In December 2020 the Information Commissioner's Office (ICO) issued the final version of its Data Sharing Code of Practice, which is intended to give organisations confidence to share personal data in compliance with data protection law. Please see the December 2020 issue of DWF Data Protection Insights, our data protection focused newsletter, for an overview of the Code. Of particular relevance to public sector bodies is the section "Data sharing across the public sector: the Digital Economy Act codes".
The Digital Economy Act 2017 (DEA) introduced a framework for sharing personal data for defined purposes across specific parts of the public sector. Although the DEA predates the GDPR, it was drafted to be compatible with it. When using the DEA framework, public sector bodies must comply with data protection law including the GDPR (as retained in UK law as the UK GDPR) and the Data Protection Act 2018, as well as other codes of practice issued by the ICO. The framework aims to:
- ensure clarity and consistency in how the public sector shares personal data;
- improve public services through the better use of data; and
- ensure data privacy.
The DEA provides gateways that allow specified public authorities to share personal data for tightly defined objectives and purposes. These powers are supplemented by statutory codes of practice (the DEA codes) which facilitate data sharing for different purposes, including the production of statistics, disclosure of information by civil registration officials and Revenue Authorities, and data sharing for research purposes. The DEA does not currently cover data sharing relating to the provision of health and social care.
The DEA codes contain guidance about what data you can share and for which purpose, and include safeguards to make sure that the privacy of citizens’ data is protected. Some of the codes require public authorities to put in place a data sharing or information sharing agreement, and specify what the agreement must cover.
Case Study
The ICO Data Sharing Code includes a case study about Companies House and HMRC using the data sharing powers under the DEA to share details of company accounts, including personal data about the company's directors, to prevent fraud by ensuring that companies file the same accounts with both bodies. While the DEA created a gateway which permitted this sharing, Companies House and HMRC had to work together to:
- design and agree a data specification;
- complete a data protection impact assessment (DPIA) to ensure they considered proportionality and fair processing; and
- agree and sign an information sharing agreement.
If you would like advice on how to set up a data sharing arrangement under the DEA, please contact JP Buckley, who can help you to conduct a DPIA, address any risks identified and draft an appropriate data sharing agreement.