A data sharing code of practice has been placed before the House of Commons in the UK that provides guidance on how organisations should manage the information they collect and use.
“The code contains practical guidance on how to share data fairly and lawfully, and how to meet your accountability obligations,” said the Information Commissioner's Office, which issued the code. “It does not impose any additional barriers to data sharing, but will help you comply with your legal obligations under the UK GDPR and the Data Protection Act (DPA) 2018.”
The code was mandated under section 125 of the DPA 2018 and produced by the Information Commissioner's Office.
The data sharing code of practice also recommends best practice to help businesses in their approach to compliance. The guidance includes a number of case studies that illustrate key issues, such as obligations, fairness and transparency.
Companies may now need to comply with the European Union’s General Data Protection Regulation, the UK equivalent and the DPA 2018.
But the ICO also emphasised that data sharing should not just be seen as a risk. “For some organisations the perceived risks of getting it wrong – in the shape of reputational damage or enforcement action by the regulator – outweigh the benefits that can be gained from data sharing, leading to missed opportunities for innovation and improved public services,” it said.
It said there were a number of common misconceptions about data sharing, including:
Reality: This is mistaken. Data protection law does not prevent data sharing, as long as you approach it in a fair and proportionate way. If you were able to share data lawfully under the former data protection regime, it is likely that you are able to continue to do so now. While there are some differences, the new legislation helps you to ensure you are sharing data in a way that promotes trust and transparency.
Reality: Data sharing brings significant benefits to your organisation, to individuals and to society at large. Done well, it helps government, public, social sector and commercial organisations to deliver modern, more efficient services which better meet people’s needs and make their lives easier. It can also identify people at risk, help protect them from harm and address problems before they have a significant adverse impact.
Reality: Most data sharing does not rely on consent as the lawful basis. If you cannot offer a genuine choice, consent is not appropriate. Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.
Reality: You can share data in an emergency; you should do whatever is necessary and proportionate. Examples of an emergency situation are the risk of serious harm to human life, the protection of public health, or the protection of national security. Please see our section on this topic later in the code. Where possible you should plan ahead and put contingencies in place.