Consultation outcome

Civil Registration Data Sharing Code of Practice

Updated 1 March 2018

This was published under the 2016 to 2019 May Conservative government

1. About the Code of Practice

1) This Code explains how the discretionary powers contained in the Registration Service Act 1953 should be used by registration officials [footnote 1] when sharing registration information [footnote 2] with other registration officials and with specified public authorities for the purpose of public authorities fulfilling their functions. In addition, it provides registration officials with guidance on procedures that need to be followed when considering requests to use registration information. This includes details about the application process, decision-making process and governance procedures.

2) The Code should be read alongside the Information Commissioner’s data sharing code of practice [footnote 3] which provides guidance on how to ensure personal data is shared in a way that is lawful, proportionate and compatible with the Data Protection Act 1998 and other relevant legislation such as the Human Rights Act 1998. The Code should also be read in conjunction with procedural guidance that registration officials already follow when sharing information. This will ensure that responsibilities for sharing information are defined, controlled and managed at the right level.

3) The Code defines ‘data sharing’ in the same terms as the Information Commissioner’s data sharing code of practice, namely the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. The ICO Code states that data sharing can take different forms including:

  • a reciprocal exchange of data
  • one or more organisations providing data to a third party or parties
  • several organisations pooling information and making it available to each other

4) Before making disclosures under these data sharing powers, data sharing agreements will need to be put in place to outline the responsibilities of recipients of data and any necessary actions that need to be taken should any issues emerge. The Code provides details of actions that may be taken to address any issues associated with either unlawful data disclosures or other disclosures between registration officials and recipients of data.

5) Public authorities will need to satisfy themselves that they are complying with the Data Protection Act 1998. There are also instances where conditions form part of data sharing agreements including arrangements relating to how data is to be used by the recipient – see Part 6.

6) The Information Commissioner’s Office has been consulted in the preparation of the Code to ensure that it is consistent with the Information Commissioner’s data sharing code of practice.

1.1 The Code’s status

7) The Registrar General for England and Wales has prepared and published this Code under section 19AC of the Registration Service Act 1953 [footnote 4]. It is a statutory Code which has been approved by Parliament.

8) The Code relates to civil registration in England and Wales only, as civil registration is devolved in Scotland and Northern Ireland.

9) This Code does not impose additional legal obligations, nor is it an authoritative statement of the law. Registration officials must however have regard to the Code when sharing information with public authorities and will be expected to follow and comply with all of the procedures outlined in the Code.

1.2 Who should use the Code?

10) All registration officials with nominated responsibility for disclosing information under Section 19AA of the Registration Service Act 1953 must have regard to this Code.

1.3 Specific benefits in using the Code

11) The key benefits of using the Code include:

Compliance with current policies and guidance

The Code provides registration officials with assurance that they are following the most appropriate policies and guidance when sharing registration information. By complying with guidance, registration officials can be confident that they are sharing information in a way that is consistent, fair, proportionate and transparent.

Compliance with legislation

The Code provides guidance on procedures to be followed to help ensure that registration officials are complying with the law when sharing information. These include adherence to the Data Protection Act 1998 and the Human Rights Act 1998.

Security provisions

The Code outlines how information is held and controlled by registration officials. This includes details of the safeguards that are in place for protecting information and measures to prevent information being shared where there is no legal or justifiable basis for sharing information. In addition, it includes policies around data retention, and destruction, and provisions that ensure that data is not retained for longer than is necessary.

Competency and awareness

The Code highlights the importance of keeping up to date and appropriately trained in data management, and aware of the criteria that have to be followed when considering granting access to information.

2. Part 2: Principles governing the disclosure of information

12) Registration officials are required to apply the following principles relating to the disclosure of civil registration information. These are separate to the eight Data Protection Principles set out in Part 4 of this Code.

2.1 Principle 1: Disclosures must always be made in accordance with the requirements of the Data Protection Act 1998

Registration officials must also ensure they adhere to any relevant Codes of Practice that are issued by the Information Commissioner under the Data Protection Act 2018. These include the Data Sharing Code, Privacy Impact Assessment Code and Privacy Notice Code.

2.2 Principle 2: Disclosures may only be made for the purpose of a public authority or registration official fulfilling their function(s)

Information must only be disclosed in connection with meeting a function of the recipient. Where a data applicant is unable to clearly demonstrate that information is required to meet their function, information must not be disclosed.

