Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

At a glance

This is a statutory code of practice prepared under section 121 of the Data Protection Act 2018.

It is a practical guide for organisations about how to share personal data in a way that complies with data protection law.

It aims to give you confidence to share data fairly and proportionately.

In more detail

What is the status of this code?

This is a statutory code of practice prepared under section 121 of the Data Protection Act 2018 (DPA 2018):

"The Commissioner must prepare a code of practice which contains—

(a) practical guidance in relation to the sharing of personal data in accordance with the requirements of the data protection legislation, and

(b) such other guidance as the Commissioner considers appropriate to promote good practice in the sharing of personal data."

It was laid before Parliament on [date] and issued on [date], under section 125 of the DPA 2018. It comes into force on [date].

The code contains practical guidance on how to share data fairly and lawfully, and how to meet your accountability obligations. It does not impose any additional barriers to data sharing, but will help you comply with your legal obligations under the UK GDPR and the DPA 2018.

It also contains some optional good practice recommendations, which do not have the status of legal requirements but aim to help you adopt an effective approach to data protection compliance.

In accordance with section 127 of the DPA 2018, the Commissioner must take the code into account when considering whether you have complied with your data protection obligations when sharing data. In particular, the Commissioner will take the code into account when considering questions of fairness, lawfulness, transparency and accountability under the UK GDPR or the DPA 2018 and in the use of her enforcement powers.

The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.

How is the code affected by the UK’s exit from the European Union?

Now the UK has left the EU, a UK version of the EU GDPR has been written into UK law as the UK GDPR to sit alongside the DPA 2018.

The EU GDPR may still apply to you if you operate in the European Economic Area (EEA) or offer goods and services to individuals or monitor the behaviour of individuals there. Rules on international transfers now apply to the flow of data to and from the EEA.

If there are any further changes to the details of the future UK regime, the Commissioner will publicise them, and will note the changes on the ICO website.

For the latest information and guidance on data protection and the UK’s position regarding the EU, see the ICO website.

What happens if we don’t comply with the code?

If you don’t comply with the guidance in this code, you may find it more difficult to demonstrate that your data sharing is fair, lawful and accountable and complies with the UK GDPR or the DPA 2018.

If you process personal data in breach of this code and this results in a breach of the UK GDPR or the DPA 2018, we can take action against you.

Tools at our disposal include assessment notices, warnings, reprimands, enforcement notices and penalty notices (administrative fines). For serious breaches of the data protection principles, we have the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

There is no penalty if you fail to adopt good practice recommendations, as long as you find another way to comply with the law.

For more information, see the section on enforcement of this code.

What is the purpose of this code?

It provides practical guidance for organisations about sharing personal data in a way that complies with data protection law. It explains the law and promotes good practice. It dispels myths and misconceptions about data sharing.

Many organisations using this code of practice will have already shared data under the former data protection regime. The code should give you the knowledge and the confidence you need to continue sharing data under the UK GDPR and the DPA 2018 and assess how to share personal data in new projects and programmes. You should use the code to help you review and, where necessary, update ongoing data sharing arrangements.

The code of practice:

  • updates and reflects key changes in data protection law since the last data sharing code was published (in particular from the UK GDPR and the DPA 2018);
  • explains new developments and their impact on data protection;
  • references new areas for you to consider; and
  • helps you to manage risks in sharing data, which are magnified if the quantity of data is large.

Who is this code for?

The code is mainly aimed at organisations that are controllers sharing personal data. In particular, it is aimed at data protection officers (DPOs) and other individuals within organisations who are responsible for data sharing matters.

Please see the sections below on joint controllers and processors.

In the code the reader is addressed by the term ‘you’ (and by the term ‘we’ in some headings that take the form of questions). It uses this terminology to refer to organisations that are sharing data or considering doing so. The code will also be helpful to controller organisations receiving shared data.

Controllers are defined under Article 4 of the UK GDPR and section 32 of the DPA 2018 as having responsibility for deciding the “purposes and means of the processing of personal data”.

