Out-Law News

ICO publishes new code of practice for personal data sharing

Organisations must make sure they only share the personal data necessary to achieve their objectives according to guidance published by privacy watchdog the Information Commissioner's Office (ICO).

The ICO has published a new code of practice advising organisations how to share personal data. The publishing of the guidance is an obligation under the Data Protection Act.

Organisations must establish whether it is justified to share information in the first place, the ICO code says.

"You should consider the potential benefits and risks, either to individuals or society, of sharing the data. You should also assess the likely results of not sharing the data. You should ask yourself what... the sharing [is] meant to achieve. You should have a clear objective, or set of objectives. Being clear about this will allow you to work out what data you need to share and who with," the ICO data sharing code of practice said (59-page / 467KB PDF).

Companies should assess what information needs to be shared, the ICO said.

"You shouldn’t share all the personal data you hold about someone if only certain data items are needed to achieve your objectives. For example, you might need to share somebody’s current name and address but not other information you hold about them," the new code said.

Organisations should employ 'need to know' principles to restrict access to the personal data they hold, and should assess whether a data-sharing arrangement needs to be ongoing or can be a one-off, the ICO said.

Common rules should be established for how data is shared to make sure it is secure, and reviews of the processes should be made, the ICO said.

The ICO suggested questions an organisation might ask itself when conducting a risk assessment.

"Is any individual likely to be damaged by it? Is any individual likely to object? Might it undermine individuals’ trust in the organisations that keep records about them? Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data," the ICO said.

Data sharers have to determine whether they have the legal power to disclose personal information, the ICO said.

"If you wish to share information with another person, whether by way of a one-off disclosure or as part of a large-scale data sharing arrangement, you need to consider whether you have the legal power or ability to do so. This is likely to depend, in part, on the nature of the information in question – for example whether it is sensitive personal data. However, it also depends on who ‘you’ are, because your legal status also affects your ability to share information – in particular it depends on whether you are a public sector body or a private/third sector one," the ICO said.

Organisations that decide to share personal data need to determine whether they need to tell individuals, the ICO said.

"The legal requirement is to provide a description of the recipient or the recipients of the data – this means types of organisation, not the names of specific organisations," the ICO code said.

"When any part of the notification entry becomes inaccurate or incomplete, for example because you are now disclosing information to a new type of organisation, you must inform the ICO as soon as practical and in any event within 28 days. It is a criminal offence not to do this.

Where several organisations are sharing personal data it is important that each organisation is clear about the personal data they are responsible for and include that information on their notification entry," the ICO code said.

The ICO suggested how organisations in a data sharing agreement might respond to a Freedom of Information (FOI) or individual's request for information.

"[The agreement] should ensure that one staff member or organisation takes overall responsibility for ensuring that the individual can gain access to all the shared data easily," the ICO code said.

The data privacy watchdog advised public authorities to take an open approach to avoid potential FOI requests.

"Making your policies and procedures available to the public proactively should help to reassure individuals and to establish an increased level of trust and confidence in your organisation’s data sharing practices," the ICO said.

The ICO said that an organisation should make sure any data sharing arrangement it has with another firm addresses practical problems, including being clear about which data sets can be shared, periodically carrying out a sampling exercise to check that the information held is accurate, and recording information in a common format.

An organisation should record any data it shares if it is on a one-off basis, the ICO said.

"If you share information you should record what information was shared and for what purpose, who it was shared with, when it was shared, your justification for sharing and whether the information was shared with or without consent," the ICO's new code said.

Sharing personal information outside of the European Economic Area is only allowed under EU data protection laws if the country has equivalent data security standards to EU countries, the ICO advised.

The ICO said that its code should apply to sharing personal data between 'data controllers'. Data controllers are organisations that are in control of data.

They may share it with other organisations, who become data processors.

Data processors have lesser responsibilities for data sharing policy, though they must act in line with the policies imposed on them by data controllers.

Data sharing activities that the new code could apply to include when a local authority has to disclose personal data about employees to an anti-fraud body, when a GP sends information about a patient to a local hospital or when a school provides information about pupils to a research organisation, the ICO said.

The benefits to companies adopting the new code include minimising the risk of breaking the law, improving the public's trust in how sensitive data is handled, increasing data sharing for the benefit of business and reducing the risk of losing reputation caused by insecure sharing of personal data, the ICO said.

"Adopting its good practice recommendations will help organisations to work together to make the best use of the data they hold to deliver the highest quality of service, whilst avoiding the creation of the opaque, excessive and insecure information systems that can generate so much public distrust," Christopher Graham, Information Commissioner said.

The ICO was required to publish the code under the Data Protection Act.
