Activity Data Synthesis

Wednesday, 11 May 2011

Information Commissioner’s Office publishes UK code of practice on data sharing

For those of you thinking of sharing or publishing personal data as a result of these projects may be interested in the "Data sharing code of practice" from the Information Commissioner's office.

A mere 59 pages available as a pdf from the Information Commissioner's office.

A few quotes may give you a little of the flavour:

"As I said in launching the public consultation on the draft of this code, under the right circumstances and for the right reasons, data sharing across and between organisations can play a crucial role in providing a better, more efficient service to customers in a range of sectors – both public and private. But citizens’ and consumers’ rights under the Data Protection Act must be respected."

"Organisations that don’t understand what can and cannot be done legally are as likely to disadvantage their clients through excessive caution as they are by carelessness."

"the code isn’t really about ‘sharing’ in the plain English sense. It’s more about different types of disclosure, often involving many organisations and very complex information chains; chains that grow ever longer, crossing organisational and even national boundaries."

The code covers activities such as:

  • two departments of a local authority exchanging information to promote one of the authority’s services;
  • a school providing information about pupils to a research organisation;

By ‘data sharing’ we mean the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. Data sharing can take the form of:

  • a reciprocal exchange of data;
  • one or more organisations providing data to a third party or parties;
  • several organisations pooling information and making it available to each other;
  • several organisations pooling information and making it available to a third party or parties;
  • different parts of the same organisation making data available to each other.

When we talk about ‘data sharing’ most people will understand this as sharing data between organisations. However, the data protection principles also apply to the sharing of information within an organisation – for example between the different departments of a local authority or financial services company.

When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you need to identify the objective that it is meant to achieve. You should consider the potential benefits and risks, either to individuals or society, of sharing the data. You should also assess the likely results of not sharing the data. You should ask yourself:

  • What is the sharing meant to achieve? ...
  • What information needs to be shared? ....
  • Who requires access to the shared personal data? .....
  • When should it be shared? ....
  • How should it be shared? ....
  • How can we check the sharing is achieving its objectives? ....
  • What risk does the data sharing pose? ....
  • Could the objective be achieved without sharing the data or by anonymising it? [my emphasis] It is not appropriate to use personal data to plan service provision, for example, where this could be done with information that does not amount to personal data.
  • Do I need to update my notification?
  • Will any of the data be transferred outside of the European Economic Area (EEA)?

Whilst consent will provide a basis on which organisations can share personal data, the ICO recognises that it is not always achievable or even desirable.

If you are going to rely on consent as your condition you must be sure that individuals know precisely what data sharing they are consenting to and understand its implications for them. They must also have genuine control over whether or not the data sharing takes place.

-- it goes on to say where consent is most appropriate and what other conditions allow sharing (p14-15), with some examples of what is permissable

The general rule in the DPA is that individuals should, at least, be aware that personal data about them has been, or is going to be, shared – even if their consent for the sharing is not needed.

The Data Protection Act (DPA) requires organisations to have appropriate technical and organisational measures in place when sharing personal data.

followed by lots of useful guidance on this area covering both physical and technical security

It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.

and outlines what should be covered by the agreement (p25)

it is good practice to carry out a privacy impact assessment.

Agree common retention periods and deletion arrangements for the data you send and receive.

Things to avoid

  • Misleading individuals about whether you intend to share their information.
  • Sharing excessive or irrelevant information about people.
  • Sharing personal data when there is no need to do so
  • Not taking reasonable steps to ensure that information is accurate and up to date before you share it.
  • Using incompatible information systems to share personal data, resulting in the loss, corruption or degradation of the data.
  • Having inappropriate security measures in place,

Section 14 is on data sharing agreements pp41-3

Section 15 provides a data sharing checklist p46

the case study on p 55 covers research using data from other organisations

1 comment: