New Statutory Guidance on Data Sharing
In December 2020 the Information Commissioner's Office ("the ICO") published its new Data Sharing Code of Practice. The Code aims to provide practical guidance for organisations about sharing personal data in a way which complies with data protection law. The Code explicitly notes that it does not cover data sharing with processors or within an organisation (p19). Instead, it covers the broad range of circumstances in which public and private sector data controllers share personal data, both by way of one-off disclosures and through longer-running agreements with third party data controllers and joint controllers.
The Code is important because it is published pursuant to section 121 of the Data Protection Act 2018. As a result, if those engaged in data sharing do not comply with its guidance, they may find it more difficult to demonstrate that their data sharing is fair, lawful and accountable and complies with the UK GDPR or the DPA 2018.
While the Code runs to some 89 pages, it has a helpful quick reference guide at pages 7-9 so that organisations can easily identify the information they need. It deals with a variety of matters including data sharing and children (p61), sharing in the context of law enforcement processing (p50), and sharing personal data in databases and lists (p58).
Some other key points to note about the Code include:
1. Misconceptions dispelled (p13):
The Code notes that there are a number of common misconceptions about data sharing, including that the UK GDPR and the DPA 2018 prevent data sharing, that there is little benefit to be gained from data sharing, that data can only be shared if you have a data subject's consent, and that data cannot be shared in an emergency. It explains how each of these is wrong. In particular, it notes that data sharing can be very beneficial in providing more efficient services which better meet people's needs and make their lives easier, and that data sharing in an emergency is appropriate in order to do whatever is necessary and proportionate.
2. Deciding to share data (p21):
The Code recommends that when deciding to share personal data, as a first step organisations should carry out a Data Protection Impact Assessment (DPIA) even if they are not legally obliged to carry one out. This appears to go beyond the requirements of Article 35 UK GDPR and may disappoint some organisations who take the view that their data sharing is of a nature and scope that does not require a DPIA. Nevertheless, DPIAs do not need to be long and detailed documents and the Code is right to say that carrying one out will help organisations to assess any risks in the planned data sharing and promote public trust in data sharing plans. The DPIA will also help an organisation to understand whether it can share the data at all and if so, what steps can be taken to mitigate the risks in sharing.
3. Data Sharing Agreements (p25):
The Code emphasises that data sharing agreements are good practice especially in order to demonstrate compliance with the accountability obligations under the UK GDPR. This is because such an agreement helps all the parties to be clear about their roles, sets out the purpose of the data sharing, covers what happens to the data at each stage, and sets standards.
While it is unfortunate that the Code does not contain a template data sharing agreement, it does set out in some detail the types of issues that an agreement should address. These will include matters such as the parties to the agreement, the purpose of the data sharing, which other organisations will be involved, what types of data will be shared, what the lawful basis for sharing is, how organisations will comply with individual rights, what information governance arrangements should be in place, and provisions for review of the agreement.
4. Lawfulness (p40):
In order to comply with the lawfulness principle, data controllers must ensure that the personal data sharing they undertake is lawful in a general sense. The Code notes that for public sector organisations this will include checking that they have a legal power to share data, which is a separate question from whether they have a lawful basis to do so. This is something that many public sector organisations often fail to recognise when seeking to share personal data.
In identifying a legal power, public sector organisations must look first to any express statutory obligations or statutory powers and, failing a legal power in these, to any implied statutory powers that they may have. The Code notes that the law regulating a public body's activities is often silent on the issue of data sharing, but it may be possible to identify powers that are reasonably incidental to those which are expressly permitted and so to identify a legal power for data sharing.
Once an express or implied power is identified, most public sector organisations will rely on the public task lawful basis in Article 6 UK GDPR. For those involved in public sector data sharing, it is also worth noting that there is a very useful explainer of the Digital Economy Act 2017 framework and its codes of practice contained at a later section in the Code (p65).
For private and social sector organisations, the Code explains that they do not need to identify a specific power to share data as they will have a general ability to do so provided this does not breach the data protection legislation. However, just like public sector organisations, they must have a lawful basis and should also check whether there are any separate legal obligations such as the common law duty of confidentiality, copyright restrictions or other prohibitions on data sharing which may constrain the lawfulness of any data sharing.
