Why Have a Data Sharing Agreement
A data exchange agreement is a formal contract between two or more parties that clearly documents what data is shared and how the data can be used. Good data can help inform policy-making, programme development and evaluation, and help authorities identify areas for improvement. Recent actions by the Washington State Legislature now require local governments to have data exchange agreements for certain types of data. This blog provides an overview of the bill, focusing on the types of data involved. Category 3 data is confidential information protected by law against disclosure or disclosure. Examples include Social Security numbers, a driver`s license number or Washington ID number, account numbers (e.B. utility account), credit card numbers, security codes, or passwords. In addition, it contains data stored in personal folders, such as. B, telephone numbers and addresses of individuals, personal mobile phone numbers, home addresses and emergency contact information. All data concerning the infrastructure and security of computer and telecommunications networks are also included.
If you use consent as the legal basis for disclosure, your agreement must include a model declaration of consent. You must also deal with issues related to the refusal or withdrawal of consent. For example, the agreement should explain what to do when an organisation receives a request for access to shared data or other information, be it data protection or freedom of information rules. In particular, it should be clarified that an employee (usually a DPO in the case of personal data) or an organisation has overall responsibility for ensuring that the data subject has easy access to all his or her personal data that has been shared. The SCO has until 1 December 2021 to report on its recommendations on best practices in the areas of data exchange and protection, data exchange contracts and compliance with data protection guidelines. Data sharing also promotes accountability and transparency, allowing researchers to validate each other`s results. Finally, data from multiple sources can often be combined to allow for comparisons that transcend national and departmental boundaries. For joint controllers, Article 26 of the UK GDPR and Article 58 of the 2018 DPA for processing in Part 3 require you to indicate in the agreement which controller is the contact point for the data subjects.
For public authorities, the agreement should also cover the need to include certain types of information in your freedom of information publication system. Here is a list of the elements that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. This does not mean that it immunizes you against non-compliance or regulatory measures if you conflict with the law. To avoid compliance gaps, you must ensure that you and the people with whom you share personal data comply with the terms of your agreement. Whether you`re drafting a data exchange agreement or other documents, such as privacy notices and policies, HR documentation, business contracts, or international data transfers, you don`t have to risk doing it alone. You must document the relevant processing conditions to the extent appropriate under the UK GDPR or the 2018 DPA, where the data you share contains a special category of data or criminal offences under the UK GDPR, or if there is sensitive processing within the meaning of Part 3 of the 2018 DPA. Your agreement must clearly state all the organisations that will be involved in the data sharing and provide the contact details of their Data Protection Officer (DPO) or any other relevant employee responsible for data sharing, and preferably for other key employees. It should also include procedures for the inclusion of additional organisations in the data sharing agreement and for addressing cases where an organisation needs to be excluded from sharing.
Designing and complying with a data-sharing agreement should help you comply with the law, but it does not provide immunity from violations of the law or the consequences of the law. However, the ICO will take into account the existence of a relevant data exchange agreement when it comes to assessing the complaints we receive about your data sharing. Regardless of the terminology, it is recommended to reach an agreement on data sharing. ESSB 5432 was adopted during this last legislature and requires certain public sector bodies to enter into data exchange agreements when sharing Category 3 or 4 data. The new requirement can be found in RCW 39.26.340 (public procurement) and RCW 39.34.240 (inter-local agreements). A data exchange agreement is a formal contract that clearly documents what data is shared and how the data can be used. Such an agreement has two objectives. First, it protects the authority that provides the data and ensures that the data is not misused.
Local authorities should start preparing their audits by the Court of Auditors and ensure that they have data sharing agreements in place when sharing Category 3 or 4 data with other bodies. Local governments should begin by assessing their need for data exchange agreements and ensure that these agreements are consistent with the guidelines established by the PO once these policies have been published. A public health professional contacted the network to ask if it could provide model data use agreements for use by local health authorities. The GDPR establishes stricter controls for the processing of special categories of personal data. This includes information about a person`s race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic information. They should establish procedures for the respect of individual rights. This includes the right to information as well as the right to object and requests for correction and deletion. You must make it clear in the agreement that all managers remain responsible for compliance, even if you have processes that determine who should perform certain tasks. With a data sharing agreement, you can demonstrate that you are meeting your liability obligations under the UK GDPR.
Second, it avoids misunderstandings on the part of the data provider and the agency receiving the data by ensuring that all issues relating to the use of the data are discussed. Before the data is shared, the provider and recipient must speak in person or by phone to discuss data sharing and use issues and reach a common understanding, which is then documented in a data exchange agreement. In this blog, we`ll help you understand why data exchange agreements are essential and how to create one tailored to your organization`s needs. Government agencies and certain other public bodies (for example. B, regulators, law enforcement and law enforcement agencies) may enter into a Memorandum of Understanding between themselves containing provisions on data sharing and fulfilling the role of a data sharing agreement. Organizations that act as joint data controllers with another organization must define their responsibilities in writing. Local governments should review the entire checklist for a full discussion of all categories of data. WaTech recommends that if a local government employee or elected official is unsure of the category level for certain data, they should consult with the employee responsible for managing the agency`s public records. .