On 17 December 2020 the Information Commissioner's Office ("ICO") published a new Data Sharing Code of Practice ("Code").
This follows a public consultation on the draft Code, which was published in July 2019. The new Code replaces the ICO's previous Data Sharing Code from 2011, which was published in relation to the Data Protection Act 1998. The Code primarily addresses data sharing by controllers and guidance on how to share personal data fairly, lawfully and in compliance with the accountability principle.
The ICO is required to produce this Code under the Data Protection Act 2018, which is therefore a statutory code of practice. Once approved, the ICO is required to take the Code into account when considering whether an organisation has complied with data protection law when sharing personal data.
The Code aims to address misconceptions regarding data sharing. For example, the ICO addresses misconceptions such as the GDPR and Data Protection Act 2018 prevent data sharing. The ICO clarifies that data protection law does not prevent data sharing as long as it is approached in a fair and proportionate way. The ICO also addresses the misconception that data sharing can only occur with the data subject's consent. The ICO states most data sharing does not rely on consent. The Code states if you cannot offer a genuine choice to the individual, consent is not appropriate.
The ICO highlights the benefits of data sharing, for example in the banking sector in the context of Open Banking. The ICO also makes clear that personal data can be shared in an emergency (e.g. to protect public health) which is particularly relevant at the moment.
The ICO recommends as a first step that a data protection impact assessment is conducted when considering sharing personal data. In addition, a data sharing agreement should be in place.
Although the Code has been published it is not yet in effect. The Code was submitted to the Secretary of State on 17 December 2020. It will now need to be laid before Parliament for its approval before it comes into effect.
“This code demonstrates that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist. “I want my code of practice to be part of a wider effort to address the technical, organisational and cultural challenges for data sharing. The ICO will be at the forefront of a collective effort, engaging with key stakeholders. I know I can count on a collective effort from practitioners and government to understand the code and work with the ICO to embed it.”