Answer: When it's an NHS Data Sharing Agreement
06 Jan 2021
Data sharing is one of the areas of information governance that organisations find most challenging, not least because of confusion over the two main roles involved in the processing of personal information: (data) controller and (data) processor.
As a result, when we act as consultants or as Data Protection Officer, this is where we most often need to steer organisations in the right direction to ensure compliance with data protection legislation.
In reality the new NHS 'Agreement' is more of a checklist of good practice for organisations to follow; modelled on the recently updated ICO Data Sharing Code and set in an NHS context. The guidance that comes with the 'agreement' is fairly comprehensive, but unfortunately, the NHS perpetuates its practice of muddying the waters by turning a perfectly adequate guidance process into a document that looks like a binding agreement; complete with an expiry date and a signatory section. Please be aware that the NHS Data Sharing Agreement:
- is NOT a binding agreement
- is NOT a contract
- has NO legal force
- is NOT a Data Processing Agreement (which is legally binding) and does not replace the need for one where necessary
Signing up to best practice is always a good thing, and adopting this document as the norm for sharing NHS patient data should help. Organisations must nevertheless make the effort to understand the guidance and adopt it, whilst observing all data protection laws and the common law duty of confidentiality.
We applaud this attempt to update NHS guidance, but the danger remains that organisations will assume that by signing one of these 'Agreements' they have done everything needed in a 'one size fits all' way. They should instead analyse their own situation thoroughly (with the aid of the accompanying guidance, if helpful) and take the additional steps that are frequently necessary, such as putting a Data Processing Agreement in place where a processor is involved.
If you are confused over your role in a 'data sharing' exercise with the NHS or the legality of your personal data processing, Exigia is here to help.
01 Jan 2021
Now that the 'Transition' period following the United Kingdom’s exit from the EU is over, the UK privacy regulation, also known as the “UK GDPR”, has come into force, replacing the EU GDPR.
Because the UK and the EU have also entered into a Trade & Co-operation Agreement, a further 'bridging' period for personal data transfers from the EU (or EEA) to the UK applies for up to six months. During this period the UK may not change its data protection laws without the EU's agreement, or the bridging period will terminate early.
The agreement therefore allows personal data to continue to flow from the EU to the UK for the time being. Once that period ends, such transfers will be treated as international transfers under the EU GDPR unless the EU has adopted an 'adequacy' decision in the UK's favour.
For transfers from the UK, the UK GDPR adopts the EU's list of countries counted as adequate and transfers of personal data to these countries remain valid.
17 Dec 2020
On 17 December 2020 the ICO published its updated Code of Practice on Data Sharing, which is statutory guidance under section 121 of the Data Protection Act 2018.
The code focuses on 'controller to controller' sharing of personal data, rather than the fundamentally different situation of a controller using another organisation to process data on its behalf (i.e. a controller-to-processor relationship).
The code aims to "give individuals, businesses and organisations the confidence to share data in a fair, safe and transparent way in this changing landscape".
The code will be welcomed by charities and other organisations, confronted with difficult decisions about how to share the data of beneficiaries and staff.
The code makes the following general points:
- data protection law facilitates data sharing when approached in a fair and proportionate way
- data protection law is an enabler for fair and proportionate data sharing rather than a blocker. It provides a framework to help you make decisions about sharing data
- data sharing has benefits for society as a whole
- sometimes it can be more harmful not to share data
It reminds controllers to comply with the data protection principles when sharing personal data and that they should demonstrate accountability; ensure fair and transparent processing; have at least one lawful basis for sharing the data; and process it securely using appropriate organisational and technical measures.
One interesting area covered is 'urgent processing'.
Health, Social Care and Charity organisations in particular might encounter urgent or emergency situations that demand rapid decisions about whether or not to share personal data. The ICO makes it clear that, in an emergency, controllers should go ahead and share data as is necessary and proportionate. Not every urgent situation is an emergency, but an emergency could involve:
- preventing serious physical harm to a person;
- preventing loss of human life;
- protecting public health;
- safeguarding vulnerable adults or children;
- responding to an emergency; or
- an immediate need to protect national security
Among the other topics covered are data protection impact assessments, children's data, law enforcement, sharing data sets and data sharing agreements.
Data controllers who are planning a project or who are asked to share data on an ad hoc basis are advised to consider the ICO’s new Code before proceeding. Failure to follow good practice will not in itself lead to enforcement action, but compliance with the Code will help to ensure that data controllers stay on the right side of the law.
If you have a data sharing conundrum or are confused as to whether you are sharing or using a data processor - Exigia can help.