The UK Information Commissioner's Office ("ICO") proposed a draft statutory code of practice on data sharing. Comments on the draft code must be submitted by September 9, 2019.
The draft code, along with other ICO guidance, includes an outline of how organizations should handle personal data-sharing practices, such as when a third party is given access to such data. The draft code also includes guidance on risk management processes, best practices and misconceptions about data sharing.
In the draft code, the ICO states that organizations are required to:
Additionally, the proposed code would require organizations to put a data-sharing agreement in place to help demonstrate accountability under the GDPR. The ICO states that a data-sharing agreement must set out policies and procedures to ensure that "data subjects" (i.e., the individuals to whom the shared data relates) are able to "exercise their individual rights with ease."
The ICO notes that, while most data sharing falls under Part 2 of the Data Protection Act 2018 ("DPA") ("General Processing"), data sharing by a "competent authority" is subject to Part 3 of the DPA ("Law Enforcement Processing"), which has a separate framework. According to the ICO, a "competent authority" is an entity that either (i) is listed in Schedule 7 of the DPA or (ii) "exercise[s] public authority or public powers for law enforcement purposes."
The ICO also clarified a few misconceptions, saying that:
data protection does not prevent data sharing but seeks to balance the risks and benefits of data sharing if it is either (i) "in the public interest" or (ii) "proportionate, in the case of sharing for commercial reasons";