UK: Statutory Data Sharing Code of Practice Entered into Force on 5 October 2021
Businesses often need to share personal data with other organisations. For example, an employer may use a payroll service provider to pay its staff. The Information Commissioner’s Office (ICO) has prepared a new code giving practical guidance to organisations on how to share personal data in compliance with the requirements of the UK GDPR and Data Protection Act 2018. The code does not impose additional requirements on data sharing, but it is designed to help organisations comply with their legal obligations. The code covers a range of issues including transparency, the lawful basis for processing, the accountability principle and the need to document processing requirements.
Failure to comply with the code will make it more difficult to demonstrate that an organisation’s data sharing is fair, lawful and accountable, and could result in the ICO taking enforcement proceedings against the organisation. The code can also be used in evidence in court proceedings, and the courts must take its provisions into account wherever relevant.
Key Action Points for Human Resources and In-house Counsel
Employers who are sharing personal data with third parties should ensure that they comply with the new statutory code of practice on data sharing. The ICO has updated its website, which contains useful information, including a data sharing checklist and some data sharing templates.