Formal adoption of the IS Toolkit is the responsibility of the Chief Executive or Chief Officer of either a statutory body or a private or voluntary sector organisation.
Organisations that agree to support the adoption, dissemination, implementation, monitoring and review of this IS Toolkit are invited to share ISAs, Work Instructions and practitioners’ guidelines with other public sector organisations.

The IS Toolkit Approach
Flexibility: Pick & Choose
Partner organisations must determine the combination of O-MoU, ISAs and Work Instructions that are required to manage and record the information sharing decisions and agreements made between the parties.
For any systematic (i.e. regular and planned) information sharing, the minimum requirement is an Information Sharing Agreement and, in most cases, the corresponding Work Instructions. Overarching MoUs are complementary to the ISA: they provide the required flexibility in the variety of negotiations that need to happen between the parties, but are optional.
The Toolkit allows the phased recording of decisions and agreements in a progressive manner, at the time decisions need to be made at different stages in the agreement process, by those who are better qualified depending on the kind of decisions to be taken.
Some agreements will cover a wide range of information sharing scenarios that are difficult to define with the level of detail required by the ICO guidelines; however, the parties may recognise the benefit of the sharing and agree in principle some overarching aspects that will facilitate the future development of more specific and contextual decisions.
Overarching Memorandums of Understanding are optional, and should be used only for the wider agreements. They will typically cover strategic decisions, for example:
- Long term aspects.
- Difficult cross-boundary principles between agencies.
- High risk or complex decisions.
- Broader aspects of the sharing.
- Legal liabilities.
Example:
Overarching MoU for the sharing of information within a local partnership for the integration of Health and Social Care services.
The parties joining efforts as part of the health and social care integration may want to record high level decisions with regard to the scope and parties, the high level purposes, the legal basis and regulatory framework in support of the sharing, and the governance mechanisms to be put in place across the parties in order to agree on the more contextual decisions and instructions.
For this purpose, the parties can draft an overarching memorandum of understanding where only the highest level decisions are recorded. Any aspects that will be a common denominator in the underpinning information sharing agreements should also be included in the overarching MoU, for example if the parties have a clear position with regard to:
- The jointly agreed wider purposes (must not be very specific as those should be detailed in the actual Information Sharing Agreement).
- How further decisions on the handling of information will be taken (jointly or independently); in other words if the partners want to move forward as joint data controllers, independently or a combination (with some decisions in common and some independent). A common situation is where parties decide the purposes jointly but the more operational decisions on the handling of information are taken independently (e.g. local working instructions).
The proposition that the parties will conduct the processing independently is only an example; it is a choice that requires negotiation between the parties. The MoU should reflect the agreement reached.
These kinds of decisions, when taken at a high level, will facilitate and smooth the development of the more contextual and operational decisions, as the most difficult aspects that may require escalation would have been established in the overarching memorandum of understanding.
Governance
The MoU is also a good place to agree how future ISAs and joint working instructions (if any) will be developed across the Partnership; who will start the process, how the negotiation should be undertaken and the agreed app.
Any agreement for systematic sharing of information between different data controllers must be recorded in the format of an Information Sharing Agreement, regardless of the existence of an overarching memorandum of understanding.
An Information Sharing Agreement sets out the common decisions on the more contextual aspects of the sharing. If an overarching agreement exists between the parties covering some of the sections, it is preferable to avoid repetition, which facilitates future reviews.
The key decisions covered in the Information Sharing Agreement are:
- The specific contextual purpose, or purposes, of the sharing.
- Where personal or confidential data is being shared, the legal basis for the sharing.
- The potential recipients or types of recipient and the circumstances in which they will have access.
- The data to be shared.
- Data quality – accuracy, relevance, usability etc.
- Data security.
- Any conditions which may apply / have been agreed.
- Retention of shared data.
- Individuals’ rights – procedures for dealing with access requests, queries and complaints.
- Review of effectiveness/termination of the sharing agreement.
- Sanctions for failure to comply with the agreement or breaches by individuals (e.g. staff) or data processors acting on behalf of the parties.