5. Security (p43):
The Code outlines how data protection law requires data controllers to process personal data securely, with appropriate organisational and technical measures in place. Accordingly, when sharing personal data, organisations must ensure that there are “appropriate” security measures in place bearing in mind the nature, scope, context and purpose of the sharing.
Importantly, the Code makes it clear that although organisations you share personal data with will have their own security obligations, you should still take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation. This is an important reminder as many organisations often share personal data and take the view that once they have shared the personal data lawfully, this is where their obligations end.
Instead, the Code explains that organisations should endeavour to ensure that the recipient complies with the security requirements by (1) ensuring the recipient understands the nature and sensitivity of the information, (2) having a set of agreed security standards in a data sharing agreement and (3) resolving any difficulties such as different IT systems and procedures or different marking systems before the data is shared.
6. Individual Rights (p45):
A data sharing agreement should have policies and procedures that allow data subjects to exercise their individual rights, such as their rights to access, erasure and rectification. Details of how to exercise these rights must be set out in the privacy information issued to individuals. When data has been shared across a number of organisations, it is good practice to provide a single point of contact for individuals to exercise their rights. However, they must be permitted to choose to exercise their rights against any controller they wish.
7. Templates (p74):
In arguably the most useful section of all, the Code has in its Annexes a number of helpful templates. Organisations should use these templates when data sharing in order to demonstrate compliance both with the Code and more generally with their UK GDPR and DPA 2018 obligations. At Annex A there is a data sharing checklist. This provides a step-by-step guide to deciding whether to share personal data.
Annex B contains a data sharing request form template and a data sharing decision form template. For organisations considering entering into data sharing agreements, these could be usefully included as annexes to such agreements. Finally, at Annex C there are a number of carefully worked through case studies. These provide a helpful insight into the types of issues that may crop up in the context of data sharing and how these can be resolved.
While the Code’s detail and comprehensiveness is to be welcomed, there are some important and surprising areas in which it is either silent or at least too muted.
First, there is a scarcity of guidance on international data sharing, which is of particular concern to many organisations post-Schrems II and post-Brexit. Save for a modest paragraph at p11 explaining that organisations should review their safeguards for transferring data to the EEA post-Brexit, the Code provides no guidance whatsoever on this very significant and complex area of data sharing. While the Code includes a link to the ICO's website guidance on international transfers, it is difficult to understand why the Code itself is so parochial in nature when the reality of data sharing for many public sector and private organisations is that it will invariably involve cross-border transfers.
Second, there is no analysis of the additional processing conditions which must be met when sharing special category or criminal offence data. This is exactly the type of data which many public sector organisations involved in the fields of housing, social care, crime and regulatory enforcement share on a regular or one-off basis. Further insight into the ICO's views on the processing conditions in Schedule 1 DPA 2018 would have been very welcome, particularly as there is still only very limited case law to assist organisations in understanding the scope of these conditions.
Finally, the Code omits the three-page section on "Data Ethics and Data Trusts" that was contained in the 2019 draft Code. Its removal is not explained and is surprising given the growing importance of data ethics, as emphasised in the recent publication of the National Data Strategy and in the establishment of the Centre for Data Ethics and Innovation (CDEI) in 2017, which has recently commented with approval on the successful local government use of data during the COVID-19 pandemic.
One explanation may be that the inclusion of a data ethics section does not necessarily sit easily within a Code which has a statutory footing and which accordingly must be followed by data controllers when sharing data. Perhaps the ICO took the view that detailed consultation on data ethics more broadly should be undertaken before introducing any ethical guidance into a statutory code. In this regard, the ICO consultation on the role of data ethics in complying with the GDPR recently closed on 8 January 2021.
Hopefully, through this consultation, the ICO will ensure that data ethics informs any guidance it provides in the future. In the meantime, those sharing personal data should bear in mind that although "data ethics" is not included in the Code, in many respects the Code's fairness and transparency obligations (treating individuals fairly, sharing data in a reasonable and proportionate manner, and telling individuals what is being done with their data) mirror those that any future ethical framework for data sharing may require.