The code is also aimed at controllers sharing data under the law enforcement processing regime (Part 3 DPA 2018), and between the UK GDPR/Part 2 DPA 2018 and Part 3 DPA 2018. There is a separate section about this, but the code includes references to some Part 3 provisions throughout to highlight significant differences. If you are one of these controllers, you should still read the whole of this code, which distinguishes between the regimes where appropriate.

Much of the advice is applicable to public, private and social sector organisations. Some of the code is necessarily focused on sector-specific issues. However, the majority of the code applies to all data sharing, regardless of its scale and context.

Reading and understanding this code and adopting its practical recommendations will give you confidence to collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information you are sharing.

The code will help you identify what you need to consider before you share personal data and clarify when it is appropriate for you to do so.

Common misconceptions about data sharing

The code also clears up misconceptions about data sharing and barriers to sharing.

It is true that data sharing can sometimes be a complex activity. But for some organisations the perceived risks of getting it wrong - in the shape of reputational damage or enforcement action by the regulator - outweigh the benefits that can be gained from data sharing, leading to missed opportunities for innovation and improved public services.

However, data protection law is an enabler for fair and proportionate data sharing, rather than a blocker. It provides a framework to help you make decisions about sharing data.

Many of the requirements of data protection law simply place on a statutory footing the good practice that you will already have followed, or plan to follow.

The key question is often not whether you can share data, but how.

For example:

Misconception
The UK GDPR and the DPA 2018 prevent us from sharing data.

Reality
This is mistaken. Data protection law does not prevent data sharing, as long as you approach it in a fair and proportionate way. If you were able to share data lawfully under the former data protection regime, it is likely that you are able to continue to do so now. While there are some differences, the new legislation helps you to ensure you are sharing data in a way that promotes trust and transparency.

 

Misconception
There is little benefit to be gained from data sharing.

Reality
Data sharing brings significant benefits to your organisation, to individuals and to society at large. Done well, it helps government, public, social sector and commercial organisations to deliver modern, more efficient services which better meet people’s needs and make their lives easier. It can also identify people at risk, help protect them from harm and address problems before they have a significant adverse impact.

 

Misconception
We can only share data with people’s consent.

Reality
Most data sharing does not rely on consent as the lawful basis.
If you cannot offer a genuine choice, consent is not appropriate. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.

 

Misconception
We can’t share data in an emergency.

Reality
You can share data in an emergency; you should do whatever is necessary and proportionate. Examples of an emergency situation are the risk of serious harm to human life, the protection of public health, or the protection of national security. Please see our section on this topic later in the code. Where possible you should plan ahead and put contingencies in place.

The benefits of data sharing

The code highlights the benefits that sharing personal data can bring to everyone: society, organisations, and individuals, whether as citizens or consumers.

Data sharing can help public bodies and other organisations to fulfil their functions and deliver modern, efficient services that make everyone’s lives easier. It can help keep the vulnerable safe at times of crisis, and help to produce official statistics, research and analysis for better decision-making for the public good.

Conversely, not sharing data can mean that everyone fails to benefit from these opportunities; and in some instances the chance is missed to assist people in need, whether in urgent or longer-term situations.

Example

In the banking sector, Open Banking enables businesses to offer services to customers using their personal data.
For example, a fintech company can offer a service helping a customer to save, by automatically transferring money from their account to savings every month based on an analysis of their spending.

This use of their personal data benefits the customer by increasing their savings and reducing inconvenience for them. This all takes place within a framework that protects the customer’s privacy.

It benefits the bank because it allows it to benchmark products against competitors and reach new customers more easily, and provides evidence for anti-fraud prevention checks and customer verification, which is also in the public interest.

 

Example

A local area set up an integrated care record to share patient records between health and social care staff. This sharing between public and social sectors resulted in:

  • a more holistic picture about a patient’s health;
  • coordinated and safer care across the region;
  • better decision-making around a patient’s care; and
  • patients only having to tell their story once.

 

Example

A private day nursery collected information about the behaviour of an adult towards a child in its care and found a concerning pattern.

