SOME USEFUL GUIDANCE: YOU DO NOT NEED A DATA SHARING AGREEMENT TO PROVIDE INFORMATION THAT IS REQUIRED BY LAW
I recently received this useful guidance....
You don't need a sharing agreement to provide information to the Government of Jersey GoJ - there is a legal obligation for an entity to provide that information. For example, if I had staff I would have to give Social Security that manpower information. My legal basis for sharing the information with Social is because the Social Security Law says I have to.
{Schedule 2 Item 8 Employment and social fields: The processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred or imposed by law on the controller in connection with employment, social security, social services or social care.}
There is nothing in the DPJL that says that formal data sharing agreements have to be in place between two entities and the DPJL doesn't refer to 'data sharing agreement' at all nor does GDPR (other than where there is a controller/processor relationship); data sharing just needs to be done in accordance with the Art.8 principles (etc) and a formal data sharing agreement simply helps an entity to evidence that the sharing is being done lawfully.
The place where data sharing agreements really come into play is, for example, if I’m selling my business and providing my data to the purchaser so they can do their due diligence. You want an agreement in those circumstances to set out exactly what is being shared, confidentiality provisions, return of information if the transaction doesn't go ahead etc. You also see them in cases where information is being passed across for research purposes.
The UK ICO has a code of practice out for consultation: https://ico.org.uk/media/2615361/data-sharing-code-for-public-consultation.pdf
It's pretty helpful but doesn't say when you'd have one. Pg 25 has good stuff about what you would likely want to include but the rest of the doc focuses really on the accountability of controllers and their being able to evidence why processing is necessary and transparency.
No comments:
Post a Comment