You must identify all the organizations that will be involved in data sharing and provide contact information for the appropriate employee in each of those organizations. Whether you`re drafting a data exchange agreement or other documents, such as privacy notices and policies, HR documentation, business contracts, or international data transfers, you don`t have to risk doing it alone. If you are acting with another controller as a joint controller of personal data, there is a legal obligation to define your responsibilities in a joint control agreement, both under the UK GDPR/Part 2 of the 2018 DPA and Part 3 of the 2018 DPA. While the Code primarily focuses on sharing data between different controllers, the provisions of a data-sharing agreement could help you enter into a joint control agreement. In this context, it defines the purpose of the data exchange and covers what happens to the information at each stage. Data sharing also promotes accountability and transparency, allowing researchers to validate each other`s results. Finally, data from multiple sources can often be combined to allow for comparisons that transcend national and departmental boundaries. A data sharing agreement between the parties that send and receive data can be an essential part of your compliance with the principle of responsibility, although it is not mandatory. Your organization can use a different title for a data sharing agreement, e.B. : Your agreement must specify who the controllers are at each stage, even after the transfer. They should establish procedures for the respect of individual rights. This includes the right to information as well as the right to object and requests for correction and deletion. You must make it clear in the agreement that all managers remain responsible for compliance, even if you have processes that determine who should perform certain tasks.
Data exchange agreements between organizations with which you send and receive information play an important role in compliance with the GDPR (General Data Protection Regulation) and similar regulations. Typical points of a data exchange agreement are the period during which the data must be available, the intended use, confidentiality and security information, usage restrictions, details of confidentiality requirements, and financial costs. For public authorities, the agreement should also cover the need to include certain types of information in your freedom of information publication system. You must also indicate the legal authority under which you may disclose the data. It is important to recognize that the process of setting up data exchange agreements varies from country to country, as well as the type of data shared and the agencies that share the data. A data-sharing agreement ensures that companies and their suppliers are clear about their roles and sets standards for what they can expect from the agreement and what is expected of them. What is the purpose of the data exchange initiative? Government agencies and certain other public bodies (for example. B, regulators, law enforcement and law enforcement agencies) may enter into a Memorandum of Understanding between themselves containing provisions on data sharing and fulfilling the role of a data sharing agreement. There is no defined format for a data sharing agreement. It can take many forms, depending on the scope and complexity of data sharing. Since a data sharing agreement is a set of common rules that bind all organizations involved, you should write it in clear, concise, and easy-to-understand language.
In this blog, we`ll help you understand why data exchange agreements are essential and how to create one tailored to your organization`s needs. They must explain the purpose of data sharing, why information must be shared to achieve those goals, and the benefits of doing so. Your consent must specify the types of data you want to share. This is sometimes referred to as a data specification. This may need to be detailed, as in some cases it is appropriate to share only certain information in a file about a person and omit other more sensitive documents. In some cases, it may be appropriate to add “permissions” to certain data elements so that only certain employees or employees of certain roles are allowed to access them. for example, employees who have been trained accordingly. You must document the types of data you want to share. The more detailed you are, the better, because there will be times when you will only have to share certain information about the people involved. If you use consent as the legal basis for disclosure, your agreement must include a model declaration of consent.
You must also deal with issues related to the refusal or withdrawal of consent. This should help you justify your data sharing and prove that you have considered and documented relevant compliance issues. A data sharing agreement provides a framework to help you meet the requirements of the Privacy Principles. You need to document this accurately so that all parties are absolutely clear about the purposes for which they can share or use the data. This does not mean that it immunizes you against non-compliance or regulatory measures if you conflict with the law. To avoid compliance gaps, you must ensure that you and the people with whom you share personal data comply with the terms of your agreement. Regardless of the terminology, it is recommended to reach an agreement on data sharing. It is probably useful for your agreement to include an annex or annex, including: Ideally, these additional concerns should be taken into account in the data sharing agreement in order to facilitate clear communication and, if necessary, put in place additional safeguards: However, the following points do not in themselves constitute an agreement on data sharing: Here is a list of the elements that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. Second, it avoids misunderstandings on the part of the data provider and the agency receiving the data by ensuring that all issues relating to the use of the data are discussed. Before the data is shared, the provider and recipient must speak in person or by phone to discuss data sharing and use issues and reach a common understanding, which is then documented in a data exchange agreement.
Under the GDPR, individuals have certain rights over how their information is processed and used. Your agreement should include processes to help you determine when these rights apply and how to respect them. Whether other organizations are involved in data sharing With our GDPR contract and legal services package, you get guidance from a team of experienced data protection officers, lawyers, lawyers and information security experts. You must document the relevant processing conditions to the extent appropriate under the UK GDPR or the 2018 DPA, where the data you share contains a special category of data or criminal offences under the UK GDPR, or if there is sensitive processing within the meaning of Part 3 of the 2018 DPA. A data exchange agreement is a formal contract that clearly documents what data is shared and how the data can be used. Such an agreement has two objectives. First, it protects the authority that provides the data and ensures that the data is not misused. Data exchange agreements define the purpose of data sharing, cover what happens to the data at each stage, set standards, and help all parties involved in data exchange to be clear about their roles and responsibilities. For example, the agreement should explain what to do when an organisation receives a request for access to shared data or other information, be it data protection or freedom of information rules.
In particular, it should be clarified that an employee (usually a DPO in the case of personal data) or an organisation has overall responsibility for ensuring that the data subject has easy access to all his or her personal data that has been shared. You should regularly review your data sharing agreements. and, in particular, in the event of a change in circumstances or justification for sharing data […].