The nursery shared this information with local authority safeguarding leads to protect the child and others, and to investigate the adult’s behaviour.

 

Example

Several health professionals from different organisations and care businesses were involved in providing health and social care to a group of older adults. By exchanging information about recent changes in behaviour from one of the clients, they identified a pattern of evidence indicating the person might be a victim of abuse. To ensure the safeguarding of the person, they shared this information with the person’s social worker for further investigation.

How should we use this code?

The code covers data sharing by controller organisations (organisations that determine how personal data is used) under two separate regimes:

  • general processing under the UK GDPR, which has to be read together with Part 2 of the DPA 2018; and
  • law enforcement processing under the law enforcement provisions in Part 3 of the DPA 2018.

It also covers data sharing between the two regimes.

Most data sharing is likely to be under the UK GDPR and Part 2 of the DPA 2018 because it involves sharing data that is not law enforcement or intelligence personal data, but where provisions differ we clarify this as far as possible. The main body of the code therefore applies to processing under the UK GDPR and Part 2 of the DPA 2018. There is a separate section in this code on law enforcement processing under Part 3 of the DPA 2018 that describes the differences in more detail, but controllers carrying out that type of processing should still read the whole of the code.

While the code does not cover the details of data sharing under the intelligence services regime in Part 4 of the DPA 2018, it is relevant to that regime, subject to the specific provisions of Part 4.

The code also discusses data sharing for defined purposes across the public sector under the Digital Economy Act 2017.

The code is complementary to other ICO guidance and codes of practice about data protection. It assumes knowledge of key data protection terms and concepts. While the code stands as your guide to data sharing, it does not seek to reproduce other ICO guidance, and you might need at times to refer to guidance on the ICO website or contact our helpline. The code will highlight particular instances when it would be useful for you to refer to such guidance.

In particular, you will find it helpful to use the data protection impact assessment (DPIA) process along with the code when considering sharing data. Some or all of the DPIA questions are likely to help you when you are assessing whether it is appropriate to share data, and whether it would be in compliance with the law. You can find more on DPIAs later in the code.

Another area where you will find it helpful to refer to detailed ICO guidance is in checking whether an exception, exemption or restriction applies in your circumstances, under the UK GDPR or the DPA 2018.

For instance, if an exemption applies under the DPA 2018, you may not have to comply with all the usual rights and obligations. There is a wide range of exemptions relating to matters such as crime and taxation, certain regulatory functions, journalism, research and statistics, and archiving in the public interest.

Using the code

The code is divided into sections headed by each topic, and there are links to content in the guide to Navigating the data sharing code, and throughout the code to help you find your way around it.

As stated above, you will find it helpful to refer to other information and guidance. Because the code is statutory and is not readily updatable, any hyperlinks to guidance, tools and further information from the ICO or other sources are contained in boxes headed “Further reading”. These links do not form part of the code.

To clarify any unfamiliar terms and acronyms, you may also wish to refer to the Glossary towards the end of the code.

We have used examples in the code to illustrate the law and good practice. You can find longer case studies in Annex C.

In addition to linking to sources of information outside the code (for example, links to guidance, such as on conducting a DPIA) the code contains tools for you to use:

  • The guide to Navigating the data sharing code directs you to the section of the code that you need.
  • Annex A is a checklist to help you decide whether or not to share data.
  • Annex B contains template data sharing request and decision forms.

Further reading

Guide to data protection
Guide to Law Enforcement Processing
Guidance on exemptions
Further resources and support are available on the ICO data sharing information hub.

Why should we use the data sharing code?

The benefits for you in adopting the recommendations in the code may include:

  • greater trust in you by the public and customers, whose data you may want to share;
  • an improved understanding of whether and when it is appropriate to share personal data;
  • greater confidence within your organisation that you are sharing data appropriately and correctly;
  • the confidence to share data in a one-off situation or in an emergency;
  • a reduced reputational risk when sharing data;
  • more robust, demonstrable compliance with the law; and
  • better protection for individuals whose data you are sharing.

Further reading

Controllers and processors