Out-Law News

ICO consults on draft Data Sharing Code of Practice


Organisations that share personal data with other bodies must make sure their processes guarantee the fairness, accuracy and security of that information, but rules can be relaxed for one-off incidents, the UK data protection watchdog has said.

The Information Commissioner's Office (ICO) has published a draft of the UK's first Code of Practice on Data Sharing, a set of rules which will govern the way that public and private sector organisations share personal details with other bodies. The draft Code is the subject of a 12-week consultation process.

The sharing of anybody's personal data is subject to the Data Protection Act, which demands that those people know what data is collected and why, and that treatment of that data is fair.

Many organisations will have to share that data at some point, the ICO said.

"Scenarios where data sharing might occur include a school passing information about a child to a social services department, a group of insurance companies pooling data about people making claims, GPs sending a patient’s record to a hospital, or a retailer passing customer details to a debt collection company," said an ICO statement.

The draft Code sets out requirements that organisations keep data secure in storage and in transit and that they are transparent about the sharing, and it outlines what individuals' rights are.

The Code makes a distinction, though, between routine and one-off sharing and says that while an organisation must have strict procedures in place for routine sharing, exceptions can be made in unusual circumstances.

"Sometimes a quite unexpected need to share someone’s personal data may arise – for example in an emergency situation. In such cases organisations cannot be expected to have detailed procedures in place, and may just have to go ahead and make a decision about disclosure in the circumstances of the case, possibly in conditions of real urgency," said the Code. "The DPA provides various exemptions that allow ad hoc data sharing to take place lawfully.

"Sometimes there may be a need to share very sensitive or confidential information, even without the individual’s knowledge. Acting appropriately in situations like this depends primarily on the exercise of professional judgement," said the Code. "However, disclosures of personal data in situations like this are still subject to the DPA. The ICO will give due weight to compliance with authoritative professional guidance in determining whether there has been a breach of the DPA."

The Code said that individuals' consent could be one basis on which data is shared, but that other grounds for sharing existed.

"Consent is only one of a number of conditions set out in the DPA which legitimise the sharing of personal data," it said. "In certain limited circumstances the DPA provides for personal data, even sensitive data, to be shared without the individual even knowing about it ... For example, a government agency should not tell an individual that data about them has been shared with the police if this would allow them to destroy evidence, prejudicing a criminal investigation."

"Under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors – both public and private," said Information Commissioner, Christopher Graham. "But citizens’ and consumers’ rights under the Data Protection Act must be respected."

"Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness," said Graham. "But when things go wrong this can cause serious harm. We want citizens and consumers to be able to benefit from the responsible sharing of information, confident that their personal data is being handled responsibly and securely."

The Code contains requirements about the accuracy of data; the procedures used to keep it physically and technically secure; the retention periods for data; and the training of staff required to maintain its security.

The Code outlined things that organisations should avoid doing when setting up data sharing systems.

These included: "misleading individuals about whether you intend to share their information. For example, not telling individuals you intend to share their personal data because they may object; sharing excessive or irrelevant information about people. For example, routinely sharing details about individuals that are not relevant to the purpose that the information is shared for; [and] sharing personal information when there is no need to do so – for example where statistical information can be used to plan service provision".

Consultation on the Code runs until 5th January 2011.
