UK Data Protection Authority reinforces need for data sharing agreements.

As part of their digital transformation initiatives, businesses are increasingly getting into closer relationships with other companies up and down the supply chain. This often means access to each other's systems and data sharing.

This raises several issues in terms of what you can and can't share, and the risks inherent in third-party systems, which could leave your data exposed via someone else's system. As a result, the UK Information Commissioner's Office (ICO) has issued an updated Data Sharing Code of Practice to offer practical guidance on sharing personal data between organisations while remaining in compliance with data protection law. At the same time, it makes recommendations to promote good practice.

Do you need a data-sharing agreement?

According to the ICO, while there is no legal requirement for a data-sharing agreement between businesses, it is considered good practice to have one in place. This is because a data-sharing agreement ensures that all parties are clear about the purpose of data sharing and sets out what happens to the data at each stage of the process.

Of course, these agreements are also a valuable tool for data controllers to demonstrate their accountability under the UK GDPR legislation in a way that partners and regulators can inspect. So even though UK GDPR doesn't say you must have data-sharing agreements in place, it's pretty clear that the regulators expect any organisations involved in data-sharing arrangements to have some kind of written documentation as a means of demonstrating their respective responsibilities.

What should an agreement include?

Although the ICO doesn't offer a set format for agreements to take, it does set out in its code of practice a range of areas that it needs to cover:

- What will the data sharing achieve? A clear set of objectives will show what you need to share and with whom.

- What needs to be shared? You should always aim to share the minimum information required for the task, not everything you hold concerning the individual.

- Who needs access? This should be on a 'need to know' basis, so that only organisations and staff that need access have it.

- When is it shared? Is this an ongoing process, or will it be a one-off?

- How is it shared? This needs to look at how it's transmitted and protected along the way.

- Are objectives being met? For example, do you still need to share the data, and are there safeguards in place to address the risks of sharing?

- What are the risks? Is any individual likely to object to the data sharing, and could it harm anyone?

- Do you need to share PII? For example, could you carry out the task by anonymising the data? Indeed, do you need to share it at all?

- Is sharing covered by your data protection register entry?

- Is data going to be shared outside the European Economic Area (EEA)?

The case for sharing

Why would you need to share data? The Commissioner's Office guidelines look at specific situations, such as mergers and acquisitions. In these cases, the data involved and what needs to be shared should be part of the due diligence carried out as part of the merger process.

If you need to share data for commercial purposes, then it must be within the terms of your data protection compliance. This applies equally to non-profit organisations as well as to commercial ones. When entering a new agreement, it's vital to check where the data is coming from and how it will be processed and used.

There are situations where one-off sharing may be appropriate, for example in an emergency or in time-sensitive situations. However, the guidelines make clear that it is still necessary to comply with UK GDPR rules. At the very least, this means having a mechanism in place for recording what has been shared, when and why.

The overriding consideration is that you must remain compliant with data protection legislation. The regulator suggests carrying out a Data Protection Impact Assessment (DPIA). This is good practice for any project that involves personal data, not just those that require sharing it. As always, you need to be able to show compliance by having documented all steps of the sharing process and, crucially, ensuring that it remains protected even after it's been shared.

This is a collaborative process, and you will need to work closely with your supply chain partners to ensure that all of the proper checks and documentation are in place before you sign off on a project.