The ICO exists to empower you through information.

Contracts and data sharing

Share Download options

Pages

Format

Control measure: There are policies and procedures in place to make sure that data sharing decisions are appropriately managed.

Risk: If the process to assess the risks and benefits of sharing is not consistent, this may result in a personal data breach. If you cannot demonstrate why sharing is justified, this may breach article 5(1)&(2), and 35 of the UK GDPR.

If sharing decisions are not documented and subject to approval, personal information could be shared inappropriately. This may breach article 5(1) or 5(2) of the UK GDPR.

Ways to meet our expectations:

  • Implement a review process, through a DPIA or a similar exercise, to assess the legality, benefits and risks of the data sharing.
  • Document all sharing decisions for audit, monitoring and investigation purposes and regularly review them.
  • Have clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
  • Train all staff likely to make decisions about data sharing, and make them aware of their responsibilities. Refresh this training appropriately.

Options to consider:

  • Involve relevant internal and external stakeholders in risk assessments for proposed data sharing activities. 
  • Keep DPIAs under review and make appropriate interventions where data sharing decisions have changed.
  • Include data sharing arrangements within business continuity plans. 
  • Undertake a training needs analysis (TNA) to formally identify roles requiring specialised data sharing training.
  • Ensure the DPO has input and oversight into data protection training content.
  • Run regular staff awareness exercises to promote the procedures to follow when making sharing decisions.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of their responsibilities and how to carry them out effectively? 
  • Would staff say they have a clear process to follow?
  • Is your organisation meeting their training needs?

 

Control measure: There are data sharing agreements in place with parties with whom personal information is routinely shared. The agreements are reviewed regularly.

Risk: Where routine sharing takes place, there is increased risk of unlawful sharing if not all parties are aware and have agreed the scope and rules of the arrangement. This may result in a breach of the UK GDPR and ICO data sharing code.

Ways to meet our expectations:

  • Agree data sharing agreements with all the relevant parties and ensure senior management sign them off.
  • Ensure the data sharing agreement includes details about:
    • the parties' roles;
    • the purpose of the data sharing;
    • what is going to happen to the information at each stage; and
    • the standards set (with a high privacy default for children).
  • Where necessary, implement procedures and guidance covering each organisation’s day-to-day operations to support the agreements.
  • If your organisation is acting as a joint controller (within the meaning of Article 26 of the UK GDPR), set out responsibilities under an arrangement or a data sharing agreement and provide appropriate privacy information to people.
  • Have a regular review process to make sure that the information remains accurate and up to date, and to examine how the agreement is working.
  • Keep a central log of the current sharing agreements.

Options to consider:

  • If there is sharing across multiple organisations, have:
    • an overarching high-level agreement; and
    • more detailed agreements for data sharing between individual organisations at a one-to-one level.
  • Have a data sharing agreement template which contains all the required clauses to ensure that the requirements of the law and the data sharing code are met.
  • Introduce a data sharing request form.

Have you considered the effectiveness of your accountability measures?

  • Are staff with sharing responsibilities aware of the process?
  • Is there contingency built into the process if something goes wrong or if people aren’t available to perform their role?
  • Would staff say the decision-making is maintained or appropriately delegated?

 

Control measure: There are procedures in place to make sure that restricted transfers are made appropriately.

Risk: Without procedures in place to outline the requirements for transfers of information there may be a breach of article 44 of the UK GDPR.

Ways to meet our expectations:

  • Consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).
  • If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, consider whether it is covered by an exemption set out in Article 49 of the UK GDPR.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the process and their responsibilities?
  • Are you meeting their training needs?
  • Do staff adhere to the policies and procedures?

 

Control measure: There are appropriate procedures in place regarding the work that processors do on behalf of the organisation.

Risk: Without written contracts in place covering required terms under data protection law, there will be a breach of UK GDPR requirements. This may also lead to delays in complying with information rights requests.

Ways to meet our expectations:

  • Ensure there are written contracts with all processors.
  • If using a processor, assess the risk to people and make sure that these risks are mitigated effectively.
  • Ensure an appropriate level of management approves the contracts and both parties sign. The level of management required for approval should be proportionate to the value and risk of the contract.
  • Ensure each contract (or other legal act) sets out details of the processing, including the:
    • subject matter of the processing;
    • duration of the processing;
    • nature and purpose of the processing;
    • type of personal information involved;
    • categories of people; and
    • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
  • Keep a record or log of all current processor contracts, and update it when processors change.
  • Review contracts periodically to make sure they remain up to date.
  • If a processor uses a sub-processor to help with the processing it is doing on your behalf, ensure they have written authorisation from your organisation and a written contract with that sub-processor.

