A fair share

July 7, 2011

Data sharing with external partners can be a real minefield. Ibrahim Hasan and Tim Turner look at whether the ICO's new statutory code of practice will help.

In May the Information Commissioner published a new statutory code of practice on data sharing. The Code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data both within and outside an organisation. It aims to provide practical advice to the public, private and third sectors, and covers systematic data sharing arrangements as well as one off requests for information.

For years, data sharing has been the most common bugbear of anyone working within an organisation which processes large amounts of personal data. The DPA is often perceived as a barrier to data sharing despite offering a range of justifications (e.g. consent, legal obligation, protecting vital interests etc. (Schedule 2)).

Local authorities, in particular, have often encountered great difficulties in deciding on the legalities of sharing personal data with external partners even if it is for very good reasons (e.g. child protection or crime prevention). Sometimes their well-meaning data sharing has been criticised by the courts. In the recent case of H & L v A City Council [2011] the Court of Appeal ruled that a local authority’s decision to disclose details of an individual’s criminal conviction for a child sex offence was unlawful and in breach of Article 8 of the European Convention on Human Rights (the right to respect for private and family life) (see an earlier article on Local Government Lawyer: Good Intentions). In some cases, even internal departments have felt constrained from updating each other about a change of a service user’s address.

Many attempts have been made to resolve the perceived problem. As far back as 1999, the Cabinet Office’s report on “Privacy and Data Sharing” tried to tackle the issue. Since then, there have been many government backed guidance documents, proposed changes to the law and initiatives from the Information Commissioner. In one sense at least, this new code is different. By using his powers to issue a statutory code of practice (alongside existing codes covering employment, CCTV, and fair processing), the Commissioner is clearly highlighting data sharing as an issue of great importance. Under Section 52 of the DPA the Code can be used as evidence in any legal proceedings and can be taken into account by the courts and the Commissioner himself when considering any issue.

The Code is arranged into fifteen sections, ranging from the legal basis for data sharing, to the importance of transparency with data subjects and the vital issue of security. Much of the Commissioner’s enforcement activity in recent years has been focussed on breaches of security. The weakest link in any security framework is when data is moved or shared, a fact the Code reinforces. The Commissioner also emphasises the need to be aware that data subjects can exercise their right of access to their personal data, and can demand to know what data has been shared, where it came from, and whom it has been given to.

A very practical benefit of the new Code comes at the end of the main text. For organisations wanting to make it easier to make their case for a disclosure, two helpful templates are provided. The one designed for a disclosure request, especially if used unchanged, will be a useful tool. Using this form will mean that anyone receiving a request for data will have all the facts they need to make a decision about whether to share. The requestor will have the benefit of the Commissioner’s stamp of approval on the format of their request. The other template sets out the factors the organisation whose data is sought needs to consider (and record) when deciding whether to provide the requested data. Rather than toiling through endless redrafts of an information sharing protocol that front line staff will never see, information sharing partners who agree to do no more than use these two forms will inevitably find sharing decisions easier to make.

In addition to the forms, two checklists are provided which outline the main questions that must be considered before carrying out either routine or ad hoc information sharing. These summarise intelligently the fulsome detail of the code.

The rest of the Code is useful but not revolutionary. The reader who has never tussled with a disclosure request or information sharing protocol before, will find all of the issues intelligently rehearsed at some length. Is the disclosure affected by Human Rights or confidentiality considerations? Is the method of sharing being proposed secure and efficient? The Code emphasises the need for a clearly defined purpose for the sharing, a justification for each element of information that is requested, and for appropriate assurances to be provided about how information will be used once obtained.

Adopting the good practice recommendations in the Code will help organisations to collect and share personal data in a way that complies with the law, is fair, transparent and in line with the rights and expectations of the data subjects. However, anyone hoping that this new code will prove to be the data sharing “Holy Grail” will be disappointed. The Commissioner gives the game away in his introduction by stating:

“This code of practice is inevitably written in general terms, providing a framework for organisations to make good quality decisions about data sharing. The code cannot provide detailed advice relevant to every situation in which data sharing takes place.”

There is no definitive “do this and everything will be fine” section in the Code. It stays safely on the fence for most of the time. It suggests but does not dictate. It contains options and checklists that will greatly assist anyone who already understands the issues, but will not get the sceptics over any of their psychological hurdles. Anyone who has ever phoned the Information Commissioner’s helpline to receive a helpful answer that nevertheless boils down to “it depends” will find that same spirit permeates through this document.

Someone ultimately has to make the decision to weigh up all the relevant factors outlined in the Code and decide whether or not to share the data. That person, when faced with a document that does not (and cannot) provide a clear cut answer, will often decide to opt for “the safer option” which is to not share the data.

The Information Commissioner’s Data Sharing Code of Practice will provide local authority lawyers and data protection officers with useful additional guidance. However for anyone who starts from the proposition that data sharing is complicated, it does little to shake them from that conviction.

Ibrahim Hasan and Tim Turner are trainers with Act Now Training. They specialise in information and surveillance law (www.actnow.org.uk).