DATA SHARING AGREEMENT

Wherever you use someone else (outsourcing) or their system, you should have a DATA SHARING AGREEMENT that sets out the Terms & Conditions, Responsibility and Liability for Data.

This may be a Controller [ORGANISATION A] to Controller [ORGANISATION B] agreement, where both organisations may add, amend, use or delete data for their own purposes.

This may be a Controller [ORGANISATION A] to Processor [ORGANISATION B] agreement, where there is a Master to Servant relationship in which the Controller instructs, and sets limits on, what the Processor can do.

DATA SHARING AGREEMENTS FOR PROCESSORS AND CONTROLLERS

CONTROLLER

If you act as a controller, you must keep a record of the following information:

your name and contact details and, where applicable, any joint controllers, representatives and data protection officers
the purposes of the processing
a description of the categories of data subjects and of the categories of personal data
the categories of recipients, including recipients in third countries or international organisations
details of transfers of personal data to third countries (where applicable)
retention periods for different categories of personal data (where possible) and
a general description of the security measures employed (where possible).

PROCESSOR

If you act as a data processor, you must keep the following records:

your name and contact details and, where applicable, representatives and data protection officers
the name and contact details of each controller you act for including, where applicable, representatives and data protection officers
the categories of processing carried out on behalf of each controller
details of transfers of personal data to third countries (where applicable)
a general description of the security measures employed (where possible).

CONTROLLER > CONTROLLER AGREEMENT

In some cases BOTH organisations are controllers and therefore BOTH organisations must meet all the obligations of being a controller. Where data is exchanged between two controllers (sometimes called joint controllers) there should be a data sharing agreement which explains what data is being shared, why, and the obligations of each organisation.

There is a sample data sharing agreement included in the appendix.

CONTROLLER > PROCESSOR AGREEMENT

In some cases one organisation is the controller (master) and the other the processor (servant). In these cases it is appropriate to have a formal Controller > Processor Agreement.

CONTROLLER > SUPPLIER AGREEMENT

In other cases, for example when using the services of Google, Microsoft or other suppliers who will not enter into a one-to-one relationship, there should nonetheless be an objective appraisal and consideration, perhaps by looking at their website or terms and conditions.

In all cases you should do some due diligence on the people you share data with. As a minimum you should do some research (eg on Microsoft and Google) and ideally get them to sign an agreement documenting the roles, goals, controls and responsibilities, as well as any relevant due diligence on the people, process and technology to be used.

DUE DILIGENCE FACTORS

For some organisations with Cyber Essentials, ISO27001 or SOC2 there may be a very detailed questionnaire that can be applied, but the following are simple minimal questions that the vendor should be able to confirm, or that you should be able to answer from their website.

THINGS YOU MAY ASK A SUPPLIER

People
Describe the role-based access controls you have that restrict access to our data and, where relevant, the staff vetting and monitoring you do to ensure people only access information on a need-to-know basis.

Process
Describe the process controls that you operate to safeguard our data. If it is easier to refer to documents, standards, accreditations etc. please provide these.

Technology
Describe the technology controls that you operate to safeguard our data. The minimum requirement is controls that comply with Cyber Essentials:

https://www.gov.je/stayingsafe/besafeonline/protectyourbusinessonline/pages/cyberessentials.aspx

Documents
Please provide copies of, or website links to, the following:
Privacy Notice
Data Protection Policy
Information Security Policy
Any documents, standards, accreditations relevant to IT or data security
TYPICAL HEADINGS IN A DATA SHARING AGREEMENT

Item 1) Parties (who are contracting parties and who is DPO if there is one)
Item 2) Aim of the Agreement (what is the purpose and context)
Item 3) Data Protection Principles (recognition of the law)
Item 4) Purpose/justification of data sharing (why)
Item 5) Legal basis for data sharing (is this consent [can be withdrawn] or contract, or other)
Item 6) Data to be Shared (what data is being shared)
Item 7) Data Sharing Process (how is it to be shared, transferred, protected, stored etc.)
Item 8) Processing Conditions (what rules are to be applied, see SUB SECTION FOR PROCESSOR AGREEMENTS)
Item 9) Security and confidentiality of the Shared Data (what measures / safeguards)
Item 10) Data quality (and safeguards to ensure accuracy)
Item 11) Data breaches (and actions eg to inform each other)
Item 12) Subject Access Requests (SARs), queries (and actions eg to inform each other)
Item 13) Data retention (how long to hold data for)
Item 14) Audits and inspections of the Shared Data (usually only for processor agreements)
Item 15) Review arrangements (when will this be reviewed)
Item 16) Authorised signatories

SUB SECTION FOR PROCESSOR AGREEMENTS

Item a) The processor must only act on the written instructions of the controller (unless required by law to act without such instructions)
Item b) The processor must ensure that people processing the data are subject to a duty of confidence
Item c) The processor must take appropriate measures to ensure the security of processing
Item d) The processor must only engage a sub-processor with the prior consent of the data controller and a written contract
Item e) The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
Item f) The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
Item g) The processor must delete or return all personal data to the controller as requested at the end of the contract and
Item h) The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

DATA SHARING AGREEMENT FORM

HEADING | EXAMPLE CONTENT BETWEEN AAAA AND BBBB

Parties (who are contracting parties and who is DPO if there is one)
For the purposes of this Agreement the AAAA and BBBB will act as joint data controllers.

Aim of the Agreement (what is the purpose and context)
This agreement has been developed to facilitate partnership working between the AAAA and BBBB.
This agreement identifies the legal basis, security safeguards and methods of sharing information to achieve common goals for the benefit of this area.
It also ensures that sharing is carried out in accordance with the requirements of the Data Protection (Jersey) Law 2018 (the Law).

Data Protection Principles (recognition of the law)
In entering into this Agreement, the Parties have carefully considered the requirements of the six Data Protection Principles (the DP Principles) as set out in Article 8 of the Law. The Parties agree that they have complied with and will continue to comply with the DP Principles in respect of the sharing and processing of the Shared Data.

Purpose/justification of data sharing (why)
XXXX

Legal basis for data sharing (is this consent [can be withdrawn] or contract, or other)
Legal basis for data sharing
XXXX
In accordance with the Data Protection (Jersey) Law 2018, this Data Sharing Agreement between two Controllers (or Joint Controllers, Article 7) is for the above purpose and none other.

Data to be Shared (what data is being shared)

Data Sharing Process (how is it to be shared, transferred, protected, stored etc.)
The Shared Data will be provided in XXXXXXXXXX format and submitted via the XXXXXXXXXXX encrypted file system utilised by XXXXXXXXXXXXX.
The data will be sent to BBBB via an email address where access is limited to only those individuals that require the data to be able to carry out their relevant objectives in accordance with the laws set out at Section 7 of this Agreement.
BBBB will formally acknowledge receipt of the data by return email.

Processing Conditions (what rules are to be applied)
1. The processor must only act on the written instructions of the controller (unless required by law to act without such instructions)
2. The processor must ensure that people processing the data are subject to a duty of confidence
3. The processor must take appropriate measures to ensure the security of processing
4. The processor must only engage a sub-processor with the prior consent of the data controller and a written contract
5. The processor must assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
6. The processor must assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
7. The processor must delete or return all personal data to the controller as requested at the end of the contract and
8. The processor must submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Security and confidentiality of the Shared Data (what measures / safeguards)
All Parties to this agreement are responsible for compliance with the Data Protection (Jersey) Law 2018, and for ensuring proper training is provided for all staff involved in the processing of the data outlined in this agreement. They are also responsible for ensuring the resolution of any issues arising.
Neither party will use the information shared for any purpose other than that stated in the Use of Information clause of this agreement.
The security measures in place are:
Policies - All staff adhere to the Acceptable Use Policy.
Training - There is mandatory Data Protection training for all new staff and annual updates for existing staff.
Physical Security/Access Permissions - There are access controls to all data held by Social Security which are appropriate to staff requirements. To ensure security in the workplace, staff have their own access card for perimeter doors to prevent unauthorised access.
Destruction process - All personal data is securely destroyed once it has reached the end of its retention period. Paper waste is sent for secure disposal in designated confidential waste bins.
No data will be transferred outside of Europe under this data sharing agreement.
Encrypted email will be used for email data transfer outside of the closed SoJ network.

Data quality (and safeguards to ensure accuracy)
Data quality is a perception or an assessment of data's fitness to serve its purpose in a given context. Aspects of data quality include (but are not limited to): accuracy, completeness, status, consistency, reliability and accessibility. The Parties agree it is crucial to operational and transactional processes. Before sharing data, the AAAA will check that the Shared Data is accurate and up to date to the best of their knowledge.

Data breaches (and actions eg to inform each other)
In the event that the Shared Data is subject to a personal data breach (as defined in Article 1(1) of the Law), the BBBB will be responsible for escalating this through the [Organisation Name] security incident reporting system, in accordance with the BBBB's data breach process. The BBBB will be responsible for informing the other Party to the Agreement of the data breach as soon as possible.

Freedom of Information (FOI) requests [if relevant eg for government]
The BBBB will be responsible for handling any requests received from members of the public, in respect of the Shared Data, pursuant to the Freedom of Information (Jersey) Law 2011, in accordance with the relevant Party's FOI process.

Subject Access Requests (SARs), queries (and actions eg to inform each other)
The BBBB will be responsible for handling any SARs, dealing with general data protection queries and complaints received from members of the public in respect of the Shared Data. SARs, general data protection queries and complaints should be dealt with in accordance with the relevant Party's policies and procedures.

Data retention (how long to hold data for)
The Shared Data shall be retained by the BBBB for a period of 1 year.

Audits and inspections of the Shared Data (usually only for processor agreements)
The Parties shall make available to each other all information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the other Party or another auditor mandated by the relevant Party as set out below.
Upon a relevant Party's reasonable request, the other Party agrees to provide that Party with any documentation or records which will enable it to verify and monitor that Party's compliance with its data protection and security obligations under the terms of this Agreement, within 14 days of receipt of such request, and to notify the relevant Party of the relevant person who will act as the point of contact for provision of the information required. For this purpose, the Party may present up-to-date attestations, reports or extracts thereof from independent bodies (e.g. external auditors, internal audit, the data protection officer, the IT security department or quality auditors) or suitable certification by way of an IT security or data protection audit.
Where, in the reasonable opinion of either Party, such documentation is not sufficient to meet the obligations of the Law, either Party will be entitled, upon reasonable prior written notice to the other Party and upon reasonable grounds, to conduct an on-site audit of the other Party's premises used (save for domestic premises), solely to confirm compliance with its data protection and security obligations under this Agreement.
Any audit carried out by a Party will be conducted in a manner that does not disrupt, delay or interfere with the other Party's performance of its business. The Parties shall ensure that the individuals carrying out an audit are under the same confidentiality obligations as set out in this Agreement.

Review arrangements (when will this be reviewed)
This Agreement will be reviewed two years after the final date of signing. The instigation of the review process will be the responsibility of the BBBB. This Agreement will also be reviewed in the event of significant changes to any of the following:
i) the data sharing process
ii) the use of the Shared Data by the BBBB
iii) data security arrangements or
iv) Jersey data protection legislation.

Authorised signatories