On 7 October 2010, the Information Commissioner’s Office (ICO) published a draft statutory Code of conduct for the sharing of personal data, using its powers under Sections 52A and 52D of the Data Protection Act 1998 (DPA). The ICO is conducting a consultation on the content of the proposed Code. The Code will have statutory effect. Whilst it does not impose additional legal obligations and is not intended to be an authoritative statement of the law, it is designed to be used in evidence in legal proceedings, and not only in proceedings under the DPA.
The Draft Code
The draft Code is divided into 12 sections.
Data Sharing and The Law
This section looks at powers and obligations of data-sharers grouped into individuals and public and private sector organisations.
Deciding to Share Personal Data
This section prompts the data owner to consider the reasons for sharing data, the information that needs to be shared, the criteria for sharing and whether the objective could be achieved without sharing data.
Fairness, Transparency and Consent
The draft Code draws a distinction between situations in which users would expect data to be shared and those in which data sharing would be unexpected; each has different requirements for fairness and transparency.
This section sets out a series of good-practice measures that data controllers should follow, including assessing the value, sensitivity or confidentiality of the data and affording appropriate security.
The Code urges data sharers to undertake privacy impact assessments and encourages organisations to enter into data sharing agreements in order to set out a common set of rules to be adopted. The Code states that such agreements should be reviewed regularly, particularly where information is to be shared on a large scale or a regular basis.
This section details subject access rights, individuals’ rights to object to use of data that causes them substantial, unwarranted damage or distress and their rights to have queries or complaints about the sharing of their data dealt with.
ICO’s Powers and Penalties
The Code sets out the ICO’s powers in respect of compliance and enforcement, including Information Notices, requesting undertakings, Enforcement Notices and monetary penalties of up to £500,000 for serious contravention of the data protection principles.
Notification Under the DPA
This section provides a reminder that where several organisations share data, each one must be clear about the personal data for which it is responsible and include that information on its notification.
Freedom of Information
This section refers public sector data sharers to information on the ICO website about their obligations under the Freedom of Information Act 2000 and also to the INSPIRE Regulations 2009.
Things to Avoid
The list of things to avoid includes misleading individuals about whether their data is to be shared, sharing excessive or irrelevant information, needlessly sharing personal information, not taking reasonable steps to ensure that information is accurate before sharing it, using incompatible systems that result in the loss or degradation of the personal data, and having inadequate security.
Suggested Contents of Data Sharing Protocol
This section sets out guidance about the purpose of the data sharing initiative, the organisations that will be involved, the data to be shared, the basis for sharing, access and individuals’ rights and information governance.
The Code ends with nine case studies applying the good practice principles to real-life scenarios, including commercial, public and private sector, healthcare and law enforcement (i.e., sensitive personal data).
The consultation seeks to understand whether the draft Code strikes the right balance between recognising the benefits of sharing personal data and the need to protect it, whether it is clear and understandable, adequately covers different types of data sharing, and whether the ICO’s powers and penalties are explained clearly enough together with their relevance to data sharing. The Data Sharing Code of practice consultation closes on 5 January 2011.
The DPA has been much misunderstood but has also been the subject of some well-founded criticism, for example in relation to police forces that have been hampered by an inability to share data effectively due to misguided application of its provisions. This has resulted in a negative perception of the Act as pointless red tape and the new Code, if it is well used, may go some way towards redressing this.