ICO Code of Practice

The Information Commissioner's Office (ICO) Data Sharing Code of Practice provides a summary of the actions and reference material relevant to an organisation or team when designing, building, or substantially changing a digital service which processes personal information.

It includes:

• principles
• templates
• recommended documentation 

The Information Commissioner’s Office is the UK regulatory office for the Data Protection Act 2018 and General Data Protection Regulation.

The code of practice is intended for project and digital teams during the design and development of new services.

This will form one part of the organisation’s wider obligations under UK law. Any service owner or project team will need to engage with their organisation’s data protection processes.

In Wales

Where establishing data sharing agreements with other Welsh organisations, teams should be aware of the Welsh Accord on Sharing of Personal Information (WASPI).

The accord helps participating organisations effectively share personal information, and specifically assists in the completion of the ICO Data Sharing Code of Practice.

Our recommendation

Public bodies in Wales must put in place appropriate technical and organisational measures to implement data protection principles effectively and safeguard individual rights.

User’s personal and sensitive information rights are protected by UK law, with compliance monitored by the ICO. Using these resources will minimise the risk of improper handling of data and ensure that digital services are developed to comply with the UK GDPR.

Digital services will create, consume, or process personal data. Applying these principles ensures that users are treated fairly, and processes are transparent.

CDPS won’t be monitoring your compliance but point 11 of the Digital Service Standard for Wales sets the expectation that services must protect sensitive information and keep data secure.