Sharing personal data with other data protection ‘controllers’ is a regular activity for most organisations and their Data Protection Officers (DPOs); whether it is between local authorities and the health service or the local police; between employers and central government; or, between a private company and a trading partner. The publication of the ICO’s new draft Code of Practice on Data Sharing (16 July 2019) is, therefore, a significant development (https://ico.org.uk/media/about-the-ico/consultations/2615361/data-sharing-code-for-public-consultation.pdf).
The Code is currently out for consultation. There is much in it that is welcome, and it locates data sharing clearly within the context of the GDPR and Data Protection Act 2018 (DPA 2018). On some points, however, Data Protection Officers or their colleagues might wish to consider putting in responses.
It is suggested that the following features of the draft Code may be particularly welcome:
- The Code is clear that it concerns sharing between controllers only (page 4). Unlike its predecessor, it no longer seeks also to include movements of data within a controller (eg from one department to another) which previously caused much confusion. The new Code also makes clear (page 19) that it does not apply to what is sometimes incorrectly described as ‘sharing’ of data with a processor. It is now clear that GDPR, Article 28 governs that relationship, and that it falls outside data sharing.
- There are several helpful examples of ‘misconceptions’ with the GDPR, such as that data protection prevents sharing (pages 12-13).
- The importance of a Data Protection Impact Assessment (DPIA) before many sharing arrangements is usefully explained. Examples of proposed sharing which should, in the ICO’s view, be preceded by a DPIA include (page 21):
  - data matching
  - ‘invisible’ processing (where the data come from a third party, and the controller considers it to be impossible or disproportionate to inform the data subject in a Privacy Notice)
  - processing where there is a risk of harm from a data breach (eg data arising from whistleblowing, or social care records).
- There is helpful reassurance in the Code about one-off emergency sharing, provided it is necessary and proportionate (page 18; see also page 81).
- Under a heading of ‘Governance’, there is a list of steps recommended before sharing (eg checking the accuracy and compatibility of datasets); although this is less fully-explained than in the current Code (page 28).
There are useful new sections on:
- mergers (page 70)
- sharing lists and databases (page 73)
- sharing of children’s data. (Caution is necessary. A DPIA is recommended, and the controller must consider the best interests of the child – pages 77-79)
The interesting concept of ‘data trusts’ is also introduced, in a section on the ethics of sharing. These are structures, which are currently being piloted, to give stewardship of data to a third party in order to enable access by new technologies (such as Artificial Intelligence), with the aim of retaining trust in the processing (page 85).
The Code as a whole is written in a straightforward style; although it is perhaps not quite so accessible as its predecessor. With the adoption of significant monetary penalties for breaches of the GDPR, some may detect a heavier emphasis on enforcement (pages 88-90).
There may, however, be a concern that, like its predecessor, the Code contains no template (or outline) of a Data Sharing Agreement; notwithstanding that such arrangements remain the principal vehicle recommended by the ICO with which to conduct sharing (pages 25-26). Such agreements are obviously as various as their subject matter; but many will nonetheless have a number of features in common. From discussions with practitioners, many have been unclear about the appropriate format for a Data Sharing Agreement, or the best level of detail. One or more partial templates would assist in overcoming an understandable hesitation over drafting quasi-legal documents. There is a list of headings (on page 26), as in the current Code, but such a list has been considered in a number of previous discussions with practitioners not to offer sufficient guidance. The ICO should, it is suggested, consider providing a template, or at least an outline, of some likely common elements or partial variants; as well as fuller guidance on their potential content.
Other areas where there may be views in response might include:
- The Code does include a definition (or description) of data sharing, which is an improvement on the statutory definition in DPA 2018, s 121(5) (‘the disclosure of personal data by transmission, dissemination or otherwise making it available’, which conveys very little); but it is still arguably too narrow. The ICO’s version (‘giving personal data to a third party, by whatever means; and includes when you give a third party access to personal data on or via your IT systems’) helpfully emphasises that giving access amounts to sharing. Read strictly, however, this description still does not refer to the receipt of data as constituting participation in ‘sharing’; nor to two-way transmission (although some of the examples are of this type). A fuller explanation of the scope of sharing would be useful. The description also does not appear until page 16 of the Code, leaving room for uncertainty beforehand.
- The text of one of the ‘misconceptions’ could be read as giving the impression that consent will form a lawful basis for sharing more often than is likely to be the case. Its description of the extent of such reliance (‘Not always’) is confusing since, as the subsequent text makes clear, the majority of sharing will rest on another lawful basis (page 13).
- There is a reference to the need to impose restrictions on onward sharing, without discussing the lack of a power to do so (so that in practice it is a matter for agreement); or how this should be approached (page 23, 2nd bullet).
- Guidance on sharing outside the European Economic Area (EEA) is to follow ‘in due course’, with a general cross-reference to the ICO’s site (page 24). This is disappointing, given the current timetable for Brexit, and the fact that legislation (at least concerning transitional arrangements, the transmission of data from the UK, and the territorial jurisdiction of the GDPR/DPA 2018 after Brexit) is already in place. (See SI 2019/419, and the amendments to GDPR, Article 3 and to DPA 2018, s 207 respectively.)
- A short section on lawful bases for processing special category or criminal data is confusing. It does not explain sufficiently how the ‘conditions’ in DPA 2018, Schedule 1 (effectively expanded or additional lawful bases to those in Article 9) are intended to work; omitting the important group on ‘Substantial Public Interest’ processing (pages 39-40). Another section on the processing of criminal data under the GDPR to a law enforcement body is similarly confusing (pages 64-66); needing a clearer and less technical explanation of how ‘Article 10’ processing of such data works under DPA 2018, s 10(5) and Schedule 1. Both underline too the urgent need for ICO guidance on the DPA 2018.
- The need in the public sector for legal powers to share is downplayed; whereas one of the strengths of the previous Code was its emphasis on this point. In the draft, the description of an implied power to share as having to be ‘laid down by law’ (while not needing to be ‘an explicit statutory provision’) is likely to be confusing to those without experience in implying such powers (page 59, 2nd bullet).
- Cross-references to issues on the ICO site are often general rather than to specific links (eg pages 17, 24, 37, 45, 66, 75).
The draft new Code is almost twice the length of the current one. It is tied closely to the GDPR and DPA 2018. As well as being an obligation in DPA 2018, s 121(1), it meets a clear need to clarify the impact of the two measures on data sharing, and to emphasise that sharing is not a separate branch of data protection, as people often assume (ie the same rules apply to data sharing, as to other forms of processing). Both its greater length, and its more technical language in places, however, may limit to some degree its accessibility to non-specialists; which has been a valuable feature of the current Code.
The opportunity exists with the consultation (although awkwardly timed over the summer) for DPOs or their colleagues to assess the draft Code, and offer views on any issues which seem from their experience to be significant.
Comments are invited by 9 September 2019, via a survey on the ICO’s website, or by email or post.
Damien Welfare specialises in Information Law, and is the author of Cornerstone on Information Law (Bloomsbury, 2019), a one-volume guide for practitioners to Data Protection, Freedom of Information, and the Environmental Information Regulations. The book is fully up to date with the regulations (SI 2019/419) enacted to apply after Brexit; while also describing the data protection law before Brexit, or if it does not occur.