Data Sharing Made Easy (well, easier)

The new Data Sharing Code, (effective October 2021), provides welcome clarification, with useful checklists and examples.

It only applies to joint controllers.  As a reminder, a Data Controller is the party who has “ownership” of the personal data.  There are a surprising number of examples where an individual working with an organisation, or two or more organisations working together, will be joint controllers.

There is no legal requirement to have a written Data Sharing Agreement. But there is a legal requirement to have “arrangements” in place dealing with

  • The responsibilities of each Data Controller,
  • Who deals with privacy notices,
  • Who deals with Subject Access Requests and other rights.

So, the Code continues to recommend a written agreement. Often called Data Sharing Agreements, these need not be complicated or overly‑lengthy.  They just need to ensure that they record the checklist of all matters to be addressed.  The new Code goes into some detail about the matters to be included in Data Sharing Agreements.

The enforcement section of the new Code makes it clear that in the event of any complaint the regulator (the ICO) will ask Data Controllers to explain their position on data compliance, and reminds Data Controllers that they may well be asked for details of their policies and procedures; their Data Protection Impact Assessment (DPIA) and other relevant documentation. If you are responsible for data compliance in your organisation you will have no excuse for not having up to date accountability documentation to hand!

The ICO places considerable emphasis on the use of DPIAs and this Code is no exception, prompting Data Controllers to use such impact assessments.  If you do not have a Data Sharing Agreement now might be a good time to put one in place.  If you do have a Data Sharing Agreement, now might be a good time to review this; particularly in light of recent developments emphasising good practice with regard to children and vulnerable data subjects.

And finally,…..3 additional things to remember about data sharing.

  • Don’t forget there are lots of instances of data sharing where exemptions apply under the legislation, for example, taxation or other regulatory requirements to data share.
  • Now might be a good time to use the Data Sharing Code of Practice as a trust-building tool. Organisations will want to signal their compliance with the statutory Code as part of their commitment to respect for customer or client data.
  • Don’t forget that data protection law applies to not‑for‑profit organisations.

For advice on this and other Data Protection matters contact

Holly Dobson at or on 07912 749455.



Sign up for our newsletter

Please fill in the form below to receive legal updates and seminar invitations from our expert solicitors – straight to your inbox.


By signing up, you agree to our terms and that you have read our privacy policy.