UK Data Protection Agency Issues New Guidelines for Data Sharing

July 25, 2019

The United Kingdom’s Information Commissioner’s Office (ICO) has issued, for public consultation, draft guidelines for data sharing that, once adopted, will govern all controller-to-controller data sharing agreements subject to the UK Data Protection Act (this covers UK companies as well as companies that provide products and services to individuals in the UK).

Controller-to-controller data sharing occurs when you share information with a third party that has its own purposes for using the information. Examples are assessed case by case but can include two universities sharing student information, a company sharing information with an advertising provider, health organizations sharing information with each other, or a school providing information about students to a research organization.

Here are two big reasons to take the draft ICO Data Sharing Code of Practice seriously:

  • Failure to comply with the guidance in this code may make it more difficult to demonstrate that your data sharing is fair, lawful, accountable and compliant with the GDPR.
  • If you process personal data in breach of this code and it results in a breach of the GDPR (or the UK Data Protection Act), the ICO can take action against you.

Below are some key takeaways from the very detailed Code of Practice, organized by topic:

Data Sharing Generally

  • Data sharing means giving personal data to a third party, by whatever means, including when you give a third party access to personal data on or via your Information Technology (IT) systems.
  • In “data pooling” (data sharing in which organizations decide together to pool information they hold and make it available to each other or to a third organization), the organizations involved are considered “joint controllers” under Article 26 of the GDPR.
  • When considering sharing data, you must assess your overall compliance with the data protection legislation. Consider conducting a Data Protection Impact Assessment (DPIA) even if not required.
  • The ICO deems a DPIA to be mandatory for:
    • data matching
    • invisible processing (there is more detail on this in the ICO’s DPIA guidance)
    • processing records where there is a risk of harm to individuals in the event of a data breach, such as whistleblowing or social care records

Deciding to Share Data

When sharing data, ask yourself:

  • What is the sharing meant to achieve?
    • Document the objective in the data sharing agreement.
  • What information do we need to share?
    • You should only share the specific personal data needed to achieve your objectives.
  • Could we achieve the objective without sharing the data or by anonymizing it?
    • If you can reasonably achieve the objective in another less intrusive way (such as sharing anonymized data) you should not process the personal data.
  • What risks does the data sharing pose to individuals?
    • Consider, for example, if any individual is likely to be harmed by it in any way, including physically, emotionally, economically or socially.
    • Is any individual likely to object?
    • Could it undermine individuals’ trust in the organizations that keep records about them?
  • Is it right to share data in this way?
    • Consider the potential benefits and risks, to both society and individuals, of sharing the data. Where appropriate, ethics should form a part of those considerations.
  • What would happen if we did not share the data?
  • Are we allowed to share the information?
    • Check whether there is any statutory bar or other restriction on sharing the data.
  • Who requires access to the shared personal data?
    • Apply “need to know” principles: share data only to the extent that doing so is proportionate, and consider any restrictions you may need to impose on the onward sharing of the data with third parties.
  • When should we share it?
  • How should we share it?
    • What are the processes for sharing the data? This must include security considerations and procedures around the transmission of data, and access to it by all those involved.
  • How can we check if the sharing is achieving its objectives?
  • Do we need to review the DPIA?

Data Sharing Agreements

  • It is good practice to have a data sharing agreement. It sets out the purpose of the data sharing, covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles. It helps you to demonstrate your accountability under the GDPR.
  • There is no set format for a data sharing agreement. It can take a variety of forms, depending on the scale and complexity of the data sharing in question. Address the following questions in your data sharing agreement:
    • What is the purpose of the data sharing initiative? Your agreement should explain:
      • why the data sharing initiative is necessary
      • the specific aims you have
      • the benefits you hope to bring to individuals or to wider society, documented in precise terms
    • Which other organizations will be involved in the data sharing?
      • Include contact details for their Data Protection Officers (DPO) and other key members of staff.
      • Address procedures for including additional organizations in the data sharing arrangement and for dealing with cases in which an organization needs to be excluded from the sharing.
    • Are you sharing data along with another controller?
      • Follow the requirements of Article 26.
      • Under the transparency requirements of the GDPR you must make the essence of the agreement available to individual data subjects, preferably in the privacy information you give to them.
    • What data items are you going to share? This may need to be quite detailed. In some cases it may be appropriate to attach “permissions” to certain data items so that only certain staff members are allowed to access them, for example, those who have received appropriate training.
    • What is your lawful basis for sharing?
      • You need to explain clearly your lawful basis for sharing data.
      • If you are using consent as a lawful basis for disclosure, then your agreement could provide a model consent form.
      • You should also address issues surrounding the withholding or retraction of consent.
    • Is there any special category data or sensitive data?
      • Document the relevant conditions for processing, as appropriate under the GDPR or the DPA.
    • What about access and individual rights?
      • Set out procedures for compliance with individual rights.
      • Make it clear that all controllers remain responsible for compliance even if you have processes setting out who should carry out particular tasks.
      • Ensure that one staff member (generally a DPO) or one organization takes overall responsibility for ensuring that individuals can easily gain access to all of the shared data, even though individuals may choose to contact any of the controllers.
    • What information governance arrangements should we have?
      • Your agreement should also deal with the main practical problems that may arise when sharing personal data. This should ensure that all organizations involved in the sharing:
        • have detailed advice about which datasets they can share, to prevent irrelevant or excessive information being disclosed
        • make sure that the data they are sharing is accurate, for example by requiring a periodic sampling exercise
        • are using compatible datasets and are recording data in the same way. (The agreement could include examples showing how particular data items should be recorded, for example, dates of birth.)
        • have common rules for the retention and deletion of shared data items and procedures for dealing with cases where different organizations may have different statutory or professional retention or deletion rules
        • have common technical and organizational security arrangements, including the transmission of the data and procedures for dealing with any breach of the agreement
        • have procedures for dealing with access requests, complaints or queries from members of the public
        • have a time frame for assessing the ongoing effectiveness of the data sharing initiative and the agreement that governs it
        • have procedures for dealing with the termination of the data sharing initiative, including the deletion of shared data or its return to the organization that supplied it originally
    • What further details should you include? Consider:
      • a summary of the key legislative provisions, for example, relevant sections of the law, any legislation which provides your legal power for data sharing and links to any authoritative professional guidance
      • a model form for seeking individuals’ consent for data sharing
      • a diagram to show how to decide whether to share data
      • a data sharing request form and data sharing decision form
  • You should review your data sharing agreement on a regular basis because changes in circumstances or the rationale for the data sharing may arise at any point.

Up next, I’ll drill down to unpack the ICO’s guidance as it relates to individual rights, security, mergers and acquisitions, and more.

Odia Kagan is a Partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of GDPR compliance issues, including data sharing, contact Odia at [email protected] or 215.444.7313.