2.3 Principle 3: Disclosures must not be made where there are statutory restrictions on sharing information

Information must not be disclosed where there are express statutory restrictions preventing disclosures of information – for example, disclosing particular information relating to adoptions and gender recognition.

2.4 Principle 4: Data must not be linked in any way to create identity datasets

Data sharing agreements should, subject to limited exceptions [footnote 5], ensure that public authorities must not use information in a way that creates any identity datasets – e.g. national identity datasets. Data sharing agreements must include details of retention policies that prevent the linking of records in any way that could create identity datasets.

2.5 Principle 5: Decisions to disclose information must always be made at the right level

Only nominated registration officials (e.g. local data protection officers) can make decisions to disclose information and in doing so must ensure that disclosures are proportionate in relation to carrying out the function for which the information is required. The Registrar General must provide written agreement prior to any large amounts of information being released.

3. Part 3: Understanding the civil registration powers

3.1 The gateway in the Registration Services Act 1953

13) Section 19AA of the Act provides authority for registration officials to disclose information:

  • held in connection with any of their functions

  • with:

1) A specified public authority (as defined by section 19AB of the Act)

2) Any other civil registration official

  • If they are satisfied that the public authority or civil registration official to whom it is disclosed requires the information to enable them to exercise one or more of their functions

14) A civil registration official is defined as:

  • the Registrar General
  • a superintendent registrar of births, deaths and marriages
  • a registrar of births, deaths or marriages
  • a registration authority, as defined by section 28 of Civil Partnership Act 2004

Restrictions on this type of disclosure

15) The provisions do not allow for disclosure where there are current express statutory restrictions on sharing information. Where there are restrictions on the sharing of particular information relating to adoptions [footnote 6], or gender recognition [footnote 7], for example, those will continue to apply and any personal data may only be disclosed subject to those restrictions. Nominated individuals or business areas with responsibility for sharing information must seek advice from policy and/or legal colleagues if they have any concerns about disclosing information where statutory restrictions might apply.

4. Part 4: Data sharing and the law

4.1 Data Protection Legislation

16) Disclosure under the Registration Service Act 1953 must also comply with the Data Protection Act 1998 and the Human Rights Act 1998.

17) This Code will help you to determine whether a particular disclosure is in line with this legislation and government policy on data sharing.

18) It will also assist in determining information that needs to be included in data sharing agreements.

4.2 The Data Protection Act 1998

19) The Data Protection Act 1998 requires that personal data [footnote 8] be processed fairly and lawfully and that data subjects are able to establish which organisations are sharing their personal data and what it is being used for. Some data sharing, however, does not involve personal data. The Data Protection Act 1998 therefore does not apply in these instances, although its principles will often still be relevant, but disclosure will still need to comply with the Human Rights Act 1998.

20) Registration officials will need to demonstrate that they are complying with the provisions contained in the Data Protection Act 1998 (and the General Data Protection Regulation when it comes into effect in the UK in May 2018), including adhering to Data Protection Principles.

4.3 Data Protection Principles

21) The Data Protection Act 1998 sets out eight basic principles which must be applied to the way personal data is collected, held and managed.

These are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

    • at least one of the conditions in Schedule 2 is met
    • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

22) For more detail on these 8 principles, please see the www.ico.org.uk or contact your local data protection adviser.

4.4 Human Rights Act 1998

23) Registration Officials must ensure that data sharing is compliant with the Human Rights Act 1998 and in doing so must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

24) Article 8 of the Convention, which gives everyone the right to respect for his or her private and family life, his or her home and his or her correspondence, is especially relevant to sharing personal information. Whilst sharing information relating to deceased individuals is not treated as personal data under the Data Protection Act 1998, consideration should be given to whether sharing information could impinge on the right to private life for the relatives of deceased individuals, in accordance with the Human Rights Act 1998.

25) The Information Commissioner’s guidance advises that if information is being shared in ways that comply with the Data Protection Act 1998, it is also considered likely that the sharing would comply with the Human Rights Act 1998. Nonetheless, nominated individuals or business areas with responsibility for sharing information must ensure that disclosures are compatible with Article 8 of the Convention and seek advice from legal advisers if they have any concerns.

