Any agreement for systematic sharing of information between different data controllers must be recorded in the format of an Information Sharing Agreement, regardless the existence of an overarching memorandum of understanding.
An Information Sharing Agreement sets out the common decisions on the more contextual aspects of the sharing. If an overarching agreement exists between the parties covering some of the sections, is preferable to avoid repetition, which facilitates future reviews.
The key decisions covered in the Information Sharing Agreement are:
- The specific contextual purpose, or purposes, of the sharing.
- Where personal or confidential data is being shared, the legal basis for the sharing.
- The potential recipients or types of recipient and the circumstances in which they will have access.
- The data to be shared.
- Data quality – accuracy, relevance, usability etc.
- Data security.
- Any conditions which may apply / have been agreed.
- Retention of shared data
- Individuals’ rights – procedures for dealing with access requests, queries and complaints.
- Review of effectiveness/termination of the sharing agreement.
- Sanctions for failure to comply with the agreement or breaches by individuals (e.g. staff) or data processors acting on behalf of the parties.
Example: Discharge Hub service (Hospital at Home)
Following the same example used earlier, an Information Sharing Agreement supporting the Overarching Health and Social Care Integration MoU, would be an ISA for the sharing of information in connection with the Discharge Hub Service, which involves setting up a joint care plan for discharging of patients from hospital to home. This typically requires joint work between a number of agencies including health bodies, local authorities, and potentially third sector agencies. The ISA will detail which information can be shared, in which circumstances, and with which partners including health care professionals social work employees, and colleagues that provide other services, for example Meals On Wheels.
ISAs are very specific and contextual whilst Overarching MoUs are high level.
Example: Scottish Public Pensions Agency (SPPA)
Following the same principles used earlier, an Information Sharing Agreement should be in place between all relevant parties: SPPA and employing authorities for NHS, education, police and fire service.
An Overarching Health and Social Care Integration MoU would probably not be required since the sharing of information for this purpose is very specific and unlikely to require separate negotiations at strategic and tactical level; hence the ISA along with the working instructions would suffice.
Nevertheless, if a particular territorial set of agencies decide that in their case different people have to decide very strategic matters (e.g. approach to liabilities: in common or jointly), and at a later stage a different group of people will proceed to negotiate other information sharing matters, it may be beneficial to record the more strategic agreements in a MoU (e.g. the most relevant senior stakeholders on each party agree to go ahead as Data Controllers in Common). At a later stage, a different group of people may progress the negotiations with regards to the more specific matters in the ISA (e.g. retention periods, etc.)
It makes sense a more strategic agreement (MoU) followed by the more tactical (ISA) and operational (work instructions) decisions and agreements.
The Toolkit is flexible to accommodate the choice that better suits the needs on different scenarios. It is key thinking of the process as a negotiation that takes place at different levels (strategic, tactical and operational) and moments in time; typically also involving different people and skills at different stages. In the simplest scenario, all the negotiation happens at once via a single ISA and a few work instructions already in place on each of the parties (e.g. their own policies and procedures).
[2019] ISA Template v201902 Form with instructions [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Blank Form [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Form with green quick prompts [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Multi Party Sign Off Form [Data Protection Act 2018 (UK) updated]