Data Sharing Code of Practice: SCL Response

January 6, 2011

In October 2010, the Information Commissioner’s Office launched a consultation on a statutory code of practice on the sharing of personal data. The draft Code sets out a model of good practice for public, private and third sector organisations, and covers routine data sharing as well as one-off instances where a decision is made to release data to a third party.

SCL’s Privacy and Data Protection Group, led by Nicola Fulford of Bristows, has put together a response which highlights a number of defects in the draft Code and makes constructive suggestions for improvement.

The response is available in full from the panel opposite. A recurring feature of the response is that it points up the ICO’s focus on public sector issues which, the response suggests, clouds some of the guidance that is applicable in the private sector. The Group recommend that the final version of the Code distinguishes more clearly between the data protection requirements for public authorities and those for private controllers. 

Concern is also expressed about a lack of clarity in the draft Code in its use of the term ‘data sharing’. That concern focuses especially on the suggestion that data sharing can cover the passing of information from one part of an organisation to another part of the same organisation, such as the release of information for HR to payroll: ‘We are concerned about the huge practical implications which would arise if the Code also applied to data flows within an organisation. We therefore strongly recommend that the ICO clarifies that the Code applies to data sharing between different legal entities only‘. 

The ambit of the draft Code, which purports to cover sharing and disclosure, is also commented upon and it is suggested that the final version of the Code should make clearer distinctions and more precisely define its scope. Confusion within group companies is highlighted as one current source of confusion about whether there is data sharing, with the potential for inadvertent breach of the DPA; the response suggests that an explanation of the need for a data sharing protocol within the context of a group would be a valuable addition to the Code. 

The response includes a number of concrete and detailed suggestions for improving the clarity of the Code. It also suggests that more guidance should be made available to the receiver of the data – the draft Code focuses largely on the sender – and that the Code would benefit from some coverage of the need to undertake due diligence: ‘It would also be helpful if the Code said something about the need to undertake due diligence on third party data recipients (i.e. for principle 7 compliance), and the potential consequences of not doing so – for example, if a data recipient abuses data it received, could the data sharer‘s failure to undertake appropriate due diligence of the recipient before sharing data constitute “recklessness” for the purposes of issuing a monetary penalty notice?