5. Part 5: Deciding to share information under the powers

5.1 Who can share information?

26) It is important that all registration officials understand their roles and responsibilities in relation to information that they may access and share. Responsibility will differ in accordance with the role of the registration official. Decision-making responsibility for sharing information will be in accordance with GRO or local authority policies and guidance. Nominated individuals or business areas will have responsibility for deciding whether information can be shared – e.g. Proper Officers / Registration Service Managers / Superintendent Registrars, Registrar General or the GRO Fraud and Disclosure Unit [footnote 9]. This will ensure that consistent approaches are applied by both the GRO and Local Registration Service when considering requests to share information. Data sharing agreements should not be entered into without first consulting these individuals/business areas.

27) All registration officials must adhere to and keep up to date with internal procedural guidance issued by the Registrar General on sharing information. By doing so, they can be confident that they are following the correct procedures when sharing information. Before any information is released by a registration official, written agreement must be obtained from the nominated individual or business areas that have responsibility for sharing information. The written agreement will need to confirm that there is a legal power to share information and confirm exactly what information may be released.

28) Prior to sharing information, nominated individuals or business areas with responsibility for sharing information, must be satisfied that any disclosures will be compatible with Section 19AA of the Registration Service Act 1953.

29) The permissive gateway under the Registration Service Act 1953 allows registration officials to share information which they hold in connection with their functions with specified public authorities to assist them to fulfil their public functions. This is a discretionary power, with registration officials being able to determine whether or not it is appropriate to share information that has been requested. Examples of the types of information sharing include: enabling registration officials to share information more widely within the local authority, and across local authority boundaries, about the births of children and also any unregistered births. Other examples include providing ‘list cleaning’ services that would help other departments flag deceased accounts on their systems, therefore enabling them to appropriately carry out their functions whilst at the same time preventing correspondence being issued to the families of deceased individuals.

5.3 Does the disclosure need to be approved by the Registrar General?

30) In instances where any large amounts [footnote 10] of information are requested, you must notify the Registrar General and obtain written agreement for disclosing the information. The only exceptions are where the Registrar General has previously authorised disclosures of this type and has issued guidance permitting future disclosures. This safeguard will ensure consistency of information sharing across the civil registration service.

5.4 Criteria for sharing information

31) The main criterion for sharing registration information with specified recipients (as outlined in the primary legislative powers) is that the information to be shared is required in order to enable the recipient to fulfil one or more of their function(s).

32) In addition to satisfying the requirement, registration officials should also consider whether:

  • The release of information is compatible with the principles governing the disclosure of civil registration information contained at Part 2
  • In their role as data controller, registration officials (i.e. those with nominated responsibility for sharing information in accordance with GRO / Local Registration Service policy) consider it appropriate and justified to take part in the arrangements - for example if there are any perceived conflicts of interest with sharing information
  • They can meet the requirements of the Data Protection Act 1998 and the Human Rights Act 1998 when participating in the data sharing agreement
  • Registration officials have the resource and technical capacity to either release information or provide responses to data-matching requests – e.g. yes/no responses
  • The information that has been requested is adequate and not considered excessive for the purpose for which it has been requested. Only minimum information should be provided in line with the specific requirements of the recipient

33) Registration officials must also adhere to and keep up to date with any guidance issued by the Registrar General (and any local authority policy for the Local Registration Service) to ensure that consistent approaches are being applied when sharing information.

6. Part 6: Fairness and transparency

6.1 Lawful processing

34) Whilst registration officials have discretion to share any information they hold in connection with their own functions under section 19AA of the Registration Service Act 1953, exercise of that discretion is subject to important limitations. The disclosure of information under section 19AA of the Registration Service Act 1953 may only be made for the purpose of enabling the recipient to exercise one or more of their functions. Also, in order for disclosure to be lawful, the information must not be subject to another express legislative restriction on disclosure and the disclosure must be in accordance with the Data Protection Act 1998 and Human Rights Act 1998.

