ICO publishes data sharing code of practice

The ICO has published an updated data sharing code of practice.

The Code

The original data sharing code of practice came into force in 2011. The updated code addresses the updated requirements in the GDPR (in force in the UK under the UK-GDPR) and Data Protection Act 2018. It addresses various parts of the updated data privacy laws, including transparency, lawful bases for using personal data, the new accountability principle and the requirement to record processing activities.

The updated code applies to sharing of personal data between controllers, as well as controllers giving third parties access to personal data. It does not apply to data sharing with processors, nor internal disclosures within an organisation.

The updated code contains a data sharing checklist and data sharing request and decision templates. This will assist organisations when deciding whether to share personal data and demonstrate accountability.

The ICO recommends organisations first conduct a data protection impact assessment when considering sharing personal data. In addition, it recommends a data sharing agreement is in place.

The ICO has also launched a data sharing information hub with further guidance and information. 

Next steps

The ICO submitted the updated code to the Secretary of State on 17 December 2020. It will be laid before Parliament for approval as soon as reasonably practicable and if there are no objections after 40 days of Parliament sitting, it will come into force 21 days after that.

Once Parliament approves the updated code, the ICO will use it when assessing if organisations have shared personal data lawfully.