The ICO launches UK code of practice on data sharing

A new statutory code of practice designed to help businesses and public sector bodies share people’s personal information appropriately has been published today by the Information Commissioner’s Office (ICO).The ICO’s data sharing code of practice covers both routine and one-off instances of data sharing. It includes good practice advice that will be helpful to all organisations that share personal information – for example when local authorities share information with the health service or when building societies provide information to a credit reference agency. The code gives advice on when and how personal information can be shared as well as how to keep it secure. Along with the full code of practice, the ICO has also published a summary checklist that can be used as a quick reference guide to sharing information. By following the code, organisations should find they have:

  • a better understanding of when, whether, and how personal information should be shared;
  • improved trust and a better relationship with the people whose information they want to share;
  • reduced risk of the inappropriate or insecure sharing of personal data; and
  • minimised risk of breaking the law and consequent enforcement action by the ICO or other regulators.


The Data Sharing Code of Practice can be downloaded here

Information Commissioner, Christopher Graham, said:

“The code of practice we’ve issued today offers a best practice approach that can be applied in all sectors. It reflects the constructive comments we received during the consultation period, meaning that we can be confident that it not only makes sense on paper but will also work in the real world too. I’d encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right.”

The code explains how the Data Protection Act 1998 (DPA) applies to the sharing of personal data. It also provides good practice advice that will be relevant to all organisations that share personal data.

Any data controller who is involved in the sharing of personal data should use the code to help them to understand how to adopt good practice.