On 17 December 2020, the UK’s DPA (“ICO UK”) announced the publication of its new Data Sharing Code of Practice (“the Code”) along with a suite of new resources, which aim to provide practical advice to businesses and organizations on how to carry out responsible data sharing.
In a nutshell, the Code covers the sharing of personal data between controllers but does not apply to data sharing with processors or within the same organization. In particular, the Code outlines what controllers need to consider when deciding to share data, including carrying out a Data Protection Impact Assessment (“DPIA”) when the data sharing is likely to result in a high risk to individuals. In addition, the Code notes that, although not mandatory, having a data sharing agreement in place is good practice. In this respect, it is recommended that such an agreement include, among other things, the purpose of the data sharing, the lawful basis of the sharing, the types of data intended for sharing, and the way of handling data subjects’ access requests.
The ICO UK submitted the Code of Practice to be laid before Parliament for its approval. Once the Code has been laid, it will remain before Parliament for 40 sitting days, and if there are no objections, it will come into force 21 days after that.
Alongside the Code, the ICO UK launched a data sharing information hub where targeted support and resources are available, including data sharing FAQs for small organizations and businesses, case studies, data sharing checklists, and related template documents.