You need to document this accurately so that all parties are absolutely clear about the purposes for which they can share or use the data. In this blog, we'll help you understand why data exchange agreements are essential and how to create one tailored to your organization's needs. Organizations that act as joint data controllers with another organization must define their responsibilities in writing. Data exchange agreements define the purpose of data sharing, cover what happens to the data at each stage, set standards, and help all parties involved in data exchange to be clear about their roles and responsibilities. Your agreement should specify who is responsible at each stage, even after sharing. There is no defined format for a data sharing agreement. It can take many forms, depending on the scope and complexity of data sharing. Since a data sharing agreement is a set of common rules that bind all organizations involved, you should write it in clear, concise, and easy-to-understand language. Ideally, these additional concerns should be addressed in the data sharing agreement to facilitate clear communication and, if necessary, put in place additional safeguards. A data sharing agreement will allow you to demonstrate that you are meeting your liability obligations under the UK GDPR. They should establish procedures for the respect of individual rights.
This includes the right to information as well as the right to object and requests for correction and deletion. You must make it clear in the agreement that all managers remain responsible for compliance, even if you have processes that determine who should perform certain tasks. For example, the agreement should explain what to do when an organisation receives a request for access to shared data or other information, be it data protection or freedom of information rules. In particular, it should be clarified that an employee (usually a DPO in the case of personal data) or an organisation has overall responsibility for ensuring that the data subject has easy access to all his or her personal data that has been shared. This should help you justify your data sharing and prove that you have considered and documented relevant compliance issues. A data sharing agreement provides a framework to help you meet the requirements of the Privacy Principles. It is likely to be useful for your consent to have an appendix, including: All organizations must document a legal basis for the processing and sharing of personal data. This is something that each organization must take into account in the agreement, as the legal basis of one may differ from the other.
The GDPR establishes stricter controls for the processing of special categories of personal data. This includes information about a person's race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic information. Your consent must specify the types of data you want to share. This is sometimes referred to as a data specification. This may need to be detailed, as in some cases it is appropriate to share only certain information in a file about a person and omit other more sensitive documents. In some cases, it may be appropriate to add "permissions" to certain data elements so that only certain employees or employees of certain roles are allowed to access them, for example, employees who have been trained accordingly. Here is a list of the elements that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. Data sharing is an important way to improve the ability of researchers, scientists and policymakers to analyze data and translate it into meaningful reports and knowledge. Data sharing prevents duplication of data collection and encourages diversity of thinking and collaboration, as others are able to use the data to answer questions that the original data collectors may not have considered. With our GDPR legal contracts and services package, you benefit from the guidance of a team of experienced data protection officers, lawyers and information security experts.
A data sharing agreement between the parties that send and receive data can be an essential part of your compliance with the principle of responsibility, although it is not mandatory. Your organization may use a different title for a data sharing agreement, e.g.: Data sharing also promotes accountability and transparency so that researchers can validate each other's findings. Finally, data from multiple sources can often be combined to allow for comparisons that transcend national and departmental boundaries. For public authorities, the agreement should also cover the need to include certain types of information in your freedom of information publication system. It is important to recognize that the process of setting up data exchange agreements varies from country to country, as well as the type of data shared and the agencies that share the data. Designing and complying with a data-sharing agreement should help you comply with the law, but it does not provide immunity from violations of the law or the consequences of the law. However, the ICO will take into account the existence of a relevant data exchange agreement when it comes to assessing the complaints we receive about your data sharing. Data exchange agreements between organizations with which you send and receive information play an important role in compliance with the GDPR (General Data Protection Regulation) and similar regulations. You should regularly review your data sharing agreements, and in particular if there is a change in the circumstances or justification for sharing the data.
You must update your data sharing agreement to reflect the changes. If there is a significant complaint or security breach, this should be a trigger for you to review the agreement. Your organization may refer to it by a different name (for example, an information sharing agreement, a data sharing agreement or a data sharing protocol), but the principle is the same and you need to take certain steps. In this context, it defines the purpose of the data exchange and covers what happens to the information at each stage. This does not mean that it immunizes you against non-compliance or regulatory measures if you conflict with the law. To avoid compliance gaps, you must ensure that you and the people with whom you share personal data comply with the terms of your agreement. Second, it avoids misunderstandings on the part of the data provider and the agency receiving the data by ensuring that all issues relating to the use of the data are discussed. Before the data is shared, the provider and recipient must speak in person or by phone to discuss data sharing and use issues and reach a common understanding, which is then documented in a data exchange agreement. In addition, the agreement helps you justify your data sharing and provide documented evidence that you have addressed compliance issues. They must explain the purpose of data sharing, why information must be shared to achieve those goals, and the benefits of doing so.
Under the GDPR, individuals have certain rights over how their information is processed and used. Your agreement should include processes to help you determine when these rights apply and how to respect them. A data-sharing agreement ensures that companies and their suppliers are clear about their roles and sets standards for what they can expect from the agreement and what is expected of them. What is the purpose of the data exchange initiative? You must also indicate the legal authority under which you may disclose the data. For organisations in the UK, however, the Information Commissioner's Office (ICO) has confirmed that it will consider all relevant agreements when considering a complaint about that organisation's data sharing. Creating and updating data processing contracts is a complex and time-consuming task that involves many risks. An error or omission could mean the difference between GDPR compliance and a hefty fine. Regardless of the terminology, it is recommended to reach an agreement on data sharing. You must identify all the organizations that will be involved in data sharing and provide contact information for the appropriate employee in each of those organizations. Government agencies and certain other public bodies (e.g., regulators, law enforcement authorities and law enforcement agencies) may enter into a Memorandum of Understanding (MOU) containing provisions on data sharing and fulfilling the role of a data exchange agreement. If you are acting with another controller as a joint controller of personal data, there is a legal obligation to define your responsibilities in a joint control agreement, both under the UK GDPR/Part 2 of the 2018 DPA and Part 3 of the 2018 DPA.
While the Code primarily focuses on sharing data between different controllers, the provisions of a data-sharing agreement could help you enter into a joint control agreement. You must clearly explain your legal basis for data sharing. The legal basis of one organization in a data exchange agreement may not be the same as for the other. Whether you're drafting a data exchange agreement or other documents, such as privacy notices and policies, HR documentation, business contracts, or international data transfers, you don't have to risk doing it alone.