What is the purpose of the Data Sharing Initiative? Your agreement should specify who the controllers are at each step, even after sharing. This partnership raises questions such as: “In the event of a personal data breach, who is responsible?” Regardless of the terminology, it is recommended to reach an agreement on data sharing. If you are acting with another controller as a joint controller of personal data, there is a legal obligation to set out your responsibilities in a joint control agreement under the UK GDPR / Part 2 of the 2018 DPA and Part 3 of the 2018 DPA. While the Code primarily focuses on sharing data between separate controllers, the provisions of a data sharing agreement can help you enter into a joint control agreement. Article 28(4) provides that the same data protection obligations apply even if a processor engages another processor to carry out certain processing activities on behalf of the controller. In the event of a breach, the article specifies that “if that other processor fails to comply with its data protection obligations, the original processor is fully liable to the controller for the performance of the obligations of that other processor”. Ideally, these additional concerns should be taken into account in the data-sharing agreement in order to facilitate clear communication and, if necessary, put in place additional safeguards: it is probably useful for your agreement to include an appendix or annex, including: You need to establish procedures for the respect of human rights. This includes the right of access to information as well as the right to object and demand correction and deletion. You must make it clear in the agreement that all managers remain responsible for compliance, even if you have processes that determine who should perform certain tasks. Controllers must carry out a risk assessment of the provider to ensure that the provider has the means and willingness to comply with data protection standards.
The results of the assessment must be documented before the start of the business engagement and before the sharing of personal data. However, it is not a data exchange agreement per se: creating and updating data processing contracts is a complex and time-consuming task with many risks. An error or omission could mean the difference between complying with the GDPR and a hefty fine. There is no defined format for a data sharing agreement. It can take many forms, depending on the scope and complexity of data sharing. Since a data sharing agreement is a set of common rules that bind all organizations involved, you should write it in clear, concise, and easy-to-understand language. Similarly, controllers must perform frequent audits to confirm trust in the supplier. These results are also documented with the risk assessment reports to confirm that a controller has fulfilled a duty of care to protect the confidentiality of personal data. The SCO has until 1 December 2021 to report on its recommendations on best practices in the areas of data exchange and protection, data exchange contracts and compliance with data protection guidelines. The GDPR applies to both the controller (a body that determines the purposes and means of processing personal data) and the processor (the body that processes personal data on behalf of a controller). The controller is usually the organization that collects personal data and tracks its use for commercial purposes. “Processor” is a term used to refer to the supplier to which part of the business is outsourced by the controller.
During the outsourcing process, the processor also has access to the personal data. For public authorities, the agreement should also cover the need to include certain types of information in your freedom of publication system. Data exchange agreements define the purpose of the data exchange, cover what happens to the data at each stage, set standards and help all parties involved in the exchange to be clear about their roles and responsibilities. In this blog, we'll help you understand why data exchange agreements are essential and how to create an agreement that's right for your business needs. Many local governments have already had to sign data-sharing agreements with the Court of Auditors as part of their recent audit. The new laws on data exchange agreements do not specify what must be included in the agreements, but only that they must comply with the guidelines on data sharing established by the SCO. Local governments should work with their legal counsel to determine what should be included in data exchange agreements based on their particular circumstances. Your agreement should also address the main practical issues that may arise when sharing personal data. This should ensure that all organizations involved in sharing: MRSC is a private non-profit organization that serves local governments in Washington State. Eligible Washington State government agencies can use our free MRSC service to get answers to legal, political, or financial questions. Here is a list of the elements that are typically included in a data sharing agreement.
While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. You must identify all organizations involved in data sharing and provide contact information for the appropriate employee in each of those organizations. All organizations must document a legal basis for the processing and disclosure of personal data. This is something that each organization must take into account in the agreement, as the legal basis of one may differ from the other. Local governments should review the entire checklist for a full discussion of all categories of data. WaTech recommends that if a local government employee or elected official is unsure of the category level for certain data, they should consult with the employee responsible for managing the agency's public records. Data exchange also promotes accountability and transparency and allows researchers to validate each other's results. Finally, data from multiple sources can often be combined to allow comparisons between national and departmental boundaries. Organizations that act as joint data controllers with another organization must define their responsibilities in writing.
However, for organisations in the UK, the Information Commissioner's Office (ICO) has confirmed that it will take into account all relevant agreements when considering a complaint about that organisation's data exchange. To answer these and other relevant questions, the GDPR highlights the need to create data exchange agreements. Providers may not outsource personal data without the consent of the controller. Agreements need to be re-evaluated and reformulated to include downstream processors if such a need arises. You must also indicate the legal authority under which you may disclose the data. A public health official contacted the network to ask if the network could provide it with model data use agreements for use by local health authorities. Examples of data exchange agreements used by health authorities include: Network lawyers are available to answer questions on this and other public health issues free of charge, and can help you use the law to advance your public health initiatives. Contact a network lawyer in your area for more information. The legal information and support contained in this document does not constitute legal advice or representation. For legal advice, readers should consult a lawyer in their state. A data sharing agreement is a formal contract between two or more parties that clearly documents what data is being shared and how the data may be used.