Data Ethics Framework: legislation and codes of practice for use of data
Updated 16 September 2020
You must be aware of legislation and codes of practice that apply to your use of data. This includes knowing about:
- legislation that applies to your proposed data use
- how to produce statistics
- data protection by design
- data minimisation
- information governance
Other important pieces of central government guidance that are helpful for using data and designing projects in the public sector include:
- The Civil Service code
- HM Treasury Aqua Book: guidance on producing quality analysis for government
- HM Treasury Magenta Book: guidance for evaluation
What the law says
Here are some important pieces of legislation that typically apply to using data. If you are unsure how relevant laws might affect your work, speak to a legal adviser within your organisation.
Personal data
If you are using personal data, you must comply with the principles of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018), which implements aspects of the GDPR and transposes the Law Enforcement Directive into UK law. The DPA 2018 also provides separate processing regimes for activities that fall outside the scope of EU law.
Personal data is defined in Section 3(2) DPA 2018 (a wider explanation is detailed in Article 4 of the GDPR).
Equality and discrimination
Analysis or automated decision making must not result in outcomes that lead to discrimination as defined in the Equality Act 2010.
Sharing and re-use of data
When accessing or sharing personal data, you must follow the Information Commissioner’s Code of Practice for Data Sharing which should be read alongside the ICO’s guide to GDPR. This code of practice is due to be updated to align with the new Data Protection Act 2018.
When accessing and sharing data under powers in Part 5 of the Digital Economy Act 2017, you must follow the relevant codes of practice.
When re-using published and unpublished information relating to public tasks, you must follow the Re-use of Public Sector Information Regulations 2015.
Copyright and intellectual property
Copyright and intellectual property are often governed by combinations of statutes.
When using data, respect copyright laws and database rights, covered in part by the Copyright and Rights in Databases Regulations 1997.
When procuring software, consider potential intellectual property constraints covered in the Intellectual Property Act 2014.
Freedom of information
Your use of data may be subject to the Freedom of Information Act 2000. You should also consider the wider publishing of datasets released following a Freedom of Information request, in accordance with the Protection of Freedoms Act 2012.
Sector-specific legislation
Specific sectors like finance and health have further data use legislation and frameworks, including those relating to the use of non-personal data. Health research has its own UK Policy Framework for Health and Social Care Research drafted by the NHS Health Research Authority (HRA). The NHS HRA also provides specific guidance for health researchers on the new data protection principles being introduced by the General Data Protection Regulation.
Statistics
When using or producing statistics, you must follow the Code of Practice for Statistics.
The National Statistician’s Data Ethics Advisory Committee (NSDEC) provides independent and transparent ethical assurance that the access, use and sharing of public data for research and statistical purposes is ethical and for the public good. The UK Statistics Authority can work with statisticians and researchers to identify potential ethical issues in their research and guide them through the NSDEC application process.
Information governance
Organisations have a responsibility to keep both personal data and non-personal data secure.
How personal data should be collected, stored, shared, processed and deleted is covered by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).
Government departments, services and public bodies set out how they use, store and share personal data - including how data subjects can exercise their rights - in their personal information charters or service privacy notices. Personal information charters contain guidance on how people can access their data, as prescribed in Articles 13 and 14 of the GDPR. See:
- an example of a personal information charter from the Department for Work and Pensions
- an example of a service privacy notice from the Verify service
The Security Policy Framework requires that risk assessments are carried out to ‘identify potential threats, vulnerabilities and appropriate controls to reduce the risks to people, information and infrastructure to an acceptable level’.
Information assurance (IA) helps do this by:
- assessing the information risks
- helping to define the appropriate measures required to reduce those risks to levels acceptable to your organisation’s risk appetite
- ensuring that contracts provide the required measures
You should engage as early as possible with your IA specialists so they can provide effective support through all stages of your work.
In many organisations, information risk is overseen by a Senior Information Risk Owner (SIRO). Usually your organisation will have a risk appetite statement that sets out how information risk is managed. You should consult your information assurance team when you need to delete data.