On 9 July 2019 the UK data protection authority (ICO) published an updated draft of its Data Sharing Code of Practice, first issued in 2011 (the Code). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation (GDPR), highlighting the importance of due diligence in the context of data sharing.
The Code, made under section 121 of the UK’s Data Protection Act (DPA), is publicly available for consultation until 9 September 2019. Once finalised, the Code will become a statutory code of practice under the DPA. Non-compliance with the Code will likely be considered non-compliance with data protection laws.
Scope of application and aim
Unlike the engagement of processors, which is subject to the prescriptive requirements of Article 28 GDPR, the GDPR is silent on the sharing of personal data between organisations that are each controllers (with the exception of the obligations that Article 26 GDPR sets out for joint controllership scenarios). Overall, the Code aims to provide practical guidance on how to share personal data between controllers (i.e. separate or joint controllers) in compliance with data protection law, and promotes good practice recommendations.
The Code mainly covers data sharing by private organisations subject to the GDPR and Part 2 of the DPA, but it also includes a specific section on data sharing under the Law Enforcement regime (Part 3 of the DPA).
Are data sharing agreements required under the GDPR?
According to the ICO, it is “good practice” to have a data sharing agreement in place between the controllers sharing and receiving data. A data sharing agreement helps the parties be clear about the purpose of the data sharing and covers what happens to the data at each stage. Crucially, such agreements also give controllers a tangible way to demonstrate their accountability framework under the GDPR. In other words, although the GDPR does not prescribe the use of data sharing agreements, the regulator clearly expects the parties involved in data sharing arrangements to have some contractual documentation in place as a way of evidencing their respective responsibilities.
What are the points a data sharing agreement should address?
There is no set format for a data sharing agreement, which can take a variety of forms depending on the scale and complexity of the processing. However, the ICO recommends that a data sharing agreement should cover a range of points, including:
- The purpose of the data sharing initiative;
- The organisations involved in the data sharing (explaining whether they would be acting as joint controllers, and adding the contact details for the Data Protection Officer and other key members of staff, as appropriate);
- The types of data the organisations intend to share (including special category/sensitive data);
- The lawful basis for sharing data;
- The procedures for compliance with individual rights, including a single point of contact so that individuals know how to action these rights;
- The main practical problems that may arise when sharing personal data; and
- Appendices or annexes including a summary of the key legislative provisions, a model form for seeking individuals’ consent for data sharing (where applicable) and a diagram to show how to decide whether to share data.
For joint controllers, the data sharing agreement may also serve to set out the respective responsibilities of the entities sharing the data, as required under Article 26 GDPR.
The final version of the Code will include examples of data sharing checklists and template data sharing request and decision forms.
Specific data sharing cases
The ICO provides some insight into specific data sharing cases. In particular, the ICO emphasises the importance of data sharing in the context of mergers and acquisitions, regarding it as a potential “priority.” Organisations should ensure they consider data sharing as part of their due diligence process and adhere to the governance and accountability requirements of the GDPR.
Similarly, due diligence is essential for data protection compliance when sharing personal data held in databases and lists (whether for profit or not), and this exercise should be undertaken by both the sharing and the recipient controller. Organisations should make appropriate enquiries and checks with respect to the data, including establishing its source and reviewing a copy of the privacy information given to individuals at the time the data was collected.
Final considerations before sharing data
The ICO states that when considering sharing data, organisations need to assess their overall compliance with data protection legislation. The ICO encourages undertaking a Data Protection Impact Assessment (DPIA), which it regards as good practice for any major project involving the disclosure of personal data, or any plan for routine data sharing, even where there is no specific indicator of likely high risk.
Finally, the ICO indicates that organisations must adhere to the key principles in data protection legislation when sharing data, in particular accountability (documenting all aspects of the data sharing) and data minimisation (ensuring it is reasonable and proportionate to share the data). In terms of security, the ICO notes that even once the data has been shared, organisations will be expected to take reasonable steps to ensure that it continues to be well protected.