The ICO’s Data Sharing Code of Practice comes into force on 5 October 2021. It was laid before Parliament on 18 May 2021 and issued on 14 September 2021 under the DPA (Data Protection Act) 2018. Its goal is to enable responsible data sharing by setting up best practices.
How to achieve responsible data sharing? What should be in a data sharing agreement? When do you need a data sharing agreement? These questions will be answered thanks to the ICO Data Sharing Code example.
Responsible data sharing
Data sharing means sending data, receiving data, or both. So, it can lead to many economic and social benefits, including more significant growth, technological innovations, and the delivery of more efficient and targeted services.
Information Commissioner Elizabeth Denham said the COVID-19 pandemic brought the need for fair, transparent and secure data sharing into even sharper focus. She said:
“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.”
What should be in a data sharing agreement?
Most organisations carry out data sharing, whether between organisations within the group or with external third parties. However, if the data being shared by an organisation is “personal data”, additional steps need to be taken to ensure the sharing of such personal data is lawful.
Data sharing agreements identify the parameters which govern the collection, transmission, storage, security, analysis, re-use, archiving, and destruction of data.
According to the ICO, a data sharing (or transfer) agreement should include details about:
- the parties’ roles
- the purpose of the data sharing
- what is going to happen to the data at each stage
The ICO Data Sharing Code
The new ICO’s Data Sharing Code replaces the previous code from 2011, published in relation to the Data Protection Act 1998. The new Code primarily addresses data sharing by controllers and guidance on sharing personal data fairly, lawfully and in compliance with the accountability principle. Information Commissioner Elizabeth Denham said:
“We have written this Data Sharing Code to give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way in this changing landscape. This code will guide practitioners through the practical steps they need to share data while protecting people’s privacy. We hope to dispel many of the misunderstandings about data sharing along the way.”
The regulator will also increase its engagement with organisations to help them understand the code and promote the benefits of sharing data.
TrustArc advice on data sharing
Before any data sharing, it is essential to establish:
- the identity of and the relationship between the parties
- the type of personal data being shared
- the legal grounds for sharing such personal data
- where the relevant parties are based.
Furthermore, organizations need to ensure that any data sharing is properly documented, including in the Register of Processing Activities. Unlawful data sharing can have enormous consequences and fines. It could lead to bad publicity and its adverse impact on brand value, consumer confidence and business profit.
TrustArc can help you ensure your data sharing arrangement is compliant with the data protection legislation in the UK or the country your organisation is based. With PrivacyCentral, TrustArc helps you meeting data regulation standards successfully. Click here to schedule a PrivacyCentral demo.