6.2 Fair processing

35) The first data protection principle requires that organisations must be able to satisfy one or more “conditions for processing” when processing personal data. The conditions for processing are set out in Schedules 2 and 3 of the Data Protection Act [footnote 11]. Many (but not all) of these conditions relate to the purpose(s) for which information is intended to be used. Organisations processing information must meet one or more of the conditions in Schedule 2 or, in the case of sensitive personal data, a condition from both Schedule 2 and Schedule 3. Sensitive personal data includes information about an individual’s sexual orientation (in the context of civil registration information, the existence of an opposite-sex marriage record versus a civil partnership or same sex marriage record will by definition disclose this) and therefore have to meet a condition in both Schedule 2 and 3. For a full list of sensitive personal data see section 2 of the Data Protection Act 1998.

36) This will not, on its own, guarantee that the processing is fair and lawful – fairness and lawfulness must still be looked at separately. The Data Protection Act 1998 does not define fair processing but provides guidance on the interpretation of this principle in Part II of Schedule 1 to the Act. However, to assess whether or not personal data is processed fairly, registration officials must consider more generally how it affects the interests of the people concerned – as a group and individually.

37) Registration officials and public authorities are required to have fair and transparent processes in place for disclosing and receiving information – e.g. by actively communicating how information is being used (by which bodies) via the use of a privacy notice that is provided either directly to individuals or otherwise made available to individuals.

38) Privacy notices describe all the privacy information you make available or provide to individuals about what you do with their personal information. Privacy notices must be published and made available to the public in line with fairness and transparency principles as set out in the Information Commissioner’s privacy notices, transparency and control code of practice [footnote 12] - which provides guidance on the content of these notices and where and when to make them publicly available.

39) Registration officials must also satisfy themselves that the public authorities’ processes are satisfactory for the types of information which is being disclosed before any information is shared, and should discuss with the recipients what their arrangements will be. In considering whether to share information, registration officials must also consider what conditions need to be imposed on the future use, onward disclosure and retention of information by way of data sharing agreements. Any conditions will need to be clearly specified prior to sharing information.

40) Public authorities receiving registration information – e.g. for the purpose of providing services such as digital services will be expected to ensure that the individuals concerned are aware of how their information is being used.

41) In some instances, it may be impracticable to inform individuals that their information has been shared, for example, if birth data is shared across local authority boundaries for the purpose of school planning. However, registration officials and public authorities will need to comply with requirements of the Data Protection Act 1998 to ensure that information has been shared fairly and lawfully. It will also be necessary to complete standardised records of information shared for audit purposes, detailing the circumstances, what information was shared and an explanation as to why the disclosure took place.

42) The Information Commissioner’s Office has produced good practice guidance on fair processing, including guidance on producing privacy notices, to ensure that individuals are aware of which organisations are sharing their personal data, including what it is being used for.

6.3 Data protection exemptions

43) The Data Protection Act 1998 includes a number of exemptions which permit disclosure of data notwithstanding the fact that to do so would be incompatible with some of the safeguards provided by that Act. Registration Officials should consider the exemptions set out in Part IV of and Schedule 7 to the Data Protection Act 1998 and should contact nominated GRO or local authority individuals with responsibility for information sharing for advice if it appears that an exemption may apply and disclosure could not be made unless it is relied upon.

6.4 Data Sharing Agreements

44) The ICO’s Data Sharing Code of Practice states that it is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large-scale, or on a regular basis. Registration officials must follow procedural guidance in developing data sharing agreements [footnote 13] required when disclosing information under these powers.

45) Prior to entering into data sharing agreements with a public authority, registration officials will need to agree with the public authority that they will take appropriate organisational, security and technical measures to:

  • Prevent, subject to limited exceptions, [footnote 14] civil registration information being linked, either itself or with other government information, in order to create any identity datasets or databases
  • ensure information will be retained securely and deleted once it has been used for the purpose for which it was provided
  • prevent accidental loss, destruction or damage of information
  • ensure only people with a genuine business need have access to the information

46) Public authorities will need to satisfy themselves that they are complying with the Data Protection Act 1998 and should be advised to seek their own legal advice regarding data sharing following any agreements to access registration information.

