The new code covers data sharing between data controllers (including data sharing as joint controllers). It does not deal with data sharing between a controller and its data processors.
Points to note include the following:
- Before sharing data, a controller should identify its objective in sharing the data and consider whether the data sharing is necessary and achieves a benefit.
- The ICO recommends carrying out a data protection impact assessment (DPIA) even where this is not legally required, to assist in assessing any risks in the proposed data sharing and to promote public trust in the controller’s data sharing plans.
- A controller with which data is shared will become legally responsible for the data. However, the sharing controller should still take reasonable steps to ensure that the data will continue to be adequately protected by the receiving controller.
- The ICO considers it good practice to have a data sharing agreement that sets out the purpose of the data sharing, what happens to the data at each stage and the standards to be met, and that helps all parties to understand their roles and responsibilities.
- A data sharing agreement should also cover: the lawful basis for the data sharing (which may not be the same for different parties to the data sharing arrangement); how data subjects’ rights will be met; ensuring that data being shared is accurate; the retention or deletion of data; and procedures for dealing with the termination of the agreement.
- A data sharing agreement should be reviewed regularly, and also if there is a significant complaint or security breach.
- The code includes a checklist of matters to consider before sharing data, plus a template data sharing request and decision form.
The data sharing code of practice was submitted to the Secretary of State on 17 December 2020. The Secretary of State will lay the code before Parliament. If, after 40 days, there are no objections, the code will come into force following a further 21 days.
Authored by the pension team