As a WEISF Partner you agree to work to this Framework.  The Framework provides practical advice and guidance to all Partners engaged in information sharing.  Adopting consistent good practice will enable information sharing which complies with fair and lawful exchanges and the expectations of citizens when sharing their information.

The Framework refers to a number of the ICO's publications.  These are all available to order or download from the ICO's website.

The data sharing code of practice is a statutory code which has been issued after being approved by the Secretary of State and laid before Parliament. The code explains how the Data Protection Act applies to the sharing of personal data.

  • Notification
  • Data Sharing Explained
  • Privacy Notices
  • Privacy Impact Assessments
  • Legal Basis
  • Consent
  • Security Arrangements
  • Information Quality
  • Access to Information
  • Queries and Complaints
  • Glossary of Terms

​Notification

Under data protection law, you may have to provide details of how your organisation handles personal data about staff or customers, for the data protection register.

You'll need to fill in an online application form and pay a fee.  If you're unsure if you need to do this, check using the online self-assessment.

You could be committing a criminal offence if you don't notify the ICO.

Information including your organisation's name and the reason for storing the data will appear on the data protection public register.  The annual fee is £35 for most organisations, including small and medium-sized businesses.

The annual fee is £500 if your organisation has both:

  • 250 or more staff
  • a turnover of at least £25.9 million

Public sector organisations must pay the annual fee of £500 if they have 250 or more staff.

 
data sharing code of practice.gif

Data Sharing Explained

The ICO have published the Data sharing code of practice which provides data controllers with good practice advice.  Adopting the good practice recommendations will help us to collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information we are sharing.  WEISF partners have agreed to adopt the recommendations of this code of practice.

Defining Your Datasets

The Data sharing code of practice covers the two main types of data sharing:

  • systematic, routine data sharing where the same data sets are shared between the same organisations for an established purpose; and
  • exceptional, one-off decisions to share data for any of a range of purposes.

'Systematic data sharing will generally involve routine sharing of data sets between organisations for an agreed purpose.  It could also involve a group of organisations making an arrangement to 'pool' their data for specific purposes.

Different spproaches apply to these two types of data sharing and the code of practice recommendations that are relevant to systematic, routine data sharing are not applicable to one-off decisions about sharing.
 

Privacy Notices

 Privacy Notices code of practice.PNG
 
In a data sharing context, a privacy notice should at least tell the individual:
  • who you are;
  • why you are going to share personal data; and
  • who you are going to share it with - this could be actual named organisations or types of organisation

Privacy Impact Assessments

PIA code of practice.jpg

Legal Basis

Your ability to share information is subject to a number of legal constraints and other considerations such as specific statutory prohibitions on sharing, copyright restrictions or a duty of confidence.  If you wish to share informaiton, you must consider whether you have the legal power or ability to do so.  This is likely to depend on the nature of the information in question and on who you are, and therefore what legislation applies to you.

Consent

One of the conditions for processing is that the individual has consented to their personal data being collected and used in the manner and for purposes in question.

You will need to examine the circumstances of each case to decide whether consent has been given.  In some cases this will be obvious, but in others the particular circumstances will need to be examined closely to decide whether they amount to an adequate consent.

For more information read the section "What is Consent?" on The conditions for processing page of the ICO's website.

Security Arrangements

Organisations are required to have appropriate technical and organisational measures in place when sharing personal data.  Organisations need to establish appropriate security in respect of shared information as new challenges require consideration. The ICO's Data Sharing code of practice provides organisations with the guidance necessary to ensure that both the physical and technical security measures are in place.

Information Quality

It is important to have procedures in place to maintain the quality of the personal data you hold, especially when you intend to share data.  When you are planning to share data with another organisation, you need to consider all the data quality implications. For more detail read the section "Governance - Data Standards" in the ICO's Data Sharing code of practice.

Access To Information

Organisations are required by law to give people access to data about them in a permanent form.  Clear information should be provided to help you understand the process to request information.  For more information about Data Protection and Subject Access Requests read the section"Individuals' Rights - Access to Information" in the ICO Data Sharing Code of Practice.

Queries And Complaints

Individuals may have queries or complaints about how their personal data is being shared, particularly where they think the data is wrong or that the sharing is having an adverse effect on them.  It is good practice to have procedures in place to deal with any queries or comments you receive in a quick and helpful way, for example by having a single point of contact for members of the public.  It is good practice to analyse the comments you receive in order to develop a clearer understanding of publice attitudes to the data sharing you carry out.  Answering individuals' queries can also allow you to provide further information about your data sharing, in addition to what's contained in your privacy notice. For more information read the section "Individuals' Rights - Queries and Complaints" in the ICO Data Sharing Code of Practice. 

Glossary Of Terms

The attached document provides a full glossary terms to assist you when using this site.

Glossary.pdfGlossary.pdf

Document Library

The publications below are all available from the ICO website.  You can choose to view them online, download or order a hard copy for your reference.

Data sharing                                             Privacy Impact Assessments               Privacy notices

data sharing code of practice.gif  PIA code of practice.jpg Privacy Notices code of practice.PNG