The ICO (Information Commissioner’s Office) has published its updated Data Sharing Code of Practice.
It contains detailed guidance on GDPR considerations when sharing or disclosing personal data, either on a routine or one-off basis. It also includes checklists to help organisations make decisions about whether or how to share data.
The new code of practice highlights the importance of:
- Being able to demonstrate that you have assessed the risks for your proposed data sharing.
- Consistently taking a fair and transparent approach to sharing personal data.
- Taking care where sharing personal data in relation to a company merger or acquisition.
- Providing relevant training to everyone in your business in order to comply with GDPR.
In tandem, the ICO has also launched a new data sharing information hub, to provide additional support to organisations and help them comply with data sharing best practice.
“This code, and the products and toolkits published alongside it, provides a gateway to good data sharing practice and the benefits we can expect from the results,” says the Information Commissioner, Elizabeth Denham.
Reed Smith’s article describes what the new data sharing code covers and also highlights that it is for controller-to-controller data sharing, not data sharing with a processor.
- Take stock of situations where you share personal data with other controllers, such as your clients. Do you have up-to-date records of your purposes, risk evaluations etc?
- Consider each type of data you share. Pay extra attention to any special category data, such as candidate vetting or employee HR records.
- If your candidate database or internal employee personal data is shared with other group companies, be thorough in identifying the scope of data that is shared or accessible.
- For helpline subscribers, a cribsheet on third party data sharing to help you identify which types of agreements to use is on our client portal.
- Contact our helpline for further help on your particular data sharing activities.