Data Sharing Agreement
1.0 Process / Project
This document agrees the sharing of data between Inclusion Barnet, Volunteering Barnet (Groundwork London) and Young Barnet Foundation.
The parties will be processing and sharing data from organisation member’s, relating to the activities carried out under the umbrella of Barnet Together. This data may be shared in a number of different formats, such as (but not limited to) Excel spreadsheets, Outlook distribution lists, email, written or telephone correspondence.
1.1 Responsibilities of parties involved
All parties have confirmed they have data protection and data security policies and procedures in place to ensure compliance with the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act 2018 (DPA2018).
Copies of each party’s Privacy Policy can be found online:
Inclusion Barnet – https://www.inclusionbarnet.org.uk/privacy-policy/
Volunteering Barnet – Terms and conditions (barnetvolunteersc19.co.uk)
Young Barnet Foundation – https://www.youngbarnetfoundation.org.uk/privacypolicy
It is the responsibility of each party to ensure that every employee processing personal data involved in this agreement knows how to obtain, use and share personal data in line with data protection law and the Data Protection Principles.
Each party will ensure its employees and or volunteers adheres to the training given to them by their organisation in relation to the Data protection policy.
Each party is responsible for their actions undertaken through this agreement.
1.2 Assessment and Review
A review of this data sharing agreement will take place on an annual basis. The aim of the review will be to ensure the purposes are still relevant, the scope has not slipped, the benefits to the data subjects and organisations are being realised, and the procedures followed for information security are effective.
Changes in legislation and developments in the areas of public sector data sharing will be considered as and when they arise.
1.3 Termination of Agreement
In the event of termination of this agreement, the parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
2.0 Purpose & Benefits
This agreement covers the sharing of data for the purposes of establishing and maintaining an effective Barnet Together partnership.
This information sharing is required to enable the Barnet Together partnership to fully serve the sector and communities of Barnet, realising the vision of ‘a better Barnet for all those who live and work in the borough, based on real partnership and active collaboration’.
2.1 Benefits of the processing
The data sharing is intended to provide benefits to the sector by providing a seamless service between all parties. It aims to avoid multiple contact points, streamline processes and ensure value for money within Barnet Together.
2.2 Data sets
The information to be shared under this agreement will enable the Barnet Together partnership to fully serve the sector and communities of Barnet.
In accordance with the Data Protection Act, we will collect data which is necessary for our daily operations. This might be for evaluation purposes, ongoing improvement, future funding, research and sustainability or to monitor sector engagement (not an exhaustive list).
Data shared through this agreement includes (but is not limited to):
Registered member / organisation data
Registered member / organisation data, that has personal data included in contact information.
Member / organisation data shared may include personal and special category data such as names, contact details and demographic data.
All parties confirm they have considered the possibility of using anonymised data and it was not viable. Barnet Together have undertook a legitimate interest assessment to ascertain the legitimate interest in sharing of data sets outlined above for the purpose of Barnet Together deliverables.
During the sharing process all parties will consider whether data can be pseudonymised.
The sharing of above data sets will be completed upon registration of new members / orgnanisations to individual parties or as required by Barnet Together delivery plan.
The data will not be transferred outside the UK by any of the parties.
Data shared within the Barnet Together Partnership is to only be used based on the agreed purposes set out in this agreement.
2.3 Lawful basis for sharing data
Article 6 of the GDPR, Article 9 of the GDPR, and Schedule 8 of the DPA2018 set out the acceptable conditions for the processing and sharing of personal information.
Article 6 (1)
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
or
Article 6 1(f)
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Article 9 (1 and 2)
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject
The legislation that requires or allows the processing under this agreement is listed below:
Legislation
GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018
2.4 Other relevant legislation
The actual disclosure of any personal data to achieve these objectives must also be conducted within the framework of the Human Rights Act 1998 (HRA) and the Common Law Duty of Confidence.
Where accessing data is requested and or queried we will follow each party’s recognised procedures and policies on GDPR and information requests and complaints from members of the public.
Each party will seek advice/opinion from the other parties where there is concern about that information being released and any impact it is likely to have. The final decision to disclose or not will lie with the party who holds the information.
3.0 Individuals
Organisations processing personal data are required to consider and uphold the privacy of an individual’s data before we begin and throughout the processing taking place.
Each party takes responsibility for ensuring that an organisation / individual can easily gain access to all their personal data that has been shared.
3.1 Data Subject Rights
Individuals have rights under data protection legislation known as the Subject Access Rights.
All parties confirm that they obey the transparency requirements of GDPR and will issue appropriate privacy notices which inform the data subject what information is being processed, who it will be shared with under this agreement, the purposes for which it will be shared, and how long the data will be retained.
All parties confirm that they will make information available to data subjects regarding their data subject rights under the GDPR and the DPA 2018.
3.2 Data Subject Requests
Each organisation must have in place appropriate policies and processes in place to handle data subject requests made in line with data protection law, to ensure they are responded to within deadline and in an appropriate manner.
If an individual successfully requests the erasure or limitation of use of their data (right to erasure, right to rectification, right to restrict processing, right to object), or withdraws their consent for processing (where consent is the lawful basis condition), the party that has been informed by the data subject will communicate this to the other parties. In each case each party is responsible for securely disposing of such information or limiting its processing/exposure.
3.3 Complaints process
Each party must have a clear and objective complaint policy. Any concerns raised in relation to this agreement must be passed on to the Barnet Together Organisation working group.
4.0 Data
4.1 Data handling and security
All parties have in place appropriate technical and organisational security measures to ensure the confidentiality, integrity and availability of personal data which will protect against accidental loss, destruction, damage, alteration or disclosure. These measures must be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction or damage to the personal data and having regard to the nature of the personal data which is being processed.
All the data and information collected by providers will be collected in strict adherence to GDPR.
4.2 Secure sharing of personal data
Personal data must be shared securely. All parties agree that:
Any physical transfers of personal data will be appropriately packaged and securely transferred, to mitigate any loss or unlawful disclosure of data.
All staff or volunteers having access to the data will have a DBS check where appropriate, in line with best practice.
Any individual no longer required to have access will promptly have such access revoked by the relevant party.
All data held electronically will be stored in a secure network area with password protected entry and appropriate back-up functionality. The area/system will be auditable so that it is possible to establish who has accessed the system.
All laptops, computers, and any other portable devices will be encrypted.
Paper records will be kept to a minimum and kept secure, whether in the office, home or during transit. Appropriate security methods will be applied when storing or disposing of paper records.
4.3 Sharing under this agreement
The data described in this agreement will be shared between staff in the Barnet Together partnership.
4.4 Data Quality
Data quality will be managed by each party, who will ensure the data is fit for the purpose it is intended.
4.5 Retention
The data retention period will last for the duration of the Barnet Together partnership.
4.6 Data breach incidents
All parties must have a clear policy and procedure for reporting and handling data protection breaches or data loss incidents. All parties agree to inform the other parties as appropriate if the incident has an impact on the processing of the other parties.
5.0 Risk
All parties will follow the Barnet Together risk assessment procedures in regards to information sharing and handing of information under this agreement and undertake actions to mitigate risks the confidentiality, integrity and accessibility of the data shared between the parties.