47)The data sharing agreements will be expected to include details of:

  • The purpose of the data sharing arrangement
  • The respective roles, responsibilities and liabilities of each party involved in the data share
  • The legal basis for exchanging information
  • The accuracy of the information – ensuring that the recipient is aware that registration information is only as accurate as at the time it is captured and will be treated as such
  • Precise details of what exact information is required to enable them to perform the function for which it is requested
  • Restrictions on sharing certain categories of information – i.e. adoptions and gender recognition information
  • Restrictions on any onward disclosure of information
  • Information handling responsibilities, including details of any data processors or subcontractors
  • Conditions for data processing, including whether data subjects are aware of how their information is being shared
  • Process and methods of exchange
  • Standards and levels of expected operational service
  • Reporting arrangements, including any reporting in the event of any data loss and handling arrangements
  • Termination arrangements
  • Issues, disputes and resolution procedures
  • Information on data security, data retention and data deletion
  • Review periods
  • Individuals’ rights – procedures for dealing with access requests, queries and complaints
  • Any costs associated with sharing information
  • Sanctions for failure to comply with the agreement or breaches by individual staff

48) Data sharing agreements should contain details of sanctions that will apply to recipients of information who are found to be processing information unlawfully or inappropriately. These sanctions will include, but are not limited to:

(a) Public authorities ceasing to receive information from registration officials. Regulations may be made to amend the list of bodies able to obtain information under the power

(b) Registration officials reporting the recipient and incident to the Information Commissioner’s Office who will decide whether penalties are applicable

(c) Registration officials determining whether any misuse of public office offences have been committed, and if so, to take any necessary action where this has occurred

(d) Public authorities found to be in breach of any data sharing agreements needing to formally re-apply for accessing information again in the future

(e) Public authorities that have previously breached a data sharing agreement only being granted access to information again if registration officials are satisfied that any security or other issues have been resolved to reduce the risk of any further issues occurring in the future

49) Both the General Register Office and Local Registration Service will be required to maintain up-to-date lists of their individual data sharing agreements for audit purposes. Furthermore, under the General Data Protection Regulation (GDPR), public authorities will be required to keep records of their data sharing agreements.

6.5 Register of information sharing activity

50) Information about all data sharing agreements under these powers must be submitted to the Government Digital Service (GDS) in the Cabinet Office who will maintain a searchable register available to the general public. The registerwill allow Government and the ICO to understand what data sharing is taking place under the provisions, to assess the value of the provisions as well as run audits where appropriate and to check compliance with legislation and this Code and other security and data processing guidelines.

51) Responsibility for submitting any information required by GDS for the purpose of populating or maintaining the register rests with registration officials.

6.6 Privacy Impact Assessments

52) Privacy Impact Assessments are a useful tool which can help registration officials identify the most effective way to comply with their data protection obligations and meet individual expectations’ of privacy. The Information Commissioner’s Conducting Privacy Impact Assessments code of practice provides information on a range of issues in respect of these assessments.

53) Registration officials entering into data sharing arrangements under these data sharing powers must follow the Information Commissioner’s Conducting Privacy Impact Assessments code of practice which provides guidance on how and when to conduct a privacy impact assessment. The code also includes screening questions to determine when privacy impact assessments are required and guidance on publishing privacy impact assessment reports. Registration officials will need to ensure that any sensitive information is redacted from any published reports and must also keep a record of redactions in each case and the reasons for making them.

7. Part 7: governance

7.1 Application process

54) A formal application process and audit trail of decisions will need to be in place to ensure that informed decisions on data sharing can be made by registration officials at the right level in the organisation. Whilst the process to be followed may differ in accordance with whether the applicant is applying to the General Register Office or the Local Registration Service, each application process should be consistent.

55) Questions that should form part of the application process include:

  • What information is being requested?
  • For what specific purpose and public function is the information being requested?
  • How does the information exchange enable the recipient to perform their functions?
  • Are there any restrictions on what information can be disclosed?
  • What exact data items are required – e.g. names, dates of birth, gender?
  • Has the recipient of the information any legal obligations to provide personal data they hold to any other bodies?
  • How regularly and in what volume is it proposed to share the information?
  • High-level details of security provisions that are in place/will be put in place to safeguard information exchange, handling and retention?
  • Does the proposal suggest transferring information outside the UK/EEA or storage of information on servers outside the UK or in the cloud? If so, what security measures are taken to ensure data security?
  • Is there a time limit suggested for using the information and if so how will the information be deleted?
  • Is funding available to pay for costs incurred with the data share?
  • Will the data subjects be aware that their information is being shared – e.g. via a privacy notice?
  • Has a Privacy Impact Assessment been conducted/findings of a Privacy Impact Assessment?
  • Are there any other benefits (including financial) of the data sharing for the receiving party or any other public body?
  • Implications of not sharing information – e.g.

