ICO: data sharing code of practice
The ICO has released its Code of Practice on Data Sharing, under the GDPR / Data Protection Act 2018.
For ease of reference, here's the draft version of the Code, on which the ICO consulted.
The Code contains some helpful information for controllers looking to share personal data with other controllers, although some bits are better than others.
Data sharing agreements: "good practice" or "basic necessity"?
The section on data sharing agreements sets out what a data sharing agreement should cover (although exactly what you want, or need, will depend on the specific situation).
I'm a fan of "plain English" contracts generally, as that usually makes them easy for the parties to understand and follow. While data sharing agreements (and joint controllership arrangements) do not need to be contractual, I adopt the same approach: I want them to be something which the sharer(s) and recipient(s) can use in practice, without needing to get further legal advice.
One bit of the Code leaves me confused though, and that is where the ICO says that it is just "good practice" to have a data sharing agreement.
Readers with longer memories may recall than, when the ICO issued an enforcement notice to the Met Police in 2018, in respect of its "gangs matrix", some of the (many) reasons for the notice were that:
Information has been shared without any formal written information sharing agreement being in place to control the purpose of that sharing and subsequent use of the data (paragraph 40, in respect of fairness)
information has been repeatedly shared by the MPS (often on an excessive and unnecessary basis, above) with third parties without there being any, or any properly completed, information sharing agreement. Such agreements are a basic necessity to establish what personal data is to be shared, in what circumstances, for what purposes, what use is to be made of the data by the receiving party, and the measures expected to be taken by the receiving party to protect that personal data. The manifest and manifold failures in this respect were not addressed at Borough level or through any central management. (paragraph 47, in respect of technical and organisational security)
Indeed, one of the requirements of the enforcement notice was that the Met must:
Conduct a full review of all data sharing relating to the Gangs Matrix across the MPS in order to evaluate ... whether any sharing is properly regulated by formal written agreements approved by the MPS Information Rights Unit.
Confirm that any and all information sharing of personal data on or derived from the Gangs Matrix will only occur under a formal written agreement approved by the MPS Information Rights Uni
(My emphasis added here.)
So even though the Code says merely "good practice", if you are proposing to share any significant volume of data, or in circumstances which pose significant risk to data subjects, I'd have thought that "good practice" should be read as "do it".
Sharing personal data in databases and lists
There's a pretty good section on buying personal data (e.g. in the form of marketing lists), including suggestions about the due diligence you should carry out before buying (or taking possession of, if it's free) the list.
Responding to requests for personal data from the police and others
The Code contains information on the sharing of personal data in an urgent or emergency situation.
It also has some — and I say "some", as it's rather high level — guidance of sharing data with law enforcement authorities and others.
This is very common — at least, it crosses my desk a lot — so it's a shame it is hidden away in the section on law enforcement processing, under the title "We are not a competent authority: how do we share data with a competent authority?".
Requests for information made to you by competent authorities must be reasonable in the context of their law enforcement purpose, and they should clearly explain the necessity for the request to you.
This bit is often missing, in my experience. Instead, controllers get a standard form document from the requesting agency, setting out their assertion that paragraph 2(1), Schedule 2, Data Protection Act 2018 applies, but without giving the controller sufficient information to assess whether this is genuinely the case in respect of the data being sought. This is important since the controller, and not the requesting authority, bears the risk in respect of reliance on the exemption.
What's here is better than nothing, but more could have been done, I feel. (I didn't reply to the consultation, so perhaps I'm churlish to grumble.)
If you're faced with a request like this and want to assist but are hesistant, do get in touch — we've plenty of experience with this type of request, and helping the police give you the information you need to make a decision.