A new statutory code of practice designed to help businesses and public sector bodies share people’s personal information appropriately has been published by the Information Commissioner’s Office (ICO).
Compliance with the Data Protection Act (DPA) will be made easier for organisations who want to handle personal data.
Citizens and consumers will be able to benefit from the responsible sharing of information, confident that their personal data is being handled responsibly and securely. However, people also want to know how their information is being used, who has access to it, and what that means for them.
The ICO’s new data code of practice covers both routine and one-off instances of data sharing and explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It also provides good advice to all organisations that share personal data, on when and how personal information can be shared as well as how to keep it secure.
Information Commissioner, Christopher Graham, said:
“Few would argue that sharing data can play an important role in providing an efficient service to consumers in both the public and private sector. More and more transactions are done online – from shopping and banking to managing tax and health records. People now have an expectation that, where appropriate and necessary, their personal details may be shared.”
However, this does not mean that companies or public bodies can do this just as they see fit. The public rightly want to remain in control of who is using their information and why, and they need to feel confident that it is being kept safe.
The ICO consulted on a draft code last October. A number of changes and improvements have been made, including the addition of more public and private sector case studies to explain practically how the Data Protection Act applies to data sharing.
ICO powers and penalties
The ICO aims to make compliance with the Data Protection Act (DPA) easier for the majority of organisations who want to handle personal data. In cases where organisations do not comply, the ICO has powers to take action to change behaviour. These powers include the ability to serve an enforcement notice, to conduct audits and to serve a monetary penalty notice.
Before sharing any personal data you hold, you will need to consider all the legal implications of doing so. Your ability to share information is subject to a number of legal constraints which go beyond the requirements of the Data Protection Act (DPA).
There may well be other considerations such as specific statutory prohibitions on sharing, copyright restrictions or a duty of confidence that may affect your ability to share personal data. A duty of confidence may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected.
If you wish to share information with another person, whether by way of a one-off disclosure or as part of a large-scale data sharing arrangement, you need to consider whether you have the legal power or ability to do so. This is likely to depend, in part, on the nature of the information in question – for example whether it is sensitive personal data. However, it also depends on who ‘you’ are, because your legal status also affects your ability to share information.
Along with the full code of practice, the ICO has also published a summary checklist that can be used as a quick reference guide to sharing information. By following the code, organisations should find they have:
- a better understanding of when, whether, and how personal information should be shared;
- improved trust and a better relationship with the people whose information they want to share;
- reduced risk of the inappropriate or insecure sharing of personal data; and
- minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.
Information Commissioner, Christopher Graham, adds:
“The code of practice we’ve issued today offers a best practice approach that can be applied in all sectors. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too. I’d encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.”
Adopting its good practice recommendations will help organisations to work together to make the best use of the data they hold to deliver the highest quality of service, whilst avoiding the creation of the opaque, excessive and insecure information systems that can generate so much public distrust.
Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Not transferred to other countries without adequate protection
The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. More information: www.ico.gov.uk