17 Dec 2020
On 17 December 2020 the ICO published its updated Code of Practice on Data Sharing, which is statutory guidance under section 121 of the Data Protection Act 2018.
The code focuses on ‘controller to controller’ sharing of personal data, rather than the fundamentally different situation of a controller using another organisation to process its data (i.e. 'data processing').
The code aims to "give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way in this changing landscape".
The code will be welcomed by charities and other organisations confronted with difficult decisions about how to share the data of beneficiaries and staff.
The code makes the following general points:
- data protection law facilitates data sharing when approached in a fair and proportionate way
- data protection law is an enabler for fair and proportionate data sharing rather than a blocker. It provides a framework to help you make decisions about sharing data
- data sharing has benefits for society as a whole
- sometimes it can be more harmful not to share data
It reminds controllers to comply with the data protection principles when sharing personal data and that they should demonstrate accountability; ensure fair and transparent processing; have at least one lawful basis for sharing the data; and process it securely using appropriate organisational and technical measures.
One interesting area covered is 'Urgent processing'.
Health, social care and charity organisations in particular might encounter urgent or emergency situations that demand rapid decisions about whether or not to share personal data. The ICO makes it clear that, in an emergency, controllers should go ahead and share data as is necessary and proportionate. Not every urgent situation is an emergency, but an emergency could involve:
- preventing serious physical harm to a person;
- preventing loss of human life;
- protecting public health;
- safeguarding vulnerable adults or children;
- responding to an emergency; or
- an immediate need to protect national security
Among the other topics covered are data protection impact assessments, children's data, law enforcement, sharing data sets and data sharing agreements.
Data controllers who are planning a project or who are asked to share data on an ad hoc basis are advised to consider the ICO’s new Code before proceeding. Failure to follow good practice will not in itself lead to enforcement action, but compliance with the Code will help to ensure that data controllers stay on the right side of the law.
If you have a data sharing conundrum or are confused as to whether you are sharing or using a data processor, Exigia can help.