753.This section inserts new sections 52A to 52E into the 1998 Act. New section 52A places the Information Commissioner under a duty to publish and keep under review a data-sharing code of practice.
754.New section 52A(1) and (2) provide that the code will contain practical guidance and any other guidance that promotes good practice in the sharing of personal data. Good practice is defined as practice that appears to the Information Commissioner to be desirable including, but not limited to, compliance with the requirements of the 1998 Act. When deciding what constitutes good practice, the Information Commissioner must have regard to the interests of data subjects and others.
755.New section 52A(3) requires that in preparing the code the Information Commissioner must consult, as he or she considers appropriate, with trade associations, data subjects and persons who represent the interests of data subjects.
756.New section 52A(4) defines sharing of personal data as the disclosure of the data by transmission, dissemination or otherwise making it available. For example the sending of files, the granting of access to a database and the publication of information all amount to “sharing” under this definition.
757.New section 52B(1) requires that once the Information Commissioner has prepared the code it must be submitted to the Secretary of State for approval.
758.New section 52B(2) provide that approval may be withheld only if the Secretary of State is of the opinion that the code is incompatible with any community obligations (such as EC Directive 95/46/EC on the protections of individuals with regard to the processing of personal data and on the free movement of such data) or any international obligations of the UK (such as the Convention for the protection of individuals with regard to automatic processing of personal data: Convention 108 of the Council of Europe).
759.If approval is withheld, new section 52B(3) requires the Secretary of State to publish the reasons for this. If approval is granted, the Secretary of State must lay the code before Parliament.
760.New section 52B(4) to (11) makes provision relating to the issuing of the code. In particular, either House of Parliament has 40 days (excluding any period during which Parliament is not sitting for more than four days) in which to pass a resolution refusing to approve the code. If such a resolution is passed, or if the Secretary of State withholds approval, then the Information Commissioner is obliged to prepare another code of practice for approval. Where approval is granted and no resolution is passed, the Information Commissioner must issue the code. The code then comes into force 21 days later.
761.New section 52C(1) requires the Information Commissioner to keep the code under review and empowers him or her to prepare an alteration or replacement to the code. New Section 52C(2) obliges the Information Commissioner to alter or replace the code if he or she becomes aware that application of the code could give rise to a claim that the UK was in any way in breach of its European Community or other International obligations.
762.New section 52C(3) requires the Commissioner in preparing an alteration or replacement code to consult, as he or she considers appropriate, with trade associations, data subjects and such persons who represent the interests of data subjects. New section 52C(4) provides that section 52B (with the exception of subsection (6)) applies equally to a replacement code or an alteration to the code.
763.New section 52D makes provision for the code, any replacement code and any alteration, to be published by the Information Commissioner.
764.New section 52E provides that although the code cannot of itself give rise to legal proceedings, a person’s breach or compliance with the code is to be taken into account by the courts, the Information Tribunal, and the Commissioner, whenever it is relevant to a question arising in legal proceedings or in connection with the exercise of the Commissioner’s functions. So, for example, the Information Commissioner is entitled to consider levels of compliance with the data-sharing code of practice when evaluating whether to instigate enforcement action in relation to an instance of data-sharing. Equally a court would be entitled to have regard to levels of compliance with the code where it was attempting to resolve an issue relating to whether or not a particular person had fulfilled their legal obligations by complying with good practice.