    a) Public finances or commercial projects are at risk

    b) The government is in direct contravention of the law

    c) The government’s reputation is at risk

    d) The government’s ability to deliver services is at risk

    e) The government is not able to fulfil its functions

    f) Impacts on citizens

56) In completing applications, the following key issues need to be satisfied and understood:

  • All parties must be clear on the tangible benefits (including financial) that are expected from the information sharing, who will receive them and how they will be measured
  • The purpose of the information sharing needs to fall within the purposes outlined in legislation – i.e. providing information to a public authority for the purpose of enabling it to fulfil one or more of their functions
  • Only minimum information should be provided to meet a specific function.
  • Information sharing must be physically and/or technically possible and be compliant with the Data Protection Act 1998, Human Rights Act 1998
  • Strict compliance with security provisions to safeguard against any misuse or loss of information, including having secure methods in place for transferring information

7.2 Data standards and data accuracy

57) The General Register Office and Local Registration Service hold data in a number of different formats. When considering sharing information it is essential that every effort is made to ensure that information is not altered or changed in any way at the point of transfer or once transferred. This will help ensure that individuals are not adversely impacted as a result of the data sharing – e.g. preventing them accessing a service where there are issues with data held by a recipient.

58) It is also important that checks are made on the accuracy of information prior to transferring information. In instances where issues arise following the transfer of information, procedures need to be in place to allow for inaccurate information to be corrected by all bodies holding the information. Registration officials will need to be aware of the correct procedures to follow to amend inaccurate information held on their own systems, including alerting data protection officers and other identified teams to ensure data is corrected where held on other systems.

7.3 Compliance

59) The Registrar General will work with the National Panel for Registration when producing any associated guidance and on any measures to ensure compliance with this Code of Practice, for which he/she has responsibility.

60) Where it becomes evident that regard is not being given to the Code, the Registrar General will work with the National Panel for Registration on any necessary measures to ensure compliance, including the use of sanctions. In instances where data protection issues are identified, the Information Commissioner’s Office will be notified at the earliest opportunity.

61) Any general questions with regard to compliance should be taken up with the GRO in the first instance.

62) The Registrar General has responsibility to review the Code on an annual basis. The National Panel for Registration will be consulted when reviewing the Code to ensure any amendments support the delivery of the Local Registration Service and their own data sharing arrangements in line with the Code.

(a) The Registrar General (b) A Superintendent Registrar of births, deaths and marriages (c) A Registrar of births, deaths and marriages (d) A registration authority, as defined by section 28 of Civil Partnership Act 2004

(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

  1. A “registration official” is any of the following: 

  2. Registration information means any information held by a registration official in the exercise of his or her registration functions – e.g. information held relating to births, adoptions, stillbirths, marriages, civil partnerships, gender and deaths. 

  3. www.ico.org.uk 

  4. The Digital Economy Act 2017 inserts new sections 19AA, 19AB and 19AC, concerning the disclosure of information by civil registration officials, into the Registration Service Act 1953. 

  5. A limited exception would be for example where a dataset is held, for national security purposes, further to a warrant approved by a Judicial Commissioner under Part 7 of the Investigatory Powers Act 2016. 

  6. See section 79(3) and 81(3) Adoption and Children Act 2002. 

  7. See section 22 Gender Recognition Act 2004. 

  8. The Data Protection Act 1998 describes “personal data” as data which relates to a living individual who can be identified - 

  9. The Local Registration Service will nominate individuals with responsibility for sharing information at a local level. The GRO will be responsible for nominating individuals with responsibility for sharing GRO information. 

  10. For the purposes of this code, large amounts of information is defined as over 1,000 records either singly or cumulatively over a 12 month period. 

  11. www.ico.org.uk 

  12. www.ico.org.uk 

  13. Data Sharing Agreements may also be known by other names such as Memorandums of Understanding. 

  14. A limited exception would be for example where a dataset is held, for national security purposes, further to a warrant approved by a Judicial Commissioner under Part 7 of the Investigatory Powers Act 2016.