Our response to the ICO on the Data Sharing Code of Practice draft
In July, the Information Commissioner’s Office (“ICO”) published its draft guidance on the Data Sharing Code of Practice.
We welcome the Draft Code and the clarity it brings to certain data sharing issues that have arisen post-GDPR. However, we also criticise the Draft Code for going too far, both legally (its effect is to impose obligations on businesses which are simply beyond the requirements of the GDPR and DPA) and practically (many of the requirements imposed are unworkable for some businesses).
The Draft Code also seems to focus its examples far too heavily on public sector entities and fails to take into account the vast impact it will have on the private sector, particularly those businesses for whom data sharing is a daily practice.
Our concerns can be summarised as this:
- The authors of the GDPR considered it necessary to mandate requirements that must be set out in a written agreement between controllers and processors. There is no equivalent regulatory (or statutory) imposition on controller to controller agreements. All of the ICO’s guidance on data sharing must be viewed through that lens. The general use of statements using words such as “shall”, “must” or “should” when describing data sharing duties gives the impression that these statements are mandatory (in effect, the law) when that is simply not true. They are good practice recommendations and the Draft Code should be more clear about this. Only a few passing references are made to this point.
- At times, the Draft Code is simply unworkable, placing disproportionate burdens on UK businesses which are not required by law. This impact will be most acutely felt by SMEs, although even business with large legal functions are likely to struggle to meet all standards and expectations in the Draft Code.
The document (downloadable below) sets out our consultation response to the ICO’s Data Sharing Code of Practice draft for consultation, dated 15 July 2019.Click to download our full response
If you would like to find out more about our Data Protection team and what we are doing to help businesses of all sizes to comply with the GDPR, please get in touch!