Since the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) came into effect in May last year, many charities have been looking again at their data sharing practices. It's not always easy to make a judgment call about whether data sharing is fair and lawful, particularly if data protection law threatens to impinge on a charity's ability to deliver front-line services or to raise funds.

A new data sharing code of practice

The Information Commissioner's Office (ICO) is required by law to publish a code of practice on data sharing. The aim of the code is to act as a practical guide for organisations on how to share personal data in compliance with data protection law and to provide good practice recommendations.

The previous data sharing code had last been updated in 2011 and was quite out of kilter with GDPR and DPA requirements in places. The new draft code was published in July. It covers the whole spectrum of data sharing activities, from emergency or one-off requests to regular data sharing arrangements, and applies to all organisations, whether commercial or not-for-profit. This ambitious scope means the code will never provide all the answers, but we found several positive messages for the charity sector.

Roundtable discussions

Over the summer, we gathered data protection leads from several charities together to discuss the draft data sharing code. Here are a few ideas that we found encouraging:

  • the code acknowledges that regular and systematic data sharing can have significant benefits. It gives the example of information exchange between multi-agency network groups, which can be crucial in order to provide effective social care, or to pick up on safeguarding concerns at an early stage. Importantly for many charities, the code recognises that personal data may sometimes be used in a way that negatively affects an individual, but that this doesn't automatically make the use unfair, as long as the charity can demonstrate that the impact is justified
  • the code sets out what should be included in a written data sharing agreement. While this doesn't necessarily mean that the process will be speedy or straightforward, having clear guidance about what should be taken into account will provide comfort to charities that previously had to hope that the data sharing arrangements they had put in place were sufficient
  • when the new code is published, it will include a data sharing checklist as well as template data sharing request and decision forms. Although we haven't seen what these documents will look like as they weren't included in the draft version of the code, they are likely to prove helpful to charities, particularly those that receive ad hoc requests from third parties (such as social workers or lawyers) to share client or service user personal data

What next?

The draft code was open for consultation over the summer and the deadline for responses was 9 September. It is hoped that the final version of the code will be published by the end of this year.

The code will be compulsory reading for any charity that shares personal data. Although the code isn't law, non-compliance can be taken into consideration in legal proceedings. If the ICO is required to investigate a charity's data sharing activities, it will also take the code into account in order to decide whether the sharing is fair and lawful.