The ICO published a new Data Sharing Code of Practice yesterday (17th December 2020). It is a welcome Christmas present, as we have been without an up-to-date Data Sharing Code since the GDPR came into force in May 2018. This Code is a statutory one, and the ICO says it will use the Code in its work to assess the compliance of controllers through its audit programme and other activities. It also says it will take the Code into account when considering whether an organisation has complied with the GDPR or DPA 2018, particularly when considering questions of fairness, lawfulness, transparency and accountability.

The new Code stresses the importance of the Accountability Principle in making data sharing decisions. There is also a heavy emphasis on doing DPIAs (Data Protection Impact Assessments) as a matter of good practice even where they are not legally required. This has been the direction of travel for some time and is logical given the need to show accountability. The Code reinforces this to such an extent that it would appear unwise to proceed with any planned data sharing without a DPIA, except in cases where there is obviously very little risk to individuals.

Data sharing agreements are covered in some detail in the new Code, with helpful guidance as to what they should contain. A data sharing agreement is not actually a legal requirement except in a joint controller situation, but the ICO says, ‘A data sharing agreement between the parties sending and receiving data can form a major part of your compliance with the accountability principle, although it is not mandatory’. In practice, the ICO expects to see such agreements in place for any routine data sharing arrangements and this is already clear in the ICO audit outcomes which I have seen.

Most of what the Code does is to help an organisation go through the necessary procedural steps to share personal data in a compliant fashion. There are no easy shortcuts or magic answers here though, and the Code amounts to more of a ‘How to’ guide than an answer booklet.

One final point of note is that the Code contains a page and a half of information on due diligence and data sharing in mergers and acquisitions. The previous code had just a short paragraph. This reflects a growing focus on data rights in this situation. I have been plugging the importance of early consideration of data issues in such situations for some time, as I think they are often overlooked entirely or only raised late in the transaction. There have been ICO fines that came about because of failures in due diligence on an acquisition, e.g. Marriott Hotels. The European Data Protection Board has also pointed out the need to consider the privacy implications of mergers through its statement earlier this year. This Code provides a clear bullet-pointed list of what needs to be covered in such a situation.