About this code
- This is a statutory code of practice made under section 121 of the Data Protection Act 2018.
- It is a practical guide for organisations about how to share personal data in compliance with data protection law. It aims to give you confidence to share data fairly and proportionately.
Data protection law enables fair and proportionate data sharing
- Data protection law facilitates data sharing when you approach it in a fair and proportionate way.
- Data protection law is an enabler for fair and proportionate data sharing, rather than a blocker. It provides a framework to help you make decisions about sharing data.
- This code helps you to balance the benefits and risks and implement data sharing.
- Data sharing has benefits for society as a whole.
- Sometimes it can be more harmful not to share data.
- When considering sharing data:
- you must comply with data protection law;
- we recommend that you assess the risks using a Data Protection Impact Assessment (DPIA); and
- it is good practice to have a data sharing agreement.
- When sharing data, you must follow the key principles in data protection legislation:
- The accountability principle means that you are responsible for your compliance, and you must be able to demonstrate that compliance.
- You must share personal data fairly and transparently.
- You must identify at least one lawful basis for sharing data before you start any sharing.
- You must process personal data securely, with appropriate organisational and technical measures in place.
- In your data sharing arrangement, you should have policies and procedures that allow data subjects to exercise their individual rights easily.
- You can share data in an emergency, as is necessary and proportionate. Examples of an emergency situation are the risk of serious harm to human life, or the immediate need to protect national security.
- You may share children’s data if you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
- The government has devised a framework for the sharing of personal data, for defined purposes across the public sector, under the Digital Economy Act 2017 (DEA).
UK exit from the European Union
- Now the UK has left the EU, the GDPR (which we refer to in this code as the EU GDPR) has been written into UK law as the UK GDPR, to sit alongside the DPA 2018.
- For the latest information and guidance on data protection and the UK’s position in relation to data protection and the EU, see the ICO website.
- The ICO upholds information rights in the public interest. Our focus is to help you carry out data sharing in a compliant way. We will always use our powers in a targeted and proportionate manner, in line with our regulatory action policy.