On December 17, 2020, the Information Commissioner's Office (ICO) published its new data sharing code of practice (the "Code"), a practical guide for organizations on sharing personal data in accordance with the Data Protection Act 2018 and the UK GDPR. The Code replaces the ICO's previous data sharing code, which was published in 2011 under the Data Protection Act 1998. Note that the Code applies only to the sharing of personal data between controllers (including joint controllers); transfers of data to processors, or sharing within a single organization, fall outside its scope. Annex C of the Code contains useful case studies of organizations that share personal data, and there is a handy checklist that summarizes the key steps organizations should take when setting up a data sharing arrangement.

The ICO recognizes that sharing data has benefits for society as a whole and that it can sometimes be more harmful not to share data than to share it. The role of data sharing during the pandemic, in enabling Test and Trace and helping to protect vulnerable patients, is a case in point. In this context, the ICO states that the law is an enabler of responsible data sharing rather than a barrier to it, and it dispels some of the myths that currently circulate (for example, that data can only be shared with the consent of the data subjects). The Code is intended to help organizations weigh the risks and benefits of sharing data and to carry out that sharing in a fair, transparent and proportionate manner.

In this article, we explain the key takeaways from the Code. In our view, the Code largely formalizes the practices we already see and apply when advising on data sharing agreements and requirements, and adds little that is unusual or new.

1. Data protection principles

As with any other processing activity, organizations must comply with the data protection principles of the General Data Protection Regulation (GDPR) when sharing personal data. The Code explains in detail how these principles apply to data sharing. For example, organizations need to consider how they will demonstrate that their data sharing complies with the GDPR (the "accountability principle"), how they will ensure that data is shared securely (the "security principle"), and how they will ensure that individuals know what happens to their data (the "transparency principle").

2. Data Protection Impact Assessments (DPIAs) and Data Sharing Agreements (DSAs)

DPIA

Organizations must carry out a data protection impact assessment ("DPIA") before sharing data where the sharing is "likely to result in a high risk to individuals". This is typically triggered where, for example, the processing involves innovative technologies, large-scale profiling of individuals, the processing of biometric data, data matching, or the combining of records from different sources.

Even where a DPIA is not legally required, the Code recommends that organizations carry one out anyway, particularly where the data sharing forms part of a major project or is to take place on a routine basis. A DPIA helps organizations identify risks and assess the proportionality of the proposed sharing, and it promotes data subjects' confidence in how the organizations handle their data.

DSA

The Code states that a data sharing agreement ("DSA") between the parties sharing data can be an important part of demonstrating GDPR accountability, although a DSA is not legally required. A DSA can help organizations justify the sharing by showing that the relevant issues have been considered and documented. The Code as a whole provides a framework for complying with the data protection principles, and it sets out in detail the types of information a DSA should contain.

While a DSA does not provide immunity from breaches of the law, the ICO will take the existence of a relevant DSA into account when assessing any complaints it receives about an organization's data sharing activities.

3. Data sharing in the context of a merger or reorganization

The Code sets out a number of action points that organizations should consider when sharing data as part of a merger, acquisition or change in organizational structure, since in each of these cases personal data is transferred to another organization. For example, organizations should follow the general rules on data sharing set out in the Code and comply with the GDPR principles, obtain technical advice before sharing data held on different systems, and consider when and how data subjects will be informed of what is happening. This section is likely a response to the growing value attributed to data as a significant business asset.

4. Transfers of databases and lists

Organizations also trade in data outside the context of mergers and acquisitions. The transfer of databases or lists of individuals by organizations such as data brokers or marketing agencies is a form of data sharing, whether it is done for money or for other reasons, and whether or not for profit. The Code states that organizations receiving such data must make appropriate enquiries and carry out checks to satisfy themselves that the databases or lists they receive were shared in accordance with data protection law, and that they can respond to any complaints. These action points include confirming the source of the data, reviewing the privacy notice that was provided to the individuals concerned, and ensuring that the data received is not excessive or irrelevant. The Code adds that it is good practice to have a written contract with the organization providing the data.

5. Data sharing in an emergency

In a chapter clearly influenced by the pandemic, the Code states that in an emergency organizations should share data where it is necessary and proportionate to do so. Examples of emergency situations include preventing serious physical harm to a person and protecting public health. The Code specifically refers to recent tragedies such as the Grenfell Tower fire, the terrorist attacks in London and Manchester, and the coronavirus pandemic as examples of situations in which urgent or rapid data sharing can make a real difference to public health and safety. In such situations it can be more harmful not to share data than to share it, so organizations should also consider the risks of not disclosing data.

In line with the accountability principle, organizations should document their assessment of any urgent data sharing they carry out. If it is not possible to create a written record at the time of the sharing, the record should be made as soon as possible afterwards.