The Information Commissioner’s Office (the ICO) has published a new Data Sharing Code of Practice, which came into force on 5 October 2021. The Code provides practical guidance and best practice recommendations for businesses when they’re sharing personal data. According to the ICO, the new Code ‘aims to give businesses and organisations the confidence to share data in a fair, safe and transparent way’.
As a statutory code of practice, the Code is not new law, but the ICO must take compliance with it into account when considering whether a business has breached its data protection obligations. Failure to comply with data protection law can not only damage your business’s reputation, but it can also lead to hefty fines of up to £17.5 million or 4% of your global annual turnover, whichever is higher. It’s therefore a good idea to make sure you’re familiar with when the Code applies and what measures it recommends as best practice.
To get you started, we’ve highlighted five key takeaways:
1. The Code is concerned with data sharing between data controllers
The Code covers the sharing of personal data between data controllers and does not cover data sharing with processors. Remember that data processors are only permitted to share data if they are authorised to do so by the data controller.
For guidance on the difference between data controllers and data processors, see Data protection obligations.
2. Carry out a Data Protection Impact Assessment as a first step
The Code recommends that data controllers carry out a Data Protection Impact Assessment (DPIA) before sharing any personal data, even though it is not always legally required. A DPIA helps you to assess the benefits and risks of your proposed data sharing.
For further guidance about carrying out a DPIA see Data protection impact assessments.
3. Put a data sharing agreement in place
The Code recommends putting in place a data sharing agreement, even though this is not a legal requirement (unless you are both ‘joint controllers’, which means you jointly determine how the data will be processed, rather than processing it independently of each other). A data sharing agreement is an agreement entered into between two data controllers, which sets out the parties’ rights and obligations when they share data with each other.
Bear in mind that you are legally required to put a data processing agreement in place when sharing personal data with a data processor (rather than another data controller).
For further guidance about data agreements, see Data processing agreements and data sharing agreements.
4. Data protection compliance is key
When you are sharing personal data, the Code reinforces that you must comply with your data protection obligations at all times and be able to demonstrate that compliance. This includes:
- ensuring you have a lawful basis for sharing the data;
- putting in place appropriate internal data protection policies;
- keeping suitable records to demonstrate your compliance with data protection law;
- providing transparent privacy information to individuals about how you will be sharing their personal data;
- ensuring personal data is processed securely at all times; and
- having appropriate procedures in place to allow individuals to exercise their data subject rights.
To find out more, see Key obligations when sharing personal data.
5. Make it easy for individuals to assert their data rights
Individuals have various rights in relation to any personal data you hold about them (exercised by making data subject requests), and the Code reinforces that you must make it easy for them to exercise those rights. For example, the Code recommends that you provide a single point of contact to which individuals can send their requests.
The Code also recommends that you think about how you will deal with complaints or other queries from individuals about your data sharing practices, and use such feedback to inform your ongoing data sharing.
For further guidance about data subject requests, see Individuals’ access to personal data.
Interested in finding out more? Our Q&A contains detailed guidance on sharing personal data, which incorporates best practice recommendations from the ICO; access it for free here.
Before joining Sparqa Legal as a Senior Legal Editor in 2017, Frankie spent five years training and practising as a corporate disputes and investigations lawyer at leading international law firm Hogan Lovells. As legal insights lead, Frankie regularly contributes to Sparqa Legal’s blog, writing content across employment law, data protection, disputes and more.