The UK’s Information Commissioner’s Office (“ICO”) has recently issued a draft version of its statutory code of practice for sharing of personal data between controllers under the GDPR and the UK Data Protection Act 2018 (“DPA”) (the “Draft Code”) which provides a number of practical recommendations which controllers should take into account when sharing personal data.
First, it should be noted that the ICO can take into account compliance with such statutory codes when assessing whether an organisation has complied with its data sharing obligations including when considering principles of fairness, lawfulness, transparency and accountability. It will therefore be important for organisations to take the guidance contained in this Draft Code, once finalized, into account, as a method of helping to demonstrate compliance with the GDPR. The Draft Code also contains a number of good practice recommendations, which whilst not legally binding, may offer some helpful suggestions for implementing the ICO’s guidance in practice.
The Draft Code is clear that data sharing is defined broadly and can include where an organisation gives access to data to a third party by any means. Sharing can take place in a routine, scheduled way, or on a one off basis. We set out a summary of some of the Draft Code’s key takeaways below:
- Data Protection Impact Assessment (“DPIA”) – the ICO considers that as a first step, ahead of sharing personal data, organisations should consider whether a DPIA is required. A DPIA must be carried out where the processing is likely to result in a high risk to individuals, but the ICO recommends following the DPIA process even where an organisation is not legally required to do so. In fact, the ICO recommends that a DPIA (used as a flexible and scalable tool) be carried out for any other major projects involving sharing personal data or plans for routine data sharing, even if there is no specific “high risk” indicator. Examples provided by the Draft Code include: (i) data matching; or (ii) any processing of records where there is a risk of harm to individuals in the event of a data breach (e.g., whistleblowing).
- Data Sharing Agreements – the Draft Code states that, as an indicator of accountability, it is good practice to have a data sharing agreement in place that sets out the purpose of the sharing, covers what is to happen to the data at each stage, sets standards and helps the parties be clear about their respective roles. The ICO is clear that such agreement does not have a prescribed form and this should be governed by the scale and complexity of the sharing in question. Adhering to such agreements does not grant an indemnity from regulatory action but the ICO states that it will take such agreements into account if it were to receive a complaint. The Draft Code also makes it clear data sharing agreements should be reviewed on a regular basis.
- The Draft Code also sets out, as good practice, what should be included in the agreement, including: (i) the purpose of the initiative (i.e., why it is necessary, the specific aims and the benefits to individuals or society) in precise terms; (ii) which organisations are involved including contact details for the DPO and other key members of staff; (iii) procedures for including additional organisations and removing those no longer involved; (iv) when joint controllers the responsibilities of each controller; (v) what data is being shared; (vi) what is the lawful basis for sharing data, including any special category or criminal offence data along with the conditions for processing; (vii) procedures for compliance with individuals’ GDPR rights (including that all controllers remain responsible for compliance even if certain tasks are allocated by the agreement); and (viii) detailed information governance procedures (i.e., detailed advice on what datasets can be shared, making sure data is accurate, security arrangements, retention and deletion, accuracy and timescales for assessing ongoing effectiveness etc.).
- The Draft Code suggests organisations may also want to consider including in the data sharing agreement as an appendix or annex: (i) a summary of the key legislative provisions; (ii) if consent is the legal basis, a model consent form; and (iii) a diagram to show how to decide whether to share the data. The Draft Code proposes to include example request and decision forms in the final publication stage, together with updated data sharing checklists.
- M&A Due Diligence Considerations – the Draft Code is clear that where data is being transferred to a different controller as part of a transaction, organisations should proceed carefully with regard to data sharing, and the Draft Code must be considered as part of the due diligence process. This includes establishing the purposes for which the data was originally obtained and the lawful basis for sharing it. This considerations will apply to both the controller sharing the data and the controller receiving the data in the context of a transaction. The data sharing, and all data processing that proceeds from the sharing, should also be documented.
- Databases and Lists – the Draft Code also acknowledges that the transfer of databases or lists of individuals is a form of data sharing. It is the responsibility of the recipient controller to satisfy themselves about the integrity of the data supplied to it, including checking: (i) the source of the data; (ii) the lawful basis on which it was obtained; (iii) records of consent, if relevant; (iv) a copy of the privacy information given at the time of collection (including that it was in compliance with Article 14 of the GDPR); and (v) the data is accurate and up to date and not excessive, amongst other considerations. These considerations will also apply in an M&A context (e.g., where the acquisition involves the purchase of the target company’s customer database or the sharing of a list of employees).
- Sharing data outside the EEA – this particular sub-topic is not addressed by the Draft Code and the ICO confirms it will provide more guidance on this element in the context of data sharing in due course.
The Draft Code is currently out for public consultation until Monday 9 September 2019.