When do we need to put in place data sharing or data processing agreements?
25th October 2021
Here at Griffin House Consultancy, our mission is to help protect our clients from poor information governance and to educate them about data protection and compliance.
As you can imagine (and are no doubt aware), the data protection and information governance rules and regulations are many and complex, so we get asked a lot of questions!
Our new blog series is about answering as many of those frequently asked questions as we can. If you have a question of your own that you would like us to respond to in one of our future blogs, please email your question to [email protected]
This blog answers the question, “When do we need to put in place data sharing or data processing agreements?”.
We will explain what a data-sharing agreement is, whether your organisation needs one, what you should include in it, and when you should review it.
What is a data-sharing agreement?
A data-sharing agreement is a formal written agreement between two or more data Controllers. It sets out what data is being shared, why, how the information will be used and what happens to it at each stage, and it sets common standards so that every party is clear about its roles and responsibilities. Unlike a processor contract, a controller-to-controller sharing agreement is not in itself a legal requirement under the UK GDPR (the ICO's data sharing code of practice recommends it as good practice), although joint controllers must record their respective responsibilities in a written arrangement.
You may find that your organisation may use a different title than a data-sharing agreement; this could be an information-sharing agreement, data-sharing protocol, or a personal information-sharing agreement.
It is not necessarily important what your organisation calls it, but it is important and good practice to have a data-sharing agreement in place.
What is a data-processing agreement?
A data processing agreement covers similar ground, but it is a contract between a Controller and the data Processor that processes personal data on its behalf and only on its documented instructions.
If your organisation is subject to the GDPR, you must have a written contract (or another legally binding instrument) in place with every data processor you use; this is a legal requirement under Article 28 of the UK GDPR and EU GDPR, not merely good practice. In summary, whenever a controller uses a processor there must be a written agreement in place, and the same applies down the chain: a processor may only engage another organisation (a sub-processor) to help process the data with the controller's prior authorisation, and it must have a written contract with that sub-processor imposing the same data protection obligations.
A data processing agreement will usually contain a schedule detailing what personal data is being processed, the exact nature and purpose of the processing activity, what is expected of the Processor, limits on any further sharing or sub-processing, minimum security arrangements, and so on. Article 28(3) also prescribes terms that must appear: the processor acts only on documented instructions, keeps the data confidential, secures it appropriately, assists the controller with individuals' rights requests and with breach notification, deletes or returns the data at the end of the contract, and allows audits and inspections.
What should you include in a data sharing or processing agreement?
Within the agreement, you should address a range of questions so that nothing is missed; below are a few to consider:
- The purpose of the data sharing
In the agreement, you will need to explain why the information is being shared, the benefits, and how it will help you achieve the objectives.
- Which other organisations are involved
You must identify all the organisations or legal entities involved in the data sharing, and you must record the contact details for each of those Controllers or Processors.
- Whether information is being shared with another controller
If your organisation acts as a joint controller with another organisation, you must set out your respective responsibilities in writing, as this is a legal obligation (Article 26 of the GDPR), and the essence of that arrangement must be made available to the individuals concerned. A data flow map is a very easy way to support this, showing which party holds the data at each stage.
- What data is going to be shared?
You will need to specify the types and categories of data you will be sharing, in detail: for example, whether it is ordinary personal data or special category data, and which types of individuals it relates to, such as employees, students, website visitors, etc.
- The lawful basis for sharing
You and all the organisations involved will need to document a lawful basis for processing and sharing personal data. The organisations will each need to consider this, as the lawful basis may differ from one organisation to another.
- Special category data
This includes any information revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used to identify someone, health data, and data about a person's sex life or sexual orientation. Criminal offence data is not technically special category data (it is dealt with separately under Article 10 and the Data Protection Act 2018), but it requires the same level of care. Both kinds need an additional condition, over and above your lawful basis, before they can be shared, and the agreement should record which condition each party relies on.
- Data subject rights
In your data sharing or data processing agreements you should ensure that the processing respects the rights of individuals and that they can exercise those rights. This includes their right of access to their data, the right to object to the processing, and a mechanism for requesting that their data be rectified or erased. The agreement should also say who responds to a request and how the other parties will assist, so that the statutory time limit is met.
- International transfers
When you are transferring personal data to a third country that has no adequacy decision (the US is the most common example, since the EU-US Privacy Shield was invalidated by the Schrems II judgment in 2020), you need an Article 46 transfer mechanism. For most organisations this means embedding standard contractual clauses (SCCs) in the agreement: Commission-approved terms that make the key GDPR obligations enforceable against the importing organisation. Following Schrems II you must also carry out a transfer risk assessment and, where necessary, adopt supplementary measures; the SCCs alone do not settle the matter. At the time of writing the EU has issued new SCC templates (June 2021), but these have not been approved for transfers under the UK GDPR, and the UK is still waiting for the ICO to finalise its own wording for transfers from the UK – see consultation document.
- The small print
Agreements will vary and you need to ensure caveats are included to do with ownership of information, retention, who is responsible for reporting breaches, managing subject access requests, and compensation claims.
The agreement must make it clear that every controller and processor remains responsible for its own compliance. The controller cannot contract out of its accountability, and individuals can claim compensation from a processor as well as a controller where the processor has breached its own obligations or acted outside the controller's instructions, so the agreement should allocate liability (and any indemnity) between the parties so that a processor bears the cost of a breach caused by its own failure.
- Appendix or Annex
It is useful for your agreement to summarise the key legislation and other legal provisions, e.g., relevant sections of the Data Protection Act 2018. If Processors are required to gain consent on your behalf, then providing a model form or template wording for seeking the individual's consent is helpful. As stated previously, data flow maps or diagrams are very useful in showing how data will flow and who is responsible at each stage. You can download a template of the sharing agreement here.
When should I review my data sharing agreement?
Review your data sharing and data processing agreements regularly, and in particular whenever anything they describe changes: the parties, the purposes, the categories of data, the sub-processors used or the international transfer mechanism. If there is a complaint or a potential security breach, review the arrangement immediately and update the agreement to reflect any changes.
Please get in touch with the Griffin House Consultancy if you have any questions about Data Sharing Agreements and how to implement them within your organisation.