Data sharing gets new code of practice

19 Jan 2012

Do you hold personal information on staff or customers? If so, says Liz Fitzsimons, you need to be aware of a new Code of Practice published by the Information Commissioner’s Office on sharing data.

The new Code of Practice offers guidelines on when data can be shared and how it should be protected and also includes information on data sharing laws. There’s also advice on remaining transparent and avoiding common mistakes, and a summary checklist that can be used as a quick reference guide to sharing information.

The code is published under s52 of the Data Protection Act 1998 and, although it is not legally binding, it does add detail and guidance on how to interpret the ‘bare minimum requirements’ of the DPA in this area. The approach suggested by the code is therefore recommended practice, but if it is not followed, data controllers (you, your business, or someone controlling information on your behalf) could face harsh sanctions if any DPA breach is considered by the ICO or the courts.

The code is relevant to all data controllers and covers not only regular or permanent data sharing but also one-off instances of data sharing, such as single third party requests and disclosures. The code is designed to facilitate data sharing, but also to ensure that such disclosures comply with the DPA.

When does it apply?
The code applies to the sharing of personal data between 'data controllers'. Data controllers are organisations that are in control of personal data and decide on the purposes and the manner in which it will be used.

Data controllers may share personal data with other organisations that act as their data processors. Data processors only hold personal data on behalf of the data controller, not in their own right, and can only use the personal data in accordance with instructions imposed on them by the data controller.

Disclosures from data controllers to data processors are not covered by the code and are regulated separately under the DPA.

Examples of when the code will apply include when an online provider wants to disclose personal data about an employee to an anti-fraud body, when a retail group shares customer details in a pool, or when personal details are shared in the context of a proposed merger or acquisition, say under TUPE.

In these cases both the recipient and the provider of the personal information are data controllers as they are both making decisions regarding how that personal information will be used and are ‘controlling’ the data.

What can be shared?
Generally, information can be shared, provided this does not breach the DPA or other applicable laws. According to the code, organisations should consider whether they are justified in sharing information in the first place.

You must be able to demonstrate you have clear reasons for sharing data and a clear objective on what sharing data will achieve. If only certain pieces of data need to be shared in order to achieve these objectives then sharing all of the information that you hold will not be necessary.

Special rules will apply to sensitive personal data, such as on health, or confidential information. Explicit consent to disclosure may be required in such cases. Where sharing personal information may involve it being sent to or viewed from outside the European Economic Area, special rules on data transfers will also have to be met.

Informing individuals
When sharing personal information, such use must be ‘fair’ by law in that the individual concerned should reasonably expect it. It is therefore good practice to provide a privacy notice to such individuals which, as a minimum, states the name and details of the relevant data controller, why they are going to share the data, what data is involved and who they are going to share the data with.

You should normally provide a privacy notice when you first collect a person’s personal data. If you have already collected their personal data, then you need to provide them with the information above as soon as you decide you are going to share their data, or as soon as possible afterwards.

Organisations involved in data sharing should work together to ensure the individuals concerned know who has, or will have, their data and what it is being used for, or will be used for. The responsibility for doing this falls to the organisation that collected the data initially.

In some cases, organisations may be exempt from ensuring the disclosure is ‘fair’, such as where the police request details for an investigation and informing the individual concerned would be likely to prejudice their investigation.

Lawful data sharing
Disclosure of personal data, which is at the heart of all data sharing, is a form of processing and must be lawful in all cases by meeting a condition under Schedule 2 of the DPA. If sensitive personal data is involved, it also needs to meet a condition under Schedule 3 of the DPA.

In most cases, it will be essential to consider whether the legitimate interests of the disclosing party and/or receiving party could be achieved other than by the proposed data sharing.

Where it cannot, there must be no unwarranted prejudice to the rights, freedoms and interests of the affected individuals. The use of data in relation to data sharing must also always comply with the data protection principles, which all data controllers are legally bound to comply with under the DPA.

Practical issues
It is good practice to have a data sharing agreement in place that includes a common set of rules to be adopted by the various organisations involved in a data sharing operation. It should be reviewed regularly, particularly where information is to be shared on a large scale, or on a regular basis.

The data sharing agreement should cover issues such as the purpose of sharing data, data quality, data security, retention of data, procedures for dealing with access requests, queries and complaints and sanctions for failing to comply with the agreement.

The data sharing arrangement should also address practical problems such as defining which data sets can be shared, ensuring appropriate security measures and safeguards are in place and conducting a sampling exercise periodically to make sure information stored is accurate.

When sharing information, organisations should also record what information was shared and for what purpose, who it was shared with, when it was shared, the justification for sharing and whether the information was shared with or without consent.

Data controllers must also check whether their notification with the ICO is affected by data sharing arrangements.

If your notification becomes inaccurate or incomplete because you are sharing data on a basis not listed in your notification, you must inform the Information Commissioner as soon as possible (within 28 days) or you will commit a criminal offence.

Liz Fitzsimons is a senior associate at Eversheds
Unless otherwise stated, all images copyright © Mercator Media 2012. This does not exclude the owner's assertion of copyright over the material.