UK ICO Issues New Draft Data Sharing Code of Practice

The confusion over data sharing between controllers under the GDPR and the UK’s Data Protection Act 2018 appears to be coming to an end. The reason is a step taken by the UK’s ICO: it has recently issued a draft version of its statutory code of practice for sharing of personal data between controllers under the GDPR and the UK Data Protection Act 2018 (the “Draft Code”), which provides a number of practical recommendations that controllers should take into account when sharing personal data.

The Draft Code states that data sharing is defined broadly and can include where an organisation gives access to data to a third party by any means. Sharing can take place in a routine, scheduled way, or on a one-time basis.

Below is a summary of the key elements of the Draft Code:

  • Data Protection Impact Assessment (“DPIA”) – the first recommendation from the ICO is that organisations, before sharing personal data or processing it in general, should consider whether a DPIA is required. A DPIA must be carried out where the processing is likely to result in a high risk to individuals, but the ICO recommends following the DPIA process even where an organisation is not legally required to do so. In fact, the ICO recommends that a DPIA (used as a flexible and scalable tool) be carried out for any other major projects involving sharing personal data or plans for routine data sharing, even if there is no specific “high risk” indicator. Examples provided by the Draft Code include: (i) data matching; or (ii) any processing of records where there is a risk of harm to individuals in the event of a data breach (e.g., whistleblowing).
  • Data Sharing Agreements – the Draft Code states that, as an indicator of accountability, it is good practice to have a data sharing agreement in place that sets out the purpose of the sharing, covers what is to happen to the data at each stage, sets standards and helps the parties be clear about their respective roles. The ICO is clear that such an agreement does not have a prescribed form and that its form should be governed by the scale and complexity of the sharing in question. Adhering to such agreements does not grant an indemnity from regulatory action, but the ICO states that it will take such agreements into account if it were to receive a complaint. The Draft Code also makes it clear that data sharing agreements should be reviewed on a regular basis.
  • The Draft Code also sets out, as good practice, what should be included in the agreement, including: (i) the purpose of the initiative (i.e., why it is necessary, the specific aims and the benefits to individuals or society) in precise terms; (ii) which organisations are involved, including contact details for the DPO and other key members of staff; (iii) procedures for including additional organisations and removing those no longer involved; (iv) where the organisations are joint controllers, the responsibilities of each controller; (v) what data is being shared; (vi) what is the lawful basis for sharing data, including any special category or criminal offence data along with the conditions for processing; (vii) procedures for compliance with individuals’ GDPR rights (including that all controllers remain responsible for compliance even if certain tasks are allocated by the agreement); and (viii) detailed information governance procedures (i.e., detailed advice on what datasets can be shared, making sure data is accurate, security arrangements, retention and deletion, accuracy and timescales for assessing ongoing effectiveness etc.).
  • The Draft Code suggests organisations may also want to consider including in the data sharing agreement as an appendix or annex: (i) a summary of the key legislative provisions; (ii) if consent is the legal basis, a model consent form; and (iii) a diagram to show how to decide whether to share the data. The Draft Code proposes to include example request and decision forms in the final publication stage, together with updated data sharing checklists.
  • M&A Due Diligence Considerations – the Draft Code is clear that where data is being transferred to a different controller as part of a transaction, organisations should proceed carefully with regard to data sharing, and the Draft Code must be considered as part of the due diligence process. This includes establishing the purposes for which the data was originally obtained and the lawful basis for sharing it. These considerations will apply to both the controller sharing the data and the controller receiving the data in the context of a transaction. The data sharing, and all data processing that proceeds from the sharing, should also be documented.
  • Databases and Lists – the Draft Code also acknowledges that the transfer of databases or lists of individuals is a form of data sharing. It is the responsibility of the recipient controller to satisfy itself about the integrity of the data supplied to it, including checking: (i) the source of the data; (ii) the lawful basis on which it was obtained; (iii) records of consent, if relevant; (iv) a copy of the privacy information given at the time of collection (including that it was in compliance with Article 14 of the GDPR); and (v) that the data is accurate and up to date and not excessive, amongst other considerations. These considerations will also apply in an M&A context (e.g., where the acquisition involves the purchase of the target company’s customer database or the sharing of a list of employees).
  • Sharing data outside the EEA – this particular sub-topic is not addressed by the Draft Code and the ICO confirms it will provide more guidance on this element in the context of data sharing in due course.

The Draft Code is currently out for public consultation until Monday 9 September 2019.


Disclaimer: The content of this article is intended to provide a general guide to the subject matter; it is not legal advice and should not be treated as such. Specialist advice should be sought about your specific circumstances.

