ICO consults on draft data sharing code

The ICO encourages organisations to draft data sharing agreements as best practice, its draft data sharing code says. There is no set format for a data sharing agreement. It can take a variety of forms, depending on the scale and complexity of the processing, the ICO says.

“The updated draft code of practice will explain and advise on changes to data protection legislation where these changes are relevant to data sharing. It will address many aspects of the new legislation including transparency, lawful bases for processing, the new accountability principle and the requirement to record processing activities,” the ICO says.

The code discusses legitimate basis, transparency, security and accountability when sharing personal data, as well as individual rights. Under Article 14 of the GDPR, organisations must provide privacy information to individuals whose data has been shared with an organisation “within a reasonable period after obtaining the personal data, but at the latest within one month.”

Where several organisations are sharing data, they should make clear in the privacy information they provide how individuals can get in touch with the organisation. It is good practice to provide a single point of contact for individuals to avoid multiple requests, the ICO says. However, individuals may address their complaint against any controller.

There is a short section about data sharing in mergers and acquisitions, and how to share children’s data safely. The code also mentions the concept of ‘data trusts’. In the UK, the Open Data Institute will work on pilot projects on these legal structures that will provide independent third-party stewardship of data.

The revision of the data sharing code is required by the Data Protection Act 2018. The draft code is open for consultation until 9 September 2019.