Privacy & Information Security Law Blog

On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data.  As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing.  By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.

The UK Information Commissioner, Christopher Graham, said, “[f]ew would argue that sharing data can play an important role in providing an efficient service to consumers in both the public and private sector . . . People now have an expectation that, where appropriate and necessary, their personal details may be shared.  However, this does not mean that companies or public bodies can do this just as they see fit.  The public rightly want to remain in control of who is using their information and why, and they need to feel confident that it is being kept safe.”

The publication of the code of practice follows a 12-week consultation on the draft version.  The Information Commissioner said that the published code “reflects the constructive comments we received during the consultation period” which makes the ICO “confident that it not only makes sense on paper but will also work in the real world too.”  The published code of practice includes the addition of case studies which provide practical explanations of how the Data Protection Act applies to data sharing.