New ICO Data Sharing Code Of Practice – Clarifying The Framework For Data Sharing And Busting Myths In The Process – Privacy


New ICO Code of Conduct for Data Exchange – Clarify the framework for data exchange and destroy myths in this process

January 11, 2021

Gowling WLG

To print this article, all you need to do is be registered or log in to

On December 17, 2020, the Information Commissioner’s Office (ICO) published its new code of conduct for data exchange (“code“), a practical guide for organizations to transfer personal data in accordance with the Data Protection Act. The Code replaces the previous ICO Data Exchange Code, which was published in 2011 under the Data Protection Act 1998. It should be noted that the Code only applies to transfer of personal data between controllers (with a focus on sharing data between different controllers), transferring data to processors or within an organization does not fall within the scope of the Code. Appendix C of the Code contains useful case studies of organizations that are personal Share data and there’s a handy checklist that summarizes the most important steps organizations need to take when setting up data sharing.

The ICO recognizes that sharing data has benefits for society as a whole and it can sometimes be more harmful not to share data. The role of data sharing during the pandemic by enabling Test and Trace and helping vulnerable patients is a case in point. In this context, the ICO states that the legal framework is a “precursor to responsible data sharing” and clears up some of the myths that currently exist (e.g. data can only be shared with the consent of the data subjects). The Code will help organizations weigh the risks and benefits of exchanging data and implement them in a fair, transparent and proportionate manner.

In this article, we explain the key takeaways from the Code, although we believe that the Code formalizes the current practices that we see and have already adopted in advising on data sharing agreements and requirements, and adds nothing unusual or new.

1. Data protection principles

As with any type of processing activity, organizations must follow the data protection principles of the General Data Protection Regulation (GDPR) when sharing personal data. The Code explains in detail how these principles apply in connection with data exchange. For example, companies need to think about how to demonstrate that they have complied with the GDPR when exchanging data (i.e. “the principle of accountability”), verifying that data is being transmitted in a secure manner (“security principle”) and ensuring that Individuals know what happens to their data (“principle of transparency”).

2. Data Protection Impact Assessments (DPIA) and Data Exchange Agreements (DSA)


Organizations must conduct a data protection impact assessment (“DPIA“) for the exchange of data that is” likely to pose a high risk to individuals “. This is typically triggered when the processing involves, for example, the use of innovative technologies, large-scale profiling of people, the processing of biometric data and the matching of data includes or combines records from different sources.

Even if a DPIA is not required, the Code recommends that organizations carry it out anyway, especially if the data exchange is part of a large project or a routine data exchange is required. A DPIA can help organizations identify risks and assess the proportionality of the proposed data exchange, as well as promoting the data subject’s confidence in the organizations’ data processing.


The code states that a data exchange agreement (“DSA“) between parties sharing data can be an essential part of GDPR accountability compliance, although it is not required. A DPA can help organizations justify the exchange of data by demonstrating that addresses the issues involved and documented, and The Code as a whole provides a framework for compliance with data protection principles and provides a detailed breakdown of the types of information a DSA should contain.

While a DSA does not provide immunity to violations of the law, the ICO takes the presence of a relevant DSA into account when assessing complaints it receives about an organization’s data sharing activities.

3. Data exchange in the context of a merger or restructuring

The Code contains a number of elements of action that organizations can take into account when exchanging data in connection with a merger or a change in the organizational structure. This means that data is transferred to another organization. For example, companies should follow the general rules for data exchange outlined in the Code and comply with GDPR principles, seek technical advice before exchanging data involving different systems, and consider when and how data subjects will be informed of what is happening. This is likely a response to the increasing value attributed to data as a significant asset in business revenue.

4. Transfer of databases

Companies also trade in data outside of mergers and acquisitions. The transfer of databases or lists of people from organizations such as data brokers or marketing agencies is a form of data exchange, be it for money or other purposes, and for profit or not. The Code states that organizations receiving the data must conduct the appropriate inquiries and reviews to ensure that the databases or lists they receive are shared in accordance with data protection law and can respond to complaints about them. Some of these action items include confirming the data source, reviewing the details of the privacy notice that has been shared with individuals, and making sure that the data received is not excessive or irrelevant. The Code adds that it is good practice to have a written contract with the organization providing the data.

5. Data exchange in an emergency

In a chapter that is certainly inspired by the pandemic, the Code states that in an emergency, organizations should share data when necessary and proportionate. Examples of emergency situations are preventing serious physical harm to a person and protecting public health. The Code specifically refers to recent tragedies such as the Grenfell Tower fire, major terrorist attacks in London and Manchester and the coronavirus pandemic crisis as examples of how urgent or rapid data sharing can make a real difference to public health and safety can cause. In these situations, it can be more harmful not to share data than to share it. In this context, companies should consider the risks associated with not disclosing data.

As part of compliance with the principle of accountability, organizations should document the assessment of an urgent data exchange they are conducting. If no written records could be created at the time of the data exchange, this should be done retrospectively.

Read the original article on

The content of this article is intended to provide general guidance on the subject. A professional should be obtained about your particular circumstances.

POPULAR ARTICLES ABOUT: Privacy Policy from Canada

Bill C-11 – The Digital Charter Implementation Act

Filion Wakely Thorup Angeletti LLP

On November 17, 2020, the federal government introduced Act C-11 to implement the Digital Charter 2020 (“Act C-11”). While Bill C-11 only got the first reading on …

Recent articles

Crypto exchanges struggle as El Salvador adopts Bitcoin

Today, Bitcoin is becoming an official currency in El Salvador, and the markets and crypto exchanges seem to be struggling. On...

Schools are back – and time to comply with the ICO’s Age Appropriate Design Code

As of September 2, 2021, the United Kingdom's Information Commissioner's Office ("ICO") expects organizations to use their Age Appropriate Design Code ("AADC"). The...

the ICO wants input on when personal data goes international

You don't have to be a data-focused IT service provider to realize that the UK was lucky enough to receive an adequacy decision from...