Department for Constitutional Affairs: Publications

Data Sharing Codes of Practice

1. What is a Code of Practice?

The production of codes of practice is encouraged in the Data Protection Act 1998. The Code of Practice should be an organisation's rulebook: a comprehensive document that states the principles and legislation which organisations are obliged to adhere to when handling personal data. The Code should set out how the organisation will comply with the Data Protection Act 1998. However, it should go beyond ensuring strictly legalistic compliance and also provide guidance on good practice.

The Information Commissioner's (IC) website includes a number of examples of codes of practice [www.informationcommissioner.gov.uk]. The IC can produce his own code of practice (e.g. on CCTV), encourage an association to do so, or approve Codes submitted to him.

2. Who is the Code for?

The Code should be drawn up for the benefit of:

More generally, we strongly recommend that Codes of Practice are made available to any member of the public who wishes to see them, both on websites and in hard copy. This helps to demonstrate openness and accountability and makes clear the organisation's commitment to the principles set out in the Guarantee.

3. What should the Code contain?

This guidance deals only with those parts of a Code of Practice that deal with data sharing. It does not include other elements necessary to show compliance with the DPA, for example notification with the Information Commissioner's Office. Nor does it go into any detail on compliance with the data protection principles. For examples of Codes of Practice on data protection generally, see the Best Practice Library.

4. The purpose of data sharing

The Code should set out the organisation's aims and activities and why data sharing takes place. This might be, for example, for the purpose of providing better, joined-up services, for research purposes or to detect and prevent fraud. In many cases, there will be more than one advantage from sharing data. For example, setting up a one-stop shop might also lead to financial savings and less opportunity for people to commit fraud. The secondary purposes should also be detailed.

5. Data sharing powers

Set out the legislation that provides the organisation with the power to share data. The code of practice for the Department for Work and Pensions explains the Social Security Fraud Act 2001, which allows local authorities and the DWP to share data about customers. The DWP code of practice makes specific references to the sections of the Social Security Administration Act 1992 which give the Chief Executives of Local Authorities the power to disclose data.

Although a code of practice only applies to an individual organisation, we recommend that you list all the bodies which may be required to provide your organisation with data, quoting any relevant legislation that establishes these data sharing relationships. For example, in the case of the Social Security Act this covers banks, friendly societies and credit unions.

6. How should the authority/power to share data be used?

Data sharing should not occur without consideration of the common law duty of confidence, the Human Rights Act 1998 and the European Convention on Human Rights, and the Data Protection Act 1998. We recommend that you state within the code of practice the organisation's legal position on data sharing with regard to this legislative framework. It is important to set this out in a clear and accessible way, especially any rules referring to confidentiality, as this is often a sticking point for practitioners. For further advice, refer to the DCA's legal guidance on data sharing.

Where consent is required to share data between organisations, the Code should detail:

If data is requested from another organisation and an existing consent form exists, it will be necessary to check that the consent is still valid, since in some circumstances consent will be time-limited and will be re-sought at regular intervals. It will also be necessary to check that no restrictions have been placed on the consent (e.g. the data subject is willing for data to be shared with organisation A but not with organisation B).

Good Examples:

East Ayrshire Council's code of practice clearly sets out when it is justified for the Council to disclose data to the police, public utilities and other public bodies, such as the Child Support Agency and the Inland Revenue, for the purpose of detecting and preventing crime and, on some occasions, for debt tracing. The rules are backed up with a warning requiring employees of the Council to retain copies of data transfers, in case these are needed as evidence in court to support a decision made by the Council. It also explains what employees should do if they have concerns about disclosing information to other public bodies.

The Employment Practices Data Protection Code, Part 2, Employment Records puts disclosure into the context of human resources.

The BMA's Code deals with disclosure of sensitive medical information.

7. Compliance with the Data Protection Act

The Code must show how the organisation will comply with the Data Protection Principles when data is being shared. For example:

  1. Explain how the requirement for 'fair' and 'lawful' processing will be realised, including the purposes for which the data will be shared, the organisations the data will be obtained from, and the organisations that will share the data subsequently (first and second data protection principles).
  2. Describe the systems in place to ensure data is accurate and up to date. Share best practice with partner organisations to ensure consistency.
  3. Where relevant, set dates for disposing of data securely. Provide details of the organisation's data deletion schedules to partner organisations. Also inform them of any forthcoming changes to these schedules.
  4. Develop systems to deal with subject access requests and agree procedures for handling requests that affect data sharing partners.
  5. Set up secure IT and/or manual filing systems to store the collected data. Ensure transfer of data to partners is secure.
  6. Explain which countries data may be transferred to, and make it clear that data may not be shared with any organisation or country that does not have adequate protection for the privacy of individuals.

Although information about deceased people is not covered by the Data Protection Act, we nonetheless recommend that the Code include a section on sharing this data, since it will be covered by the common law duty of confidentiality. It is also good practice that an organisation, when considering a request to share data about a deceased person, should seek to avoid causing possible embarrassment or distress.

8. Conducting reviews of the Code of Practice

The Code should be reviewed on a regular basis. It will need to be updated to take account of, for example:

© Crown Copyright