On 17 December 2020 the ICO published its Code of Practice on Data Sharing. The code is statutory guidance under section 121 of the Data Protection Act 2018.
The code includes helpful and empowering guidance which will undoubtedly be of assistance to all data controllers including charities. It expressly covers disclosures to law enforcement agencies; the sharing of safeguarding information about both children and adults with public sector agencies; and data sharing to facilitate research. It provides guidance on how organisations should approach both routine and one-off data sharing.
The code focuses on ‘controller to controller’ sharing, rather than circumstances in which data is shared from a controller to a processor or within an organisation. While legal obligations govern processing in those circumstances, controllers should look elsewhere for guidance on how to fulfil their duties.
The Information Commissioner explains that the code is intended “to give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way in this changing landscape.” The ICO hopes to “dispel many of the misunderstandings about data sharing” and to demonstrate “that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist.” There certainly appears to be a desire to counter any ‘computer says no’ reputation and to give organisations the confidence to share data fairly and proportionately.
The code will be welcomed by charities which are often confronted with difficult decisions about how to share the data of beneficiaries and staff. Below are some of the key takeaways for the sector.
The code makes the following overarching points:
- data protection law facilitates data sharing when you approach it in a fair and proportionate way;
- data protection law is an enabler for fair and proportionate data sharing rather than a blocker. It provides a framework to help you make decisions about sharing data;
- data sharing has benefits for society as a whole;
- sometimes it can be more harmful not to share data.
It reminds and guides controllers on how to comply with the data protection principles when sharing data. Controllers must demonstrate accountability; ensure fair and transparent processing; have at least one lawful basis for sharing the data; and process the personal data securely with appropriate organisational and technical measures in place.
Data Protection Impact Assessments (DPIAs)
The code provides guidance on when controllers should complete a DPIA. Although controllers are obliged to carry out a DPIA for data sharing that is likely to result in a high risk to individuals, the ICO recommends that they are used as a useful, flexible and scalable tool even where controllers are not legally obliged to conduct one.
Used in this way at the outset of a project, the DPIA can help you to identify the lawful basis of process and ensure that the processing is compliant with the data protection principles. If it is difficult to reconcile the processing with these, the DPIA will provide a timely indicator that the project itself may need to be reviewed.
Law enforcement processing
The code emphasises that data protection law does not prevent appropriate data sharing when it is necessary to protect the public, to support ongoing policing activities, or in an emergency. While requests by law enforcement agencies must be reasonable and the necessity for the request should be explained to the organisation, the ICO clearly wants to give confidence to organisations that they can share data for law enforcement purposes in compliance with the GDPR and the Data Protection Act 2018.
Law enforcement processes are defined as: “the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.
The code also provides guidance on sharing special category and criminal conviction data with competent authorities such as the police and the additional safeguards that the legislation imposes in those circumstances.
Charities might occasionally encounter urgent or emergency situations in which decisions about whether or not to share personal data need to be taken quickly. The ICO is clear that, in an emergency, controllers should go ahead and share data as is necessary and proportionate. Not every urgent situation is an emergency but an emergency will include:
- preventing serious physical harm to a person;
- preventing loss of human life;
- protection of public health;
- safeguarding vulnerable adults or children;
- responding to an emergency; or
- an immediate need to protect national security.
A failure to share data might, in certain circumstances, cause significantly more harm than sharing the data. The code notes:
“Tragedies over recent years such as the Grenfell Tower fire, individual instances of self-harm, major terrorist attacks in London and Manchester, and the crisis arising from the coronavirus pandemic have illustrated the need for joined-up public services responses where urgent or rapid data sharing can make a real difference to public health and safety. In these situations, it might be more harmful not to share data than to share it. You should factor in the risks involved in not sharing data to your service.”
Processing relating to children
The code includes a section dedicated to sharing children’s personal data. Particular care must be taken when processing children’s data. The United Nations Convention on the Rights of the Child, from which the code quotes, declares that: “In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.”
A few key takeaways from this section include:
- the privacy information you provide must be clear and presented in plain, age-appropriate language;
- consent is not the only lawful basis to use. Other lawful bases might be more appropriate;
- if you are relying on consent, you must consider the competence of the child to give their own consent, and whether that consent is freely given (for example, whether there is an imbalance of power which is likely to invalidate the consent);
- you should also consider the child’s competence if you are relying on the lawful basis that the sharing is necessary for the performance of a contract.
In addition, the code provides helpful guidance on sharing data sets, data sharing agreements and data protection considerations associated with due diligence when sharing data following mergers and acquisitions.
Charity data controllers who are planning a project or who are asked to share data on an ad hoc basis are advised to consider the ICO’s new guidance before proceeding. While a failure to follow good practice will not lead to enforcement action, compliance with the practical guidance set out in the code will help to ensure that data controllers stay on the right side of their legal obligations.