10 May 2011

Data Sharing Code of Practice

Whilst on the theme of the privacy protection, this afternoon I attended the launch of the Information Commissioner's Office (ICO) Data Sharing Code of Practice, at the House of Commons.

Photograph of a collection of Data Sharing Code of Practice launch items: the cover of the new ICO Data Sharing Code of Practice, the Data Sharing Checklist, the Data Sharing Code of Practice launch list of attendees and a House of Commons serviette

If you remember there was a public consultation at the end of 2010, and the final document is now complete. I contributed to my company's written response, as well as to a response by OWASP on the security aspects of data sharing.

The invitation to the launch event for the ICO Data Sharing Code of Practice, sponsored by John Leech MP, Alun Michael MP and Dominic Raab MP, in the Stranger's Dining Room of the House of Commons

The event was sponsored by John Leech MP, Alun Michael MP and Dominic Raab MP, and the new code of practice was introduced eloquently by the Information Commissioner, Christopher Graham. He made the important point that the ICO is about enabling safe use of personal data, and that blocking the use of personal data is not its role. In fact, consumers and citizens can benefit from transfers and sharing of their data — it just has to be done legally. He described the guidance as "making sense on paper, and in the real world".

Note this is statutory guidance which has therefore been approved by the Secretary of State and laid before Parliament. It does not impose new legal obligations nor is an authoritative statement of the law. But both courts and the Information Commissioner must take into account the contents of the code when determining any question arising from proceedings, or functions being performed by the ICO under the Data Protection Act (DPA).

It applies to all sectors — public and private — although there is some sector-specific guidance included. Importantly it applies to both routine systematic data sharing as well as one-off data sharing tasks. The guidance notes data protection principles also apply to the sharing of information within an organisation, such as between divisions, departments and teams. Examples and case studies used in the document include "a retailer providing customer details to a payment processing company", "a mobile phone company intends to share details of customer accounts with a credit reference agency" and "a marketing company wants to share data with a fulfilment company so it can send out free samples". Practical, yes.

Delegates in the Stranger's Dining Room of the House of Commons for the launch event for the ICO Data Sharing Code of Practice

I was interested to read the new document to see what changes had been made in the period since the consultation. The draft document was quite good, but the final guidance is an order of magnitude better. It looks as though considerable re-writing, greater explanation, and addition of a glossary and quick-reference checklist have improved its content and usability. Additionally, I am pleased to see many more practical private-sector examples have been included throughout the main body, and in the case studies in Annex 3.

In terms of information security, the primary aspects are detailed in Section 7, which lists good practice to take in respect of information shared with other organisations, highlights the need for building a security-aware culture, identifies the need to take reasonable steps to ensure the receiving organisation understands the nature and sensitivity of the information, the need to consider all modes of transmission, and provides two short lists of physical and technical security measures to be considered. One which stands out in particular is:

Have you identified the most common security risks associated with using a web-product — e.g. a website, web application or mobile application?

Well, that's quite specific! And, good advice.

So, data controllers take note. If you are involved with specifying or designing online (or other) business systems, read the whole document — it really will help. The code of practice does not itself have the force of law (the DPA does), but it describes good practice, and the ICO can only take enforcement over breaches of the DPA. But as the guidance says doing nothing, risks breaking the law.

Photograph on the inside of Westminster Hall, the oldest existing part of the Palace of Westminster, erected in 1097

The whole structure of the document is:

  1. Information Commissioner's Foreward
  2. About this code
  3. What do we mean by "data sharing"?
  4. Data sharing and the law
  5. Deciding to share personal data
  6. Fairness and transparency
  7. Security
  8. Governance
  9. Individual's rights
  10. Things to avoid
  11. The ICO's powers and penalties
  12. Notification
  13. Freedom of Information
  14. Data sharing agreements
  15. Data sharing checklists

The annexes are:

  1. The Data Protection principles
  2. Glossary
  3. Case studies

Coincidentally today a potential £200,000 penalty was imposed by the ICO for a recent web site personal data loss, and the full amount was only avoided because the sole trader had already ceased trading.

Photograph of Big Ben at the UK Houses of Parliament with a statue of Oliver Cromwell in the foreground

The code of practice has not yet been published on the ICO web site. I will check again tomorrow morning.

Update 11th May 2011: The ICO has now announced and published the Data Sharing Code of Practice and checklists on their web site.

Posted on: 10 May 2011 at 22:26 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Data Sharing Code of Practice
http://www.clerkendweller.com/2011/5/10/Data-Sharing-Code-of-Practice
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2011/5/10/Data-Sharing-Code-of-Practice
Requested by 38.107.179.224 on Thursday, 17 May 2012 at 23:01 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2011-2012 clerkendweller.com