#timhjrogers: YOU MAY NOT NEED A DATA SHARING AGREEMENT

Tuesday 2 June 2020

YOU MAY NOT NEED A DATA SHARING AGREEMENT

SOME USEFUL GUIDANCE: YOU DO NOT NEED A DATA SHARING AGREEMENT TO PROVIDE INFORMATION THAT IS REQUIRED BY LAW

I recently received this useful guidance....

You don't need a sharing agreement to provide information to the Government of Jersey GoJ - there is a legal obligation for an entity to provide that information. For example, if I had staff I would have to give Social Security that manpower information. My legal basis for sharing the information with Social is because the Social Security Law says I have to.

{Schedule 2 Item 8 Employment and social fields: The processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred or imposed by law on the controller in connection with employment, social security, social services or social care.}

There is nothing in the DPJL that says that formal data sharing agreements have to be in place between two entities and the DPJL doesn't refer to 'data sharing agreement' at all nor does GDPR (other than where there is a controller/processor relationship); data sharing just needs to be done in accordance with the Art.8 principles (etc) and a formal data sharing agreement simply helps an entity to evidence that the sharing is being done lawfully.

The place where data sharing agreements really come into play is, for example, if I’m selling my business and providing my data to the purchaser so they can do their due diligence. You want an agreement in those circumstances to set out exactly what is being shared, confidentiality provisions, return of information if the transaction doesn't go ahead etc. You also see them in cases where information is being passed across for research purposes.

The UK ICO has a code of practice out for consultation: https://ico.org.uk/media/2615361/data-sharing-code-for-public-consultation.pdf

It's pretty helpful but doesn't say when you'd have one. Pg 25 has good stuff about what you would likely want to include but the rest of the doc focuses really on the accountability of controllers and their being able to evidence why processing is necessary and transparency.

No comments:

Post a Comment

Privacy

This Privacy Notice sets out what data we hold and use. We take privacy and security of your information seriously and will only use such personal information as set out in this privacy policy.

OTHER WEBSITES

This site contains links to other sites whose information practices may differ from ours. If you should visit such third party sites, you should ensure that you review the appropriate privacy notices as we have no control over information that is submitted to, or collected by, these third parties.

WHO WE ARE

This site is run by Tim Rogers to provide and seek information, comment and guidance on matters affecting charities. It is a free not-for-profit, non-commercial site.

WHAT, WHERE AND WHEN WE COLLECT YOUR DATA

The site is run using Blogger, which is a standard application provided by Google. Tim Rogers does not capture any personal data from the site, unless of course you choose to leave you personal details in a comment. However Google does track data: it is for example how we know if this page has been read by 10 people or 10,000 people.

If you choose to comment, phone, email or send a letter we may note your name, email-address, organisation and information relevant to your correspondence.

DISCLOSING YOUR PERSONAL DATA

On occasion that a correspondent may seek advice which is best given by a third-party (for example a specialist in IT Security) we will put them in touch with each-other. Similarly if someone asks a question that is better addressed by the Association of Jersey Charities or Jersey Community Partnership we will put you in touch with each other.

DATA SECURITY

We use Google’s up-to-date data storage and security techniques to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss. Unless you post a comment we know nothing about you, and if you use a Private Browser Google will know nothing about you.

INTERNATIONAL TRANSFERS

However as a consequence of using Google’s Blogger some personal data may be processed in (including being accessed in or stored in) a country or territory outside your home country, including outside the European Economic Area (“EEA”).

HOW LONG WE RETAIN PERSONAL DATA

We will retain your personal data for as long as necessary to fulfil the purpose for which it was collected in accordance with General Data Protection Regulation [GDPR]

YOUR RIGHTS

You have the right to apply for a copy of the personal data we hold about you and to have any inaccurate personal data about you rectified.

In some circumstances you may also have the right to ask us to erase your personal data or restrict its processing. Where we process your data for our legitimate interests, you have the right to object to such processing. Where our processing is based on consent, you may withdraw your consent by emailing us

Should you wish to discuss the exercise of any your rights, please contact us as set out below.