At a glance
The code covers the sharing of personal data between organisations that are controllers.
It includes when you give access to data to a third party, by whatever means.
Data sharing can take place in a routine, scheduled way or on a one-off basis.
When needed, you can share data in an urgent or emergency situation.
In more detail
- Data sharing between controllers
- Sharing data with a processor is not covered by the code
- “Data sharing” within an organisation is not covered by the code
- Data sharing covered by the code
- Routine data sharing
- Ad hoc or one-off data sharing
- Data pooling
The code focuses on the sharing of personal data between controllers, ie where separate or joint controllers determine the purposes and means of the processing of personal data, as defined in UK GDPR Article 4(7).
If a controller asks another party to process personal data on its behalf, for the purposes of the UK GDPR the other party is a “processor”, as defined in Article 4(8) of the UK GDPR. The UK GDPR draws a distinction between a controller sharing personal data with another controller, and a processor processing personal data on behalf of a controller.
Article 28 of the UK GDPR lays down requirements that must be in place between a controller and processor, in order to protect the rights of the data subject. These requirements include a written contract and guarantees about security. Under the UK GDPR a processor must only process personal data on documented instructions from the controller. A processor has its own liabilities and responsibilities both under the contract and the UK GDPR.
This type of processing arrangement is outside the scope of this code, but further information is available on the ICO website.
The code does not apply to the disclosure of data within the same organisation, where the controller is one and the same. The movement of data by one part of an organisation to another part - by the controller to itself - is not data sharing. The other obligations under data protection law obviously still apply, however.
There is no formal definition of data sharing within the legislation, although the scope of this code is defined by section 121 of the DPA 2018 as “the disclosure of personal data by transmission, dissemination or otherwise making it available”. This includes:
- providing personal data to a third party, by whatever means;
- receiving personal data as a joint participant in a data sharing arrangement;
- the two-way transmission of personal data; and
- providing a third party with access to personal data on or via your IT systems.
For the purposes of this code, data sharing does not include providing data access to employees or contractors, or with processors such as third-party IT processors. Please read the paragraphs later in this section on sharing data with processors.
The following examples illustrate a range of data sharing types within the scope of the code:
- a one-way or reciprocal exchange of data between organisations;
- an organisation providing another organisation with access to personal data on its IT system for a specific research purpose;
- several organisations pooling information and making it available to each other or to a third party or parties;
- data sharing on a routine, systematic basis for an established purpose;
- one-off, exceptional or ad hoc data sharing; and
- one-off data sharing in an urgent or emergency situation.
Examples of real-life data sharing activities
- a bank disclosed personal data about its employees to an anti-fraud body;
- a primary school passed details about a child showing signs of harm to the police and social services;
- the police and Border Force exchanged information about individuals thought to be involved in serious crime;
- a supermarket gave information about a customer’s purchases to the police following an allegation of shoplifting;
- a secondary school provided information about its pupils to a research company for research purposes; and
- a multi-agency network group regularly exchanged information about individuals for safeguarding or social care purposes.
The code only applies to sharing personal data. Neither the UK GDPR, the DPA 2018, nor this code, applies to sharing information that does not constitute personal data. Some sharing doesn’t involve personal data; for example, if an organisation is sharing information that cannot identify anyone (anonymous information; please refer to the ICO website for forthcoming guidance on anonymisation).
These are two examples of data sharing, one of which is subject to the UK GDPR and the second which is not.
A travel business collects data on individual travel movements. Prior to sharing with third parties, it removes directly identifiable information such as name or address from the data. In this case, it is still personal data as it is very likely that an individual could be identified by combining the data with other available information; for example, social media accounts. This will be considered personal data under the UK GDPR.
However, if the travel business shares high-level aggregate statistics with third parties, for example: “on Fridays, for a particular journey there are 130% fewer passengers than on Tuesdays”, no individual can be identified. Therefore this would qualify as anonymous information and is not personal data under the UK GDPR.
The position is different for pseudonymised data. Data which has undergone pseudonymisation is defined in the UK GDPR as data that can no longer be attributed to a data subject without the use of additional information. If you have pseudonymised the data according to the definition of the UK GDPR, such that the additional information could be used to re-identify a data subject within that data, then you must treat the pseudonymised data as personal data.
It is common to consider data sharing as falling into two main types of scenario:
- data sharing on a frequent and/or regular basis, also known as routine or ‘systematic’ data sharing, where the same data sets are regularly shared between the same organisations for an established purpose; and
- exceptional, one-off decisions to share data for a purpose that is ad hoc, unexpected or due to an urgent situation or an emergency.
Different approaches apply to these two scenarios, and the code reflects this. Most of the code concentrates on routine data sharing.
This is data sharing done on a regular basis in a routine, pre-planned way. It generally involves sharing data between organisations for an established purpose - perhaps with standardised data structures and values - at regular, scheduled intervals.
For example, a group of organisations might make an arrangement to share or pool their data for specific purposes, again on a frequent and/or regular basis.
If you are carrying out this type of data sharing, you should establish rules and agree procedures in advance.
It is good practice to formalise your data sharing through a data sharing agreement. However in some instances you may decide, or be asked, to share data in ad hoc situations that are not covered by any routine arrangement or agreement. It is still possible to share data in this situation, but you should carefully assess the risks every time. We recommend that you make plans to cover such contingencies.
Sometimes you may have to make a decision quickly about data sharing in conditions of real urgency, or even in an emergency situation. You should not be put off from data sharing in a scenario like this; in an urgent situation you should assess the risk and do what is necessary and proportionate. Please see the section later in this code on Data sharing in an urgent situation or in an emergency.
Data pooling is a form of data sharing where organisations decide together to pool information they hold and make it available to each other, or to different organisations, for a specific purpose or purposes. The organisations should consider whether they are separate or joint controllers.
If the organisations are joint controllers, under Article 26 of the UK GDPR they must enter into a formal, transparent arrangement setting out agreed roles and responsibilities for complying with the UK GDPR. For more details, you should refer to the guidance on controllers and processors on the ICO website.