ICO’s data sharing code of practice is in full force
11th October 2021
The data sharing code of practice, published by the UK ICO, came into force on 5th October 2021. It was laid before Parliament on 18th May 2021 and then issued on 14th September 2021 under the Data Protection Act 2018.
Overview of the Code
The Code explains the requirements of data protection law and guides organisations on sharing personal data responsibly. The Code is not a new law – it is a statutory Code of Practice issued under the authority of the Data Protection Act 2018 and, as such, does have some legal weight. The Data Sharing Code primarily addresses data sharing by controllers and offers guidance on sharing personal data fairly and lawfully.
Information Commissioner Elizabeth Denham said:
“We have written this Data Sharing Code to give individuals, businesses, and organisations the confidence to share data in a fair, safe, and transparent way in this changing landscape. This Code will guide practitioners through the practical steps they need to share data while protecting people’s privacy. We hope to dispel many of the misunderstandings about data sharing along the way.”
The Code contains optional good practice recommendations for organisations to help them adopt a practical approach to data protection compliance.
Not all recommendations are a legal requirement; however, it is important to note that the ICO will consider the Code when evaluating if an organisation has complied with its data protection requirements when sharing data. Also, the Code can be used in evidence in court proceedings, and the courts must take its provisions into account whenever relevant.
What happens if you don’t comply with the Code?
Not complying with the Code means that you could find it more challenging to validate that your data sharing is honest, lawful, and accountable and that it complies with either the UK or EU GDPR and the Data Protection Act 2018.
It also means that if you and your organisation breach this Code, the ICO and private individuals can take action against you.
The ICO has various tools at its disposal, including warnings, assessment notices, reprimands, enforcement notices, and administrative fines. It has the authority to issue penalties of up to £17.5 million or 4% of your annual worldwide turnover (whichever is higher) for the more serious breaches.
Who is the Code for?
The Code is mainly for organisations that act as data controllers and habitually share personal data, and for data protection officers (DPOs) and any other individuals within organisations who are responsible for data sharing matters.
The Code applies to public, private, and third sector organisations and all data sharing, regardless of scale and context.
Understanding the Code and implementing its practical recommendations will help give you confidence when collecting and sharing personal data. It will also help you identify what you need to consider before sharing personal data.
Why should you use the data sharing code?
Here are the benefits when you adopt the recommendations in the Code:
- You will have greater trust with those whose data you may want to share, e.g., the public and your customers.
- You will have a better understanding of whether and when it is appropriate to share your personal data.
- You will be confident that your organisation is sharing data lawfully, appropriately, and correctly.
- There is better protection for individuals whose data you are sharing.
- You will protect your organisation against potential Regulator or private legal action.
- You will be able to share data in a one-off situation or an emergency without feeling uncertain.
For details of the guide and how it applies to you, visit the ICO website.
Please get in touch with Griffin House Consultancy if you have any questions about the Code and how it may impact your organisation.