ICO urges public sector to "get to grips" with new data sharing code of practice

The Information Commissioner’s Office has published the final version of the statutory code of practice on data sharing by public sector bodies, businesses and other organisations such as the third sector.

The 58-page document covers a wide range of issues, including:

  • Who should use the code of practice, how it can help and its status
  • What the ICO means by ‘data sharing’, including ‘systematic’ data sharing, ad hoc or ‘one off’ data sharing, sharing with a data processor and sharing within organisations
  • Data sharing and the law
  • Factors to consider when deciding to share personal data, and conditions for processing
  • Fairness and transparency, including privacy notices, telling individuals about data sharing, who should tell an individual, and sharing without the individual’s knowledge
  • Security
  • Governance, including data sharing agreements, privacy impact assessments and data standards
  • Individuals’ rights, access to information, individuals’ objections, queries and complaints
  • Things to avoid
  • The ICO’s powers and penalties
  • Notification
  • Freedom of information
  • Data sharing agreements
  • Data sharing checklists, both for systematic data sharing and one-off requests.

In relation to the public sector, the code of practice points out that most organisations derive their powers entirely from statute – either from the Act of Parliament which set them up or from other legislation regulating their activities.

“Your starting point in deciding whether any data sharing initiative may proceed should be to identify the legislation that is relevant to your organisation,” the ICO says. “Even if this does not mention data sharing explicitly, and usually it will not do so, it is likely to lead you to the answer to this question.”

The code explains that it is necessary to identify where the data sharing in question would fit, “if at all”, into the range of things that the organisation is able to do.

It says that “broadly speaking”, there are three ways in which it may do so:

  • express obligations: “occasionally, a public body will be legally obliged to share particular information with a named organisation. This will only be the case in highly specific circumstances but, where such an obligation applies, it is clearly permissible to share the information”
  • express powers: these are often designed to permit disclosure of information for certain purposes, and
  • implied powers: the code of practice points out that often the legislation is silent on the issue of data sharing, and in these circumstances it may be possible to rely on an implied power to share information derived from the express provisions of the legislation. “This is because express statutory powers may be taken to authorise the organisation to do other things that are reasonably incidental to those which are expressly permitted. To decide if you can rely on an implied power, you will need to identify the activity to which the proposed data sharing would be ‘reasonably incidental’, and then check that the organisation has the power to engage in that activity.”

The code of practice adds: “Whatever the source of an organisation’s power to share information, you must check that the power covers the particular disclosure or data sharing arrangement in question – otherwise, you must not share the information unless, in the particular circumstances, there is an overriding public interest in a disclosure taking place.”

The code says this might be the case where an NHS Trust breaches a duty of confidentiality because a doctor believes that a patient has been involved in serious crime. “Whilst a disclosure in the public interest may be defensible in a particular case, this does not constitute a legal power to share data,” it adds.

The ICO said that the code of practice includes good practice advice that would be helpful to all organisations that share personal information – “for example when local authorities share information with the health service.”

The publication of the statutory code follows a consultation on a draft version in October 2010. The consultation led to the inclusion of more public and private sector case studies to explain in practical terms how the Data Protection Act applies to data sharing.

The ICO claimed that by following the code, organisations should find they have:

  • “a better understanding of when, whether, and how personal information should be shared;
  • improved trust and a better relationship with the people whose information they want to share;
  • reduced risk of the inappropriate or insecure sharing of personal data; and
  • minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.”

The Information Commissioner, Christopher Graham, said: “Few would argue that sharing data can play an important role in providing an efficient service to consumers in both the public and private sector… People now have an expectation that, where appropriate and necessary, their personal details may be shared.

“However, this does not mean that companies or public bodies can do this just as they see fit. The public rightly want to remain in control of who is using their information and why, and they need to feel confident that it is being kept safe.”

Graham urged all businesses and public bodies that share personal data “to get to grips with the code without delay so they can be sure they are getting it right”.

Philip Hoult

The code of practice can be downloaded here.