Kennedys urges ICO to improve data-sharing guidance

We have told the Information Commissioner’s Office (ICO) that the draft code of practice on how organisations can lawfully share personal data is too generic and needs to reflect the real world.

We have also called for specific guidance to support law firms and insurers navigate issues around data sharing.

Our response to the ICO consultation on a new statutory code of practice on data sharing highlighted examples of issues we have encountered, with insurers concerned that they are unable to obtain sufficient information from their insured clients in order to assess claims. This is often due to a misunderstanding as to the scope of data which can be shared in this context.

We also explained how, in a data breach response situation, we have found clients “reluctant to disclose sufficient information to us to facilitate data subject notification process (for example, customer database lists)”.

Our response said: “This has the potential to cause unnecessary delays, and clarity on this situation would be helpful.”

We feel that these scenarios called into question the potential applicability of article 14 of the General Data Protection Regulation (GDPR), “as this would lead to a situation where an insurer or solicitor becomes a controller of personal data which has not been obtained directly from the data subject”.

Our response argued that the draft code was inadequate because it focused on the general requirements of the GDPR without seeking to apply them to the specific practice of data sharing.

We stated that we would also welcome more guidance on data sharing in legal practice, specifically on sharing personal data with the court, counterparties and witnesses in the context of litigation.

We outlined that “there is a brief, albeit helpful, case study provided by the Law Society of Scotland that outlines the parties that law firms share data with on a regular basis. That guidance coupled with further clarification in the draft code would be of assistance.”

Though the ICO specifies the importance of data sharing in the context of mergers and acquisitions, there is limited focus on the sharing of personal data as part of the due diligence process prior to a merger or acquisition. This too would benefit from more clarity.

In our response, we said: “From an industry perspective, particularly in respect of our insurer clients, we would also be interested to see case scenarios within the insurance sector for the purposes of underwriting and claims, e.g. in the context of fraud prevention and access to medical records.

“This information would also provide guidance to not only the insurance market but across the retail finance industry.”

Partner Tom Pelham, who heads our UK cyber practice, says: “We are all still feeling our way through the requirements imposed GDPR and the guidance as drafted will do little to help anyone understand the limits of data sharing. This is a pivotal issue for so many enterprises, and it is vital that the guidance reflects that.

“The huge fines the ICO has handed out to BA and Marriott highlight the risks of non-compliance with GDPR, and so it is incumbent on the commissioner to be as clear as possible on how the rules work.”