On 18 May 2021, the Government published its response following its consultation on the National Data Strategy launched in September 2020. With a foreword referring to 'data as the great opportunity of our time', and stressing the need to 'rebalance' the data narrative from one focused on risks and on privacy, to one that 'unleashes the power of data' across the UK economy and society, the Government outlines a number of 'missions' and objectives for creating an environment of data-led innovation.
At the same time, and in recognition of the contribution that data sharing arrangements have played during the COVID-19 crisis, the Government has announced that the Information Commissioner's Office's (ICO) Data Sharing Code has been laid before Parliament for 40 sitting days. Barring any objections to the Code during that period, it will then come into force 21 days later.
Overview and status of the Data Sharing Code
Publication of the Code comes some 10 years since the ICO published its first data sharing code – during which time there have been significant changes to the data protection framework through the application of the GDPR, and also developments in the ways in which organisations share data, and the technologies available to do so.
That said, much of the guidance in the Code reflects the ICO's prior guidance and common sense practice. It contains practical guidance for organisations which will assist in ensuring that data sharing is done in a way that is fair and proportionate and in compliance with data protection law. It also contains some optional good practice recommendations which are not legal requirements, but which the ICO considers promote an effective approach to data protection compliance. At the same time, the ICO is also keen within its Code to dispel a number of myths around data sharing practices - in particular, the misconception that GDPR prevents data sharing, or only allows it where there is consent.
The Code is a statutory code of practice and the ICO must therefore take the Code into account when considering whether there has been compliance with data protection obligations when sharing data. A Court must also take the Code into account where relevant, and it can be used in evidence in court proceedings. However, whilst significant fines can be issued for serious breaches of data protection laws, in practice, it seems very likely that the ICO will reserve enforcement action for the most egregious breaches of data protection law arising through data sharing.
Key principles in the Code
- Scope: The Code focuses on sharing of personal data between controllers. It therefore does not cover sharing data with a processor (which should be subject to a data processing agreement) or within an organisation. It covers both routine/systematic data sharing and also exceptional, one-off data sharing projects, as well as data pooling.
- Data Protection Impact Assessments: When deciding to share personal data, controllers must consider first whether data sharing will achieve a benefit and that data sharing is necessary. Whilst it is not mandatory to do so (unless the data sharing is likely to result in a high risk to individuals), the Code recommends that a Data Protection Impact Assessment (DPIA) is carried out in order to assess (and then mitigate) any risks in the data sharing, and also to promote public trust in that sharing.
- Data Sharing Agreements: It is also good practice (but again not mandatory, other than in a joint controller situation) to have a data sharing agreement in place which sets out the purpose of the data sharing, explains what will happen to the data at each stage, sets standards, and provides a clear framework in relation to the parties' respective roles and responsibilities. The ICO will consider whether there is a data sharing agreement in place when assessing any data sharing arrangements, for example, following a complaint.
- Responsibility for compliance: The Code provides a reminder that each controller is responsible for their own compliance with UK GDPR and the Data Protection Act 2018 and must be able to demonstrate that compliance. Documenting data sharing (i.e., through a DPIA and/or data sharing agreement) will ensure effective accountability. Similarly, each controller is responsible for the security of the data, but an organisation sharing data should also take reasonable steps to ensure that the data shared will continue to be protected with adequate security by the recipient organisation.
- Approach to data sharing:
- Data sharing must be done fairly, proportionately, and in a transparent manner. One basic question to ask, from an ethical perspective, is: is it right to share this data?
- Data sharing must both:
- be lawful in a general sense – is there a legal power to share data, and are there any additional legal requirements that need to be met?
- have at least one lawful basis under UK GDPR and the Data Protection Act 2018.
- Individuals' rights: The data sharing arrangements must encompass policies and procedures that allow data subjects to exercise their individual rights easily, and this must be communicated to them (for example, privacy notices should make clear which organisation to contact; the Code suggests a single point of contact is good practice). Individuals have additional rights where automated decision-making is involved and a DPIA must be carried out where the data sharing arrangements involve solely automated decision-making, including profiling, which produces legal effects concerning the individual or significantly affects them.
- Mergers and acquisitions: The Code provides some brief guidance on data sharing arising from a merger or acquisition or other change in organisational structure, when data may need to be transferred to a different organisation. The data sharing must be considered as part of the due diligence, and the Code provides a checklist of issues to consider:
- Establish what data is being transferred
- Identify the purposes for which the data was originally obtained
- Establish the lawful basis for sharing the data
- Comply with the data processing principles – especially lawfulness, fairness and transparency
- Document the data sharing
- Seek technical advice where different systems are involved
- Consider when and how to inform data subjects
When managing shared data following a change of controller, check data records are accurate and up to date, document what is done with the data, adhere to a consistent retention policy and ensure appropriate security is in place
- Sharing personal data in databases and lists: When receiving personal data in databases and lists, the recipient organisation is responsible for complying with data laws and must therefore satisfy itself as to the integrity of the data. Information must be provided to data subjects in relation to data sharing. The ICO's Direct Marketing code will also be relevant (this code is still awaited in its final form).
- Children's data: Extra care must be taken when sharing children's data – controllers must be able to demonstrate a compelling reason to do so, taking account of the best interests of the child. Again, a DPIA will ensure proper risk assessment and mitigation.
The ICO has described the Data Sharing Code as a milestone in its ongoing work in this area, stressing that it should not be perceived as the conclusion to the project. One area in particular under current review concerns the framework and practices concerning pseudonymised and anonymised data. The Code covers pseudonymised (data is that can no longer be attributed to an individual without the use of additional information), but not anonymised data.
In March 2021, the ICO published a blog confirming that it would be updating the Data Sharing Code of Practice in relation to issues around anonymisation and pseudonymisation, and will be exploring the role that privacy enhancing technologies might play. As part of this analysis, the ICO will review the legal framework around anonymisation and provide best practice guidance. On 28 May 2021, it issued a call for views (closing on 28 November 2021) on the first chapter of its anonymisation, pseudonymisation and privacy enhancing technologies draft guidance – further chapters will be issued in the coming months before the final guidance will be consulted on at the end of 2021.