Options to consider: 

  • Maintain all contracts in a central log or system so that staff can readily monitor and review them.
  • Revisit any contracts put in place before the current data protection regime to check they include the relevant details, terms, clauses now required. Put in place an appropriate approval process for contracts. 

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the need for a written contract when using a processor?
  • How do they make sure the contracts are kept up to date?
  • Are the risks of using a processor mitigated effectively?
  • Do you have an appropriate approval process for contracts?
  • Is it easy for staff to find existing contracts where appropriate?

 

Control measure: All controller-processor contracts cover the terms and clauses necessary to comply with data protection law.

Risk: Without written contracts in place covering required terms under data protection law, there will be a breach of UK GDPR requirements. This may also lead to delays in complying with information rights requests.

Ways to meet our expectations:

  • Ensure the contract or other legal act includes terms or clauses stating that the processor must:
    • only act on the controller’s documented instructions, unless required by law to act without such instructions;
    • ensure that people processing the information are subject to a duty of confidence;
    • help the controller respond to requests from people to exercise their rights; and
    • submit to audits and inspections.
  • Ensure contracts include the technical and organisational security measures that the processor must adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal information in order to be able to reinstate the system).
  • Ensure the contract includes clauses to make sure that the processor either deletes or returns all personal information to the controller at the end of the contract. The processor must also delete existing personal information unless the law requires its storage.
  • Ensure the contract includes clauses to make sure that the processor assists the controller in meeting its UK GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs. 

Options to consider:

  • Include clauses in the contract that require that regular testing takes place to ensure availability and access to personal information in the event of a physical or technical incident.
  • Conduct regular compliance checks to test that processors are complying with contractual agreements.

Have you considered the effectiveness of your accountability measures?

  • Was the International Organisation for Standardization (ISO) consulted on the appropriateness of security measures detailed within contracts?

 

Control measure: Due diligence checks are carried out to guarantee that processors will implement appropriate technical and organisational measures to meet UK GDPR requirements.

Risk: If contracts are entered into without due diligence by the controller there is a risk that the appropriate technical and organisational measures will not be in place. 

Ways to meet our expectations:

  • Build in due diligence checks into the procurement process that are proportionate to the risk of the processing before you agree a contract with a processor.
  • Ensure the due diligence process includes data security checks, eg site visits, system testing and audit requests.
  • Ensure the due diligence process includes checks to confirm a potential processor will protect people’s rights.

Options to consider:

  • Confirm that the processor’s staff have received regular data protection and information security training and guidance within the due diligence process. 

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of what they need to do?
  • Is there a clear and effective process?
  • Are due diligence checks proportionate to the risks?

 

Control measure: There is a review of data processors’ compliance with their contracts.

Risk: If guarantees are not sought or compliance activities are not carried out, there is no assurance that processors have implemented the appropriate measures or are abiding by the terms of the contract, or both. This may breach articles 28, 32, and 5(2) of the UK GDPR. 

Ways to meet our expectations:

  • Ensure contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.
  • Carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.

Options to consider:

  • Include clauses in the contract that require that regular testing takes place to ensure availability and access to personal information in the event of a physical or technical incident.

Have you considered the effectiveness of your accountability measures?

  • Is there any follow-up where you identify non-compliance to contract terms or a Service Level Agreement?
  • Are the checks proportionate to the risks?

 

Control measure: There is evidence that ‘data protection by design’ is considered when selecting services and products to use in data processing activities.

Risk: Without this approach, there may be a risk of ignoring the privacy rights of people and accepting the trade-off of functionality over privacy. This may breach article 25 of the UK GDPR.

Ways to meet our expectations:

  • When third parties supply products or services to process personal information, choose suppliers that design their products or services with data protection in mind.

Options to consider: 

  • Include a review of system design documents and DPIAs as part of the due diligence process before procuring new products or services, to make sure data protection was considered as part of the design process.

Have you considered the effectiveness of your accountability measures?

  • Do staff consider suppliers’ approach to data protection when using third-party products or services to process personal information?
  • Is there a clear way for them to do this?

 

Control measure: There are proactive steps taken to only share necessary personal information with processors or other third parties.

Risk: The more personal information that is processed, the greater the risk of a breach. This may breach articles 5(b), (c), (e), 35, and 25(2) of the UK GDPR.

Ways to meet our expectations:

  • Only share the personal information necessary to achieve your specific purpose.
  • When information is shared, ensure it is pseudonymised or minimised wherever possible. Consider anonymisation so that the information is no longer personal information.

Options to consider: 

  • Carry out dip sampling and cold case reviews to ensure that staff are following data minimisation and pseudonymisation policies.

Have you considered the effectiveness of your accountability measures?

  • Do staff understand what they should consider when sharing information to make sure it is limited appropriately?