

29-06-2011 05:38 by Mandy Webster
Following the review of data sharing in the public sector in 2008, the Information Commissioner was tasked by the government to produce a code of practice on data sharing. The Data Sharing Code of Practice was published by the ICO in May 2011 and it applies to organisations in both the public and private sector. The Code is stated to be the ICO’s interpretation of data protection law in the context of sharing personal data. It is not intended to impose any additional legal obligations on organisations but it could be used as evidence of good practice in legal proceedings.
Data sharing is both reciprocal exchanges of data and providing data to a third party. It can also involve pooling information with other organisations. Data sharing might be undertaken on exceptional, one-off situations, for example in an emergency, or it might be a continuing relationship.
The ICO does not rule out data sharing taking place between different parts of the same organisation. For example, in a local authority, personal data relating to a given data subject might be held by the electoral officer for the purposes of registration on the electoral roll and by the housing department in relation to the tenancy of a council-owned property. As the two relationships with the data subject are distinct and separate, any data sharing between the two departments (for example, in a data matching exercise) must comply with data protection law. In the private sector, data sharing within an organisation might take place, for example, in a financial services company. This could arise where an insurance company provides both motor and household insurance: customers may hold both types of policy, but the policy records would be kept separately, and any disclosure of data between the motor and household policy departments would constitute data sharing.
The first step for compliant data sharing is to determine the legality of the proposal and the organisation’s authority to pursue it. This means considering the statutory or other authority of public bodies to undertake activities. Private companies are advised to check industry specific regulation or guidance and company formation documents.
The Human Rights Act 1998 may also apply, primarily to the activities of public bodies but also potentially to the activities of private organisations that carry out functions of a public nature. The Act applies to protect individuals from interference by a public authority with the right to privacy of home, family life and correspondence. Exceptions exist around national security, public safety or the economic well-being of the country, also for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
The ICO guidance lists those factors which should be considered before entering into a data sharing arrangement. To help identify data protection issues, the use of Privacy Impact Assessments is recommended. The ICO suggests organisations consider:
• What the sharing is meant to achieve.
• What information needs to be shared.
• Who requires access to the shared personal data.
• When it should be shared.
• How it should be shared.
• What checks can be carried out to ensure the data sharing is achieving its objectives.
• The risks posed by the data sharing.
• Whether the objectives could be achieved without sharing the data, or by disclosing only anonymised data.
• Whether the organisation will have to amend its data protection notification.
• Whether any of the data will be transferred outside the EEA.
In a data sharing context the ICO states that the Privacy Notice should include:
• The identity of the organisation
• The reasons why personal data is to be shared
• The identity of other organisations with whom personal data will be shared, either individually named organisations or types of organisation
In particular, the attention of data subjects should be drawn to data sharing involving
• sharing sensitive personal data
• data sharing that is likely to be unexpected or objectionable
• data sharing that may have a significant effect on the individual
• data sharing that is particularly widespread
• data sharing that is being carried out for a range of different purposes
The ICO recommends that organisations enter into data sharing agreements or protocols with regular correspondents. A data sharing agreement should outline the following:
• the purpose of data sharing
• potential recipients or types of recipient of the personal data and the circumstances in which they will have access
• a description of the personal data to be shared
• provisions around data quality
• data security requirements
• how long shared data should be retained
• how individuals' rights will be met
• provision for a review of the effectiveness of the data sharing arrangements
• sanctions for failure to comply with the agreement
Organisations should review their policies and procedures around data sharing in the light of this new Code of Practice and undertake an audit to ensure that all data sharing activities have been identified and are regulated appropriately.