and gives advice on the issuing of privacy notices to individuals as a way of communicating why the information is being shared and who is it going to be shared with.
One of the most important aspects of data sharing addressed by the ICO is security. The Data Protection Act requires that organisations adopt adequate technical and organisational measures so that they can share data without running the risk of breaching data protection laws. The level of these security measures will depend on the nature and sensitivity of the data in question, and the code of practice provides a useful checklist for organisations to reflect upon before any data is shared.
So, why should organisations be giving consideration to the new code of practice?
According to Christopher Graham, "adopting its good practice recommendations will help organisations to work together to make the best use of the data they hold to deliver the highest quality of service." Secure and justified data sharing will mitigate the risk of breaching the data protection laws, whilst increasing protection for members of the public. And, if the new guidance is implemented appropriately, there should be a better understanding for organisations as to when data can be shared and how, as well as enhanced public trust in those holding personal information.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.