Data sharing fit for the GDPR age: ICO drafts new code

The data protection regulator said establishing controller-controller data sharing agreements can help the companies concerned demonstrate their compliance with the General Data Protection Regulation (GDPR).

Data protection law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law, said the guidance provided by the ICO, set out in a new draft code of practice on data sharing, offers welcome clarity.

Wynn said: "Since GDPR has applied in the UK, there has been a lot of confusion around the need for a contract for controller-to-controller data sharing between two independent controllers, as opposed to two joint controllers, and, if there is, whether there are mandatory contractual provisions that must be included in that contract. This is essentially because for data sharing between two independent controllers, the GDPR does not contain any specific requirements around what must be put in place, as it does for controller-processor and joint controller relationships."

"However, the ICO's draft code makes it clear that it is good practice to put in place a data sharing agreement between controllers and flags that this will also support the controller to demonstrate compliance with the GDPR’s accountability principle," she said.

The ICO said that a data sharing agreement "helps all the parties to be clear about their respective roles; sets out the purpose of the data sharing; covers what is to happen to the data at each stage; and sets standards". The agreement does not have to be in any particular format, but it should be drafted in "clear, concise language that is easy to understand", it said.

"[The data sharing agreement] should help you to justify your data sharing and to demonstrate that you have been mindful of, and have documented, the relevant compliance issues," the ICO said in its draft code.

Wynn said that the ICO's new draft code takes account of some of the more prescriptive requirements of the GDPR.

"The new code reaffirms the importance of carrying out a data protection impact assessment, it looks at the importance of consideration of privacy by design, reminds controllers that they will need to update records of processing activities to reflect the data sharing, and considers the role of the data protection officer in the decisions around, and monitoring of, the data sharing," Wynn said.

While the code takes a more comprehensive view of data sharing, looking at a variety of use cases, including data sharing in a mergers and acquisitions, on the sale or purchase of a database and use of data trusts, Wynn said specific examples cited by the ICO in its paper are "disappointingly high level". However, she said the code contains some helpful "myth busters" that should help address "the sense of paralysis" that has hindered organisations looking at new technologies for data sharing since the GDPR took effect.

“On mergers and acquisitions, the code clearly sets out the ICO’s expectations around compliance with the GDPR’s governance and accountability requirements. In particular, the code flags that, post completion, organisations must check data accuracy, keep an audit trail of data use – including updating their record of processing activity, adhere to data retention policies and ensure that appropriate security is in place. The guidance on security comes after the ICO recently criticised the Marriott hotels group over the levels of due diligence applied to its acquisition of the Starwood business after its investigation found that millions of hotel guests' personal data had been compromised following a hack on a Starwood database," she said.

"On the purchase and sale of databases, the code provides a useful checklist of points to consider, such as identifying the lawful basis on which the data was obtained and checking what the individuals were told at the time of handing over their data," Wynn said. "On data trusts, while this is very high level, the code does underline the importance of bearing in mind ethical factors, in addition to the GDPR principles of fairness, transparency and proportionality."

Wynn said that the ICO's draft code also provides businesses with guidance on controller liability once personal data has been shared.

"The code is helpful in clarifying the position around the disclosing controller’s responsibility once the data has been disclosed to the recipient controller," Wynn said. "The code makes clear that the recipient controller will take on its own legal responsibility for the personal data when it is shared with it, but that the disclosing controller should still take reasonable steps to ensure that the data being shared will continue to be protected with adequate security by the recipient controller."

Further guidance on dealing with data subject complaints is contained in the ICO's code too.

"The code flags that organisation should take account of any negative feedback from the data subjects and look at, for example, whether the amount of data being shared could be reduced," Wynn said. "Interestingly, this suggests that if the ICO were to receive a high number of complaints regarding data sharing, it would be likely to take a dim view of an organisation that had failed to address earlier feedback from data subjects along similar lines."

The UK's Data Protection Act requires the ICO to prepare a code of practice containing practical guidance regarding the sharing of personal data. Businesses have until 9 September to provide feedback to the ICO's proposals.