Privacy & Information Security Law Blog

On December 17, 2020, the UK Information Commissioner’s Office (“ICO”) published its Data Sharing Code of Practice (the “Code”), in accordance with its obligation to do so under the Data Protection Act 2018 (the “DPA”).

The Code contains practical guidance in relation to the sharing of personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the DPA. The Code addresses data sharing between controllers, rather than between controllers and processors, which is covered by separate guidance issued by the ICO.

The Code addresses several matters, including:

• issues that controllers should consider when deciding when and how to share personal data, what personal data will be shared and what due diligence should be carried out prior to sharing personal data;
• agreements relating to the sharing of personal data, when such agreements are required and what provisions they should contain;
• compliance with data protection principles when sharing personal data, including fairness and lawfulness, transparency, data minimization and accountability;
• the available lawful bases for sharing personal data and special category personal data, and the circumstances in which sharing may be appropriate;
• implementation of appropriate security measures;
• the rights of individuals under the UK GDPR in the context of personal data sharing arrangements; and
• guidance in relation to a number of specific issues that often arise in the context of personal data sharing arrangements, including sharing personal data relating to children and sharing personal data contained in databases and lists for marketing purposes.

The Code itself is not legally binding; any failure to adhere to the Code does not itself constitute a violation of the UK GDPR or the DPA. However, the Code is admissible as evidence in UK legal proceedings. UK courts and tribunals must take into account any relevant provisions of the Code when determining any question that is addressed by provisions of the Code. Accordingly, businesses that share personal data in the UK are urged to adhere to the terms of the Code when doing so.

Alongside the Code, the ICO has also launched a data sharing information hub that includes a number of additional resources relating to data sharing, such as a due diligence checklist for sharing personal data, a template form that controllers may use to document decisions to share personal data and a number of case studies that relate to data sharing arrangements.

Before the Code becomes legally effective, it will need to be approved by the UK Parliament. Once the Code has been laid before Parliament, Parliament will have 40 days to object or propose amendments to the Code. If there are no objections or amendments, the Code will come into effect 21 days after that period.

Update: The UK Government laid the ICO’s Data Sharing Code of Practice before Parliament on May 18, 2021. It will lay before Parliament for 40 sitting days before coming into force.