Example: Discharge Hub service (Hospital @ Home)
Following the same example used earlier, an Information Sharing Agreement supporting the Overarching Health and Social Care Integration MoU would be an ISA for the sharing of information in connection with the Discharge Hub Service, which involves setting up a joint care plan for discharging patients from hospital to home. This typically requires joint work between a number of agencies including health bodies, local authorities, and potentially third sector agencies. The ISA will detail which information can be shared, in which circumstances, and with which partners, including health care professionals, social work employees, and colleagues that provide other services, for example Meals On Wheels.
ISAs are very specific and contextual whilst Overarching MoUs are high level.
Example: Scottish Public Pensions Agency (SPPA)
Following the same principles used earlier, an Information Sharing Agreement should be in place between all relevant parties: SPPA and employing authorities for NHS, education, police and fire service.
An Overarching Health and Social Care Integration MoU would probably not be required since the sharing of information for this purpose is very specific and unlikely to require separate negotiations at strategic and tactical level; hence the ISA along with the working instructions would suffice.
Nevertheless, if a particular territorial set of agencies decide that in their case different people have to decide very strategic matters (e.g. approach to liabilities: in common or jointly), and at a later stage a different group of people will proceed to negotiate other information sharing matters, it may be beneficial to record the more strategic agreements in a MoU (e.g. the most relevant senior stakeholders on each party agree to go ahead as Data Controllers in Common). At a later stage, a different group of people may progress the negotiations with regard to the more specific matters in the ISA (e.g. retention periods, etc.).
It makes sense for a more strategic agreement (MoU) to be followed by the more tactical (ISA) and operational (work instructions) decisions and agreements.
The Toolkit is flexible enough to accommodate the choice that better suits the needs of different scenarios. It is key to think of the process as a negotiation that takes place at different levels (strategic, tactical and operational) and moments in time, typically also involving different people and skills at different stages. In the simplest scenario, all the negotiation happens at once via a single ISA and a few work instructions already in place in each of the parties (e.g. their own policies and procedures).
[2019] ISA Template v201902 Form with instructions [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Blank Form [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Form with green quick prompts [Data Protection Act 2018 (UK) updated]
[2019] ISA Template v201902 Multi Party Sign Off Form [Data Protection Act 2018 (UK) updated]
An IG Pack is a standard set of documents, some of which are based on templates. These documents help project and system managers of data-driven or digital-driven innovations, projects or systems, to ensure they have considered the digital, privacy and other relevant information risks of their projects/systems.
These also provide evidence of due diligence.
The IG Pack is designed to help you navigate through the required assessments and documentation you should keep as part of your project/system as you proceed towards approval.
In particular, the current data protection regulations require that approval is sought prior to processing personal data.
Resilience is the ability of your system to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation, including cyber-attacks but also other common issues that may impact the performance of your system, such as speed, access to data, etc.
The Network and Information Systems (NIS) Regulations also require certain levels of resilience to be built into digital systems across health care organisations.
Understanding and reasonably minimising the information security and privacy risks of your project/system is not only good practice but a legal requirement derived from Data Protection regulations (UK) and the Network and Information Systems (NIS) Regulations (UK).
- What does it mean to you?
If you are running a project or managing an information system that handles NHS data, you must ensure your project/systems have sufficient security measures in place and comply with current regulations (e.g. Data Protection and NIS regulations (UK)).
This paper has been designed to help you by providing guidance, support and resources to manage risk within your project/system, and follows the fundamental principles of proportionality, i.e. the higher the risk, the more effort you have to put into managing it.
- Where can I find the templates and resources?
All templates available can be downloaded from the Resources section in this website. The following resources are available:
IGPACK Pack instructions v201901
IGPACK Template for DOC00a IG Pack checklist v201901
IGPACK Template for DOC02a Risk Assessment Triage Tool v201901
IGPACK Template for DOC02b DPIA – Data Protection Impact Assessment v201901
IGPACK Template for DOC04 System Name SSP Full v6.2
IGPACK Template for DOC04 SSP Lite v4
IGPACK Template for DOC06a IA Registration Form v201901
IGPACK Template for DOC06b IA Data Recipients Registration Form v2019201