Control measure: There is a clear understanding of the distinction between data sharing on a controller to controller (C2C) basis and the use of data processors who process information under instruction (on a controller to processor basis (C2P)) under the UK GDPR and the DPA 2018.
Risk: There is a risk that legal obligations will not be met and controls required by the law will be misapplied if there is a lack of understanding about the difference between:
- data sharing by and between controllers; and
- the use of third-party data processors who process information on behalf of a controller under the UK GDPR and DPA 2018.
Ways to meet our expectations:
- Ensure data flow mapping analysis shows a clear differentiation between information that is shared with other organisations (C2C) and information that is processed by a data processor under instruction (C2P).
- Have separate policies that clearly distinguish between the requirements for sharing information on a C2C or C2P basis.
- Educate staff on the distinction between C2C and C2P data sharing.
- Avoid using data sharing agreements that are drafted for use on a C2C basis, if you are instructing third-party processors to process information under instruction.
Options to consider:
- Introduce a simple checklist to help staff determine whether a C2C data sharing agreement or a C2P agreement is needed.
Control measure: Data sharing agreements are agreed with all parties that personal information is routinely shared with, and are sufficiently detailed (ie they give sufficient direction to all parties to ensure that the requirements of the law are met).
Risk: Where routine sharing takes place, there is increased risk of unlawful sharing if not all parties are aware and have agreed the scope and rules of the arrangement. This may result in a breach of the UK GDPR and ICO data sharing code.
Ways to meet our expectations:
- Agree written data sharing agreements with all the relevant parties and ensure senior management sign them off.
- Include the following details in data sharing agreements:
  - the parties' roles;
  - the purpose of the data sharing;
  - what is going to happen to the information at each stage; and
  - the standards set (with a high privacy default for children).
- Implement procedures and guidance covering day-to-day operations to support the agreements.
- Where information is shared with parties outside the UK:
  - check whether the restricted transfer is covered by adequacy regulations or an article 49 exemption applies; and
  - if not, carry out a risk assessment and implement an article 46 transfer mechanism (along with any required additional steps or protections).
- Ensure agreements specify which controller is the contact point for people to exercise their rights, if parties are acting as joint controllers (article 26 of the UK GDPR and section 58 of the DPA18).
- For public authorities, ensure the agreement covers responsibilities and procedures for responding to freedom of information requests and the need to include certain types of information in publication schemes.
Options to consider:
- If there is sharing across multiple organisations, have:
  - an overarching high level agreement; and
  - more detailed agreements for data sharing between individual organisations at a one-to-one level.
- Have a data sharing agreement template which contains all the required clauses to ensure that the requirements of the law and the data sharing code are met.
- Introduce a data sharing request form.
Control measure: There is a log or record of all data sharing agreements.
Risk: Without a log or record of all agreements in place, there is a high likelihood that existing agreements will not be tracked or reviewed. A lack of understanding and oversight, and therefore documentation of how, when and why information is shared, may breach article 30, article 5 (2) and the ICO data sharing code.
Ways to meet our expectations:
- Keep a log of sharing agreements that details the nature of the sharing and the partners.
- Include data sharing within the data mapping and data flow analysis.
- Assign information asset owners (IAOs) to oversee any information sharing within their information assets.
- Include data sharing information on the record of processing activities (ROPA). Include categories of recipients that personal information will be disclosed to, including recipients in third countries or international organisations.
- Maintain a record of what was shared and when, so you can:
  - act on a person's request to exercise their rights under the UK GDPR; or
  - know whether they are affected if there is a data breach.
- Put in place appropriate information tracking, tracing and labelling procedures so you understand what information has gone where and when, in particular where there are large information transfers or information is shared to enable artificial intelligence services.
Options to consider:
- Create a central log of all sharing agreements that is linked to the ROPA and relevant DPIAs.
Control measure: Data sharing agreements are reviewed on a regular basis.
Risk: If agreements are not reviewed, there is a risk that they become inaccurate or inappropriate and could result in unlawful sharing or a data breach.
Ways to meet our expectations:
- Create a review process to regularly examine whether data sharing under your agreements continues to be appropriate.
- Ensure partner organisations are removed from or added to agreements, when required.
- Implement processes to review agreements following:
  - a change in circumstances for sharing partners;
  - a change in the reason for the data sharing;
  - a significant complaint; or
  - a security breach.
- Regularly include the outcomes of the reviews on the agenda for the information governance board (or equivalent).
Options to consider:
- Include scheduled review dates on a central log of all sharing agreements.