The UK Information Commissioner's Office ("ICO") proposed a draft statutory code of practice on data sharing. Comments on the draft code must be submitted by September 9, 2019.
The draft code, along with other ICO guidance, includes an outline of how organizations should handle personal data-sharing practices, such as when a third party is given access to such data. The draft code also includes guidance on risk management processes, best practices and misconceptions about data sharing.
In the draft code, the ICO states that organizations are required to:
- assess whether there is a legal obligation to implement a Data Protection Impact Assessment ("DPIA");
- follow key principles of data protection legislation when sharing data;
- demonstrate compliance with the EU General Data Protection Regulation ("GDPR") or UK Data Protection Act ("DPA") pursuant to the accountability principle;
- provide "at least one lawful basis for sharing data" before commencing;
- share personal data in a "fai[r] and . . . transparent manner," in which the affected individuals are notified, notwithstanding certain exemptions;
- process personal data securely, pursuant to data protection law;
- identify a "lawful basis" for sharing data to comply with the lawfulness principle;
- consider data sharing as part of due diligence during a merger, acquisition or change to the organizational structure;
- comply with data protection law when transferring databases or lists of individuals (a form of data sharing); and
- adhere to the DPIA when sharing children's personal data that is at a higher risk of endangering children's rights and freedoms.
Best Practices and Clarifications
Additionally, the proposed code would require organizations to create a data-sharing agreement to help demonstrate accountability pursuant to the GDPR. The ICO states that, in a data-sharing agreement, there must be policies and procedures in place to ensure that "data subjects" (i.e., those from whom the data originated) are able to "exercise their individual rights with ease."
The ICO notes that, while most data sharing falls under Part 2 of the DPA ("General Processing"), data sharing by a "competent authority" is subject to Part 3 of the DPA ("Law Enforcement Processing"), which has a separate framework. According to the ICO, a "competent authority" is defined as an entity that either (i) falls under Schedule 7 of the DPA or (ii) "exercise[s] public authority or public powers for law enforcement purposes."
The ICO also clarified a few misconceptions, saying that:
- data protection does not prevent data sharing but seeks to balance the risks and benefits of data sharing if it is either (i) "in the public interest" or (ii) "proportionate, in the case of sharing for commercial reasons";
- the GDPR does not introduce additional barriers, noting that if an organization was able to legally share data under the former regime, it should still be able to do so;
- data sharing that is "[d]one well" benefits both government and commercial organizations;
- organizations are not always required to obtain individual consent before sharing data; and
- data may be shared in an emergency scenario.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.