The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The Information Commissioner’s Office (ICO) has today published its Data Sharing Code of Practice.

The code, and a suite of new resources, provides practical advice to businesses and organisations on how to carry out responsible data sharing.

Data sharing is central to digital innovation in both the private and public sectors. It can lead to many economic and social benefits, including greater growth, technological innovations, and the delivery of more efficient and targeted services.

Information Commissioner Elizabeth Denham said the COVID-19 pandemic brought the need for fair, transparent and secure data sharing into even sharper focus.

She said:

“I have seen first-hand how sharing data between organisations has been crucial to supporting and protecting people during the response to the COVID-19 pandemic.

“That includes public authorities and supermarkets sharing information to support vulnerable people shielding or health data being shared to support fast, efficient and effective delivery of pandemic responses.”

Provision for the code was included in the Data Protection Act 2018 and it addresses many aspects of the new legislation including transparency, lawful bases for using personal data, the new accountability principle and the requirement to record processing activities.

Alongside the code, the ICO has launched a data sharing information hub where organisations can find targeted support and resources, including:

Ms Denham said the publication of the code was not a conclusion, but a milestone.

She said:

“This code demonstrates that the legal framework is an enabler to responsible data sharing and busts some of the myths that currently exist.

“I want my code of practice to be part of a wider effort to address the technical, organisational and cultural challenges for data sharing. The ICO will be at the forefront of a collective effort, engaging with key stakeholders. I know I can count on a collective effort from practitioners and government to understand the code and work with the ICO to embed it.”

As part of its ongoing work, the ICO is encouraging organisations that are developing products and services that support complex data sharing in the public interest to apply for its regulatory Sandbox.

The regulator will also increase its engagement with organisations to help them understand the code and promote the benefits of sharing data.

For more information visit ico.org.uk/datasharing.

Notes to Editors

About the Data Sharing Code of Practice

  1. The Government included provisions in the Data Protection Act 2018 (DPA2018) requiring the ICO to produce a code of practice that provides practical guidance on data sharing. A previous data sharing code was published in 2011 under the Data Protection Act 1998.
  2. The first draft of the new code went out to consultation in July 2019, preceded by a call for views in 2018. It was informed by initial views and evidence gathered from a wide range of private, public and third sector organisations, as well as individual members of the public acting in a private capacity. You can read the responses here.
  3. The ICO submitted the Data Sharing Code of Practice to the Secretary of State on 17 December 2020. The Secretary of State will now need to lay the code before Parliament for its approval as soon as is reasonably practicable.
  4. Once the code has been laid it will remain before Parliament for 40 sitting days. If there are no objections, it will come into force 21 days after that. 


About the Information Commissioner’s Office

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR) and Privacy and Electronic Communications Regulations 2003 (PECR).
  3. Since 25 May 2018, the ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to £17million (20m Euro) or 4% of global turnover.
  4. The GDPR and the DPA2018 gave the ICO new strengthened powers.
  5. The data protection principles in the GDPR evolved from the original DPA, and set out the main responsibilities for organisations.
  6. To report a concern to the ICO, go to ico.org.uk/concerns.