The ICO has published a new framework code of practice for all organisations sharing information about individuals. Was there really a need for a new code, and does it say anything new about data protection law? Phil Lee shares his thoughts.
Who: The Information Commissioner
When: 10 October 2007
Law stated as at: 2 November 2007
In recognition of the benefits that organisations can achieve through sharing of personal information, but with a watchful eye on data protection compliance, the Information Commissioner has published its "Framework code of practice for sharing personal information" (the "Code").
The Code aims to encourage organisations that engage in information sharing to develop their own bespoke "codes of practice" – internal policies governing what personal information may be shared and why, and the standards and procedures that should apply to information sharing activities.
The Code applies both to inter-departmental sharing within a single organisation (principally of relevance to sharing between governmental departments) and to sharing between two separate organisations. This latter form of sharing will encompass a wide range of personal information uses that may be undertaken by marketing organisations – including, for example, list rental and/or sale activities, personal information sharing for joint venture marketing campaigns and sale of customer databases as part of a wider business disposal.
Privacy Impact Assessment
Before engaging in information sharing activities, the Code encourages organisations first to step back and appraise their motives for information sharing. Organisations should, amongst other things, consider:
- why they wish to share personal information;
- what benefits this is expected to deliver;
- the scope of information that must necessarily be shared in order to achieve the desired objective;
- the likely effect on the individuals to whom the information relates;
- possible alternatives to sharing personal information, such as statistical information;
- whether it is necessary to seek consent from the individuals to whom the data relates (especially where sensitive personal information – such as health or racial information – may be shared).
Organisations are encouraged to undertake a "privacy impact assessment" to address the above and other relevant issues. The Code does not detail how a privacy impact assessment should be conducted but, by analogy with the Information Commissioner's guidance on impact assessments for proposed employee monitoring activities, the degree of formality with which the exercise should be conducted will necessarily depend on the scale and scope of the proposed information sharing activities. Bespoke codes of practice should clearly address each of the above issues, as well as any other issues arising out of a privacy impact assessment.
A key requirement placed on organisations by the Data Protection Act 1998 is that information held about individuals must be accurate and, where necessary, kept up to date. The Information Commissioner expects organisations to check that the information they hold is not excessive, is accurate and is up-to-date. In an information sharing context, the Code advises organisations to check that the information they are about to share meets these standards before sharing the data. The Code also requires organisations to ensure that, if notified that information held about an individual is incorrect, corrections to that information are made both by the relevant organisation and also by any organisations with whom that information has been shared. Bespoke codes of practice should fully document the procedures for performing these checks and corrections.
Bespoke codes of practice must specify the period(s) for which particular categories of personal information may be retained, to guard against sharing "out-of-date" data. This does not provide organisations with a carte blanche to specify lengthy retention periods – the Code provides that any period specified must not be "longer than is necessary", in keeping with data protection law. In assessing what is an appropriate retention period, the Code encourages organisations to take into account the purpose for which information is being retained, the costs, risks and liabilities of retaining that information and the ease or difficulty with which that information can be kept accurate and up-to-date. Particularly relevant to these considerations will be the application of any relevant legal, regulatory or professional guidelines.
Organisations that collect, process and share personal information are expected to adopt technical and organisational security measures to guard against data theft, damage or loss. Different levels of security may be appropriate depending on the type of information concerned in a particular context – however, for ease of administration, the Code encourages organisations to adopt a "highest common denominator" approach, that is, to apply the standard of protection warranted by the most sensitive information they hold consistently across all personal information. Bespoke codes of practice should describe the technical and organisational measures that should be applied to safeguard personal information.
The Code highlights that problems can arise where organisations that share information apply different technical and organisational security measures, since information is only as well protected as the weakest set of controls it passes through. To avoid these problems, the Code specifies that security issues should be addressed and agreed before engaging in information sharing activities – reminding organisations that compliance risk generally remains with the disclosing organisation.
Organisations are expected to ensure that individuals have the ability to access information held about them easily. The Code warns that, in an information sharing context between two or more organisations, it can be difficult for individuals to know who to approach. The Code therefore encourages organisations to provide a "single point of contact" for individuals to turn to in this situation. Organisations are also encouraged to consider whether it may be possible to provide individuals with alternative access routes to their information – for example, online access to personal records. Bespoke codes of practice should also provide clear guidance on how to respond to requests by individuals for access to their information and clarify any cases where information can legally be withheld from those individuals. On a practical level, organisations should ensure that they (and any third parties with whom they share information) maintain good record keeping systems that enable prompt, efficient access to information.
Why this matters:
Whilst the Code does not say anything new in terms of data protection law, it provides a helpful overview of the steps organisations can take towards achieving data protection compliance when embarking on an information sharing programme. The Code can perhaps be viewed as recognition by the Information Commissioner that its role is not to bar sharing of personal information between organisations where this can deliver a discernible benefit but, instead, to provide organisations with a workable framework highlighting the key issues of which they need to be aware in order to comply with data protection law.