News and comment

When is an Agreement not an Agreement?

Answer: When it's an NHS Data Sharing Agreement

06 Jan 2021

Data Sharing is one of the areas of information governance that organisations find most challenging, along with confusion over the two main roles involved in the processing of personal information - (data) controller and (data) processor.

As a result, when we act as consultants or as Data Protection Officer, this is where we most often need to steer organisations in the right direction to ensure compliance with data protection legislation.

In reality the new NHS 'Agreement' is more of a checklist of good practice for organisations to follow; modelled on the recently updated ICO Data Sharing Code and set in an NHS context. The guidance that comes with the 'agreement' is fairly comprehensive, but unfortunately, the NHS perpetuates its practice of muddying the waters by turning a perfectly adequate guidance process into a document that looks like a binding agreement; complete with an expiry date and a signatory section. Please be aware that the NHS Data Sharing Agreement:

• is NOT a binding agreement
• is NOT a contract
• has NO legal force
• is NOT a Data Processing Agreement (which is legally binding) and does not replace the need for one where necessary

Signing up to best practice is always a good thing, and adopting this document as the norm for sharing NHS patient data should help. Organisations must nevertheless make the effort to understand the guidance and adopt it, whilst observing all data protection laws and the common law duty of confidentiality.

We applaud this attempt to update NHS guidance, but the danger remains that organisations will assume that by signing one of these 'Agreements' they have done everything needed in a 'one size fits all' way. They should instead analyse their situation thoroughly (possibly with the aid of its accompanying guidance) and take the additional steps that are frequently necessary.

If you are confused over your role in a 'data sharing' exercise with the NHS or the legality of your personal data processing, Exigia is here to help.

---

Copyright © Exigia Ltd., All rights reserved

Personal Data Transfers to the EEA - BAU for now

01 Jan 2021

Now that the 'Transition' period following the United Kingdom’s exit from the EU is over, the UK privacy regulation incorporated in the Data Protection Act, 2018 and also known as the “UK GDPR”, has come into force, replacing the EU GDPR.

Having also entered into a Trade & Co-operation Agreement, the transition period for personal data transfers from the EU (or EEA) to the UK has been extended for up to six months. During this period, the UK may not change its data protection laws without the EU’s agreement or the extended transition period will terminate.

The agreement, therefore, allows for the continued flow of personal data from the EU to the UK after which they will be considered as international transfers under the EU GDPR unless the EU has approved an 'adequacy' decision in the UK's favour.

For transfers from the UK, the UK GDPR adopts the EU's list of countries counted as adequate and transfers of personal data to these countries remain valid.

---

 Copyright © Exigia Ltd., All rights reserved