On July 16, 2019, the UK’s Information Commissioner’s Office (“ICO”) released a new draft Data sharing code of practice (“draft Code”), which provides practical guidance for organizations on how to share personal data in a manner that complies with data protection laws.  The draft Code focuses on the sharing of personal data between controllers, with a section referring to other ICO guidance on engaging processors.  The draft Code reiterates a number of legal requirements from the GDPR and DPA, while also including good practice recommendations to encourage compliance. The draft Code is currently open for public consultation until September 9, 2019, and once finalized, it will replace the existing Data sharing code of practice (“existing Code”).

Key practical points from the draft Code are

  • As a first step to embarking on data sharing, organizations should decide whether to carry out a Data Protection Impact Assessment (DPIA). Organizations should also take into account various factors (such as the purposes of the data sharing, whether anonymization is possible, what risks may be posed to individuals, and so forth) before deciding to share personal data. A list of suggested questions to consider is provided in pp. 22-23 of the draft Code.
  • It is good practice for organizations sharing personal data to put in place a data sharing agreement. Data sharing agreements should set out the purpose of the data sharing, cover what happens to the data at each stage, set standards, and clarify the roles of the parties involved.  A list of suggested issues that should be addressed in a data sharing agreement is provided in pp. 26-29 of the draft Code.  Organizations are also advised to keep data sharing agreements under review as a project progresses.
  • In order to ensure compliance with the accountability principle, organizations should maintain records as required by data protection law. These include records of processing activities, records of privacy notices provided, records of consent obtained (where applicable), records of lawful basis for processing, and records of personal data breaches.
  • When deciding to share personal data, organizations should also check to ensure they comply with any other applicable laws (e.g., human rights law, rules on public sector data sharing, and others) and consider whether it is ethical to share the data.

While the draft Code builds on the existing Code, it provides quite a bit of new information, including placeholders where additional content will be added before the document is finalized (e.g., a section on sharing data outside of the European Economic Area, as well as updated data sharing checklists and new template for data sharing request & decision forms).  The draft Code includes several new sections on specific topics of interest, such as data sharing and children, data sharing in the context of M&A deals, sharing of databases and lists, data ethics and data trusts, and law enforcement processing.  While checklists and other forms in Annex A and B are still forthcoming, Annex D provides a number of useful case studies applying the content of the draft Code to real-life scenarios.

After the public consultation period, which ends on September 9, 2019, the draft Code will be approved by Parliament before it becomes a statutory code of practice.  Although failure to comply with the Code will not of itself be a cause of action, processing personal data in breach of the Code will usually result in a breach of the GDPR or the DPA.  Also, the Code can be used as evidence in legal proceedings, and the ICO, courts and tribunals are required to take into account the provisions in the Code where relevant.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws…

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide.  Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements related to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer registered on the B-List of the Brussels Bar, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.