On December 17, 2020 the Office of the UK Information Commissioner (‘ICO’) published its code of practice for data sharing (the ‘Code’), following a public consultation that began in 2019. The Code focuses mainly on the sharing of data between data controllers subject to the GDPR and the UK Data Protection Act (DPA) 2018. Controllers within the reach of the ICO’s enforcement powers should consult the Code when disclosing personal data, as it will help them meet their data protection obligations. Because of the detailed way in which the Code treats data sharing under the GDPR, it will also be of considerable interest to data controllers in the EU and beyond – even after the end of the Brexit transition period.
Examples of some of the key issues addressed in the Code are:
- Data Protection Impact Assessments (DPIAs) – When controllers are considering sharing personal information, the Code recommends that “the first step is to conduct a Data Protection Impact Assessment (DPIA), even if you are not legally required to do so”. Although a DPIA is only mandatory when the data sharing is likely to result in a high risk to individuals, the ICO believes that in a data sharing scenario it is “an invaluable tool for you to assess the risks of your proposed data sharing and work out how those risks can be reduced”.
- Data sharing agreements – The Code notes that it is good practice to have a data sharing agreement and stresses that the ICO “takes into account the existence of a relevant data sharing agreement when assessing complaints we receive about your data sharing”. The Code details the main points that a data sharing agreement should address. Examples include:
- Information on the purpose of the data sharing initiative (which should be documented “precisely”);
- Procedures for compliance with the rights of the data subject; and
- Data governance arrangements: the data sharing agreement should address the main practical issues that can arise when sharing personal data, such as ensuring common rules for the retention and deletion of shared data.
The Code also describes a number of annexes that are “likely to help”, such as (i) a model form for obtaining consent from individuals to share data, where consent is the lawful basis; and (ii) a flowchart for deciding whether to share personal data.
- Responsibilities after disclosing personal data – A section on “Security” in the Code explains that the data controller receiving personal data assumes its own responsibility for that data. Nevertheless, the disclosing data controller should “continue to take reasonable steps to ensure that the data you share is still protected with reasonable security”. For example, the Code states that the disclosing data controller should (i) ensure that the receiving data controller understands the nature and sensitivity of the information; (ii) take reasonable steps to ensure that security measures are in place; and (iii) resolve any difficulties before the personal data is disclosed where the receiving data controller has different security standards, different IT systems and procedures, or different protective marking systems.
- The impact of data sharing on obligations relating to the rights of the data subject – For example, the Code states that (i) controllers “must have policies and procedures in place that enable individuals to easily exercise their rights, and […] must explain this in [the] data sharing agreement”; and (ii) it is good practice for a data sharing agreement to give individuals a single point of contact through which they can exercise their rights over their personal data without having to make multiple requests to multiple organizations.
- Responsibilities of controllers receiving databases or lists of personal data – The Code states that when a data controller receives such a database or list, it is that receiving controller’s responsibility to ensure the integrity of the personal data provided. The receiving data controller should make appropriate enquiries and checks, including for example: (i) confirming the source of the personal data; (ii) identifying the lawful basis on which it was obtained and confirming that all conditions attached to that lawful basis have been met; and (iii) reviewing a copy of the privacy information provided to the data subjects at the time the personal data was collected.
You can find the Code here. The ICO laid the Code before the UK Foreign Secretary on December 17th, 2020. The Foreign Secretary will lay the Code before Parliament for a 40-day approval period. If no objections are raised, it comes into force 21 days later.
Alongside the release of the Code, the ICO launched a “data sharing hub” containing further resources, such as a page on the basics of data sharing and a page that dispels myths about data sharing.