ICO publishes new Data Sharing Code of Practice

January 5, 2021

The Information Commissioner’s Office has published its Data Sharing Code of Practice.

Section 121 of the Data Protection Act 2018 requires the ICO to produce a statutory code of practice that provides practical guidance on data sharing. A previous data sharing code was published in 2011 under the Data Protection Act 1998. 

The new code addresses many aspects of the legislation including transparency, lawful bases for using personal data, the accountability principle and the requirement to record processing activities. It also contains some optional good practice recommendations, which do not have the status of legal requirements but aim to help organisations to adopt an effective approach to data protection compliance.

The code of practice:

  • updates and reflects key changes in data protection law since the last data sharing code was published (in particular from the GDPR and the DPA 2018);
  • explains new developments and their impact on data protection;
  • references new areas to be considered; and
  • helps organisations to manage risks in sharing data, which are magnified if the quantity of data is large.

In accordance with section 127 of the DPA 2018, the Commissioner must take the code into account when considering whether organisations have complied with their data protection obligations when sharing data. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the GDPR or the DPA 2018 and in the use of her enforcement powers.

The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant. 

Much of the advice applies to public, private and social sector organisations. Some of the code is necessarily focused on sector-specific issues. However, the majority of the code applies to all data sharing, regardless of its scale and context.

The code is mainly aimed at organisations that are controllers sharing personal data. In particular, it is aimed at data protection officers and other individuals within organisations who are responsible for data sharing matters.

Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources. It is also encouraging organisations that are developing products and services that support complex data sharing in the public interest to apply for its regulatory Sandbox. The ICO also plans to increase its engagement with organisations to help them understand the code and promote the benefits of sharing data.

Next steps

The ICO submitted the Data Sharing Code of Practice to the Secretary of State on 17 December 2020. The Secretary of State will now need to lay the code before Parliament for its approval as soon as is reasonably practicable. Once the code has been laid it will remain before Parliament for 40 sitting days. If there are no objections, it will come into force 21 days after that.