In-depth: Staying on the right side of the ICO

Are you a business that holds personal information on staff or customers? If so, you need to be aware of a new Code of Practice recently published by the Information Commissioner's Office which offers guidelines on when data can be shared and how it should be protected, writes Liz Fitzsimons.

Are you a business that holds personal information on staff or customers? If so, you need to be aware of a new Code of Practice recently published by the Information Commissioner's Office which offers guidelines on when data can be shared and how it should be protected, writes Liz Fitzsimons.

The Code also includes information on data sharing laws, advice on remaining transparent and avoiding common mistakes, and a summary checklist that can be used as a quick reference guide to sharing information.

The Code is published under s52 of the Data Protection Act 1998 and although it is not legally binding, it does add detail and guidance around how to interpret the 'bare minimum requirements' of the DPA in this area. The approach suggested by the Code is therefore recommended practice but, if not followed, data controllers  - you, your business or someone controlling information on your behalf - are likely to face criticism and harsher sanctions if any DPA breach is considered by the ICO or the courts.

The Code follows a public consultation exercise and although previous data sharing advice focused on the public sector and more regular data flows, this Code is relevant to all data controllers including those in the private sector. It covers not only regular or permanent data sharing but also one-off instances of data sharing such as single third party requests and disclosures. The Code is designed to facilitate data sharing but also to ensure that such disclosures comply with the DPA. By following the Code, the ICO believes that organisations will demonstrate to their customers and the public that they are following best practice and are taking measures to reduce the risk of personal data being disclosed inappropriately.

When does the Code apply?
The Code applies to the sharing of personal data between 'data controllers'. Data controllers are organisations that are in control of personal data and decide on the purposes and the manner in which it will be used. Data controllers may share personal data with other organisations who act as their data processors. Data processors only hold personal data on behalf of the data controller, not in their own right, and can only use the personal data in accordance with instructions imposed on them by the data controller. Disclosures from data controllers to data processors are not covered by the Code and are regulated separately under the DPA.

Examples of when the Code will apply include when an on line provider wants to disclose personal data about an employee to an anti-fraud body, or when a retail group shares customer details in a pool, or when personal details are shared in the context of a proposed merger or acquisition say under TUPE. In these cases both the recipient and the provider of the personal information are data controllers as they are both making decisions regarding how that personal information will be used and are 'controlling' the data.

There are no special rules that apply more limited requirements to data sharing within corporate groups or between joint venture parties. The Code sits alongside existing ICO requirements for data sharing, such as the need to conduct a privacy impact assessment.

What data can be shared?
Generally, information can be shared provided this does not breach the DPA or other applicable laws. According to the Code, organisations should consider whether they are justified in sharing information in the first place. Data controllers should weigh up the benefits and risks (to both individuals and society) of sharing data against the likely results of not sharing the data. You must be able to demonstrate that you have clear reasons for sharing data and a clear objective on what sharing data will achieve. If only certain pieces of data need to be shared in order to achieve these objectives then sharing all of the information that you hold will not be necessary.

Special rules will apply to sensitive personal data, such as on health, or confidential information, or other details the disclosure of which would be likely to cause damage or distress. Explicit consent to disclosure may be required in such cases. Where sharing personal information may involve it being sent to or viewed from outside the European Economic Area, special rules on data transfers will also have to be met.

Informing Individuals
When sharing personal information, such use must be 'fair' by law in that the individual concerned should reasonably expect it. It is therefore good practice to provide a privacy notice to such individuals which as a minimum states the name and details of the relevant data controller, why they are going to share the data, what data is involved and who they are going to share the data with. The organisation may not be able to demonstrate that data sharing is fair without such a document being used. You should normally provide a privacy notice when you first collect a person's personal data. If you have already collected their personal data, then you need to provide them with the information above as soon as you decide that you are going to share their data or as soon as possible afterwards.

Organisations involved in data sharing should work together to ensure that the individuals concerned know who has, or will have, their data and what it is being used for, or will be used for. The responsibility for doing this falls to the organisation that collected the data initially. However, it is good practice for all organisations involved to ensure that, throughout the data sharing process, individuals remain aware of who has their personal data and what it is being used for.

In some cases, organisations may be exempt from ensuring the disclosure is 'fair', such as where the police request details for an investigation and informing the individual concerned would be likely to prejudice their investigation.

Lawful data sharing
Disclosure of personal data, which is at the heart of all data sharing, is a form of processing and must be lawful by in all cases by meeting a condition under Schedule 2 DPA. If sensitive personal data is involved, it also needs to meet a condition under Schedule 3 DPA. This obligation applies to all data controllers and so affects the data controller disclosing the details and the data controller receiving the details.

In most cases, it will be essential to consider whether the legitimate interests of the disclosing party and/or receiving party could be achieved other than by the proposed data sharing. Where it cannot there must be no unwarranted prejudice to the rights, freedoms and interests of the affected individuals. The use of data in relation to data sharing must also always comply with the data protection principles, which all data controllers are legally bound to comply with under the DPA.

Practical Issues
It is good practice to have a data sharing agreement in place that includes a common set of rules to be adopted by the various organisations involved in a data sharing operation. It should be reviewed regularly, particularly where information is to be shared on a large scale, or on a regular basis.

The data sharing agreement should cover issues such as the purpose of sharing data, data quality, data security, retention of data, procedures for dealing with access requests, queries and complaints and sanctions for failing to comply with the agreement. The data sharing arrangement should also address practical problems such as defining which data sets can be shared, ensuring appropriate security measures and safeguards are in place and conducting a sampling exercise periodically to make sure information stored is accurate. When sharing information, organisations should also record what information was shared and for what purpose, who it was shared with, when it was shared, the justification for sharing and whether the information was shared with or without consent.

Data controllers must also check whether their notification with the ICO is affected by data sharing arrangements. If your notification becomes inaccurate or incomplete because you are sharing data on a basis not listed in your notification, you must inform the Information Commissioner as soon as possible (within 28 days) or you will commit a criminal offence.

Liz Fitzsimons is a Senior Associate at Eversheds.

Read more on Data Protection Services