Answer: When it's an NHS Data Sharing Agreement
06 Jan 2021
Data sharing is one of the areas of information governance that organisations find most challenging, along with confusion over the two main roles involved in the processing of personal information: (data) controller and (data) processor.
As a result, when we act as consultants or as Data Protection Officer, this is where we most often need to steer organisations in the right direction to ensure compliance with data protection legislation.
In reality, the new NHS 'Agreement' is more of a checklist of good practice for organisations to follow, modelled on the recently updated ICO Data Sharing Code and set in an NHS context. The guidance that comes with the 'agreement' is fairly comprehensive, but unfortunately the NHS perpetuates its practice of muddying the waters by turning a perfectly adequate guidance process into a document that looks like a binding agreement, complete with an expiry date and a signatory section. Please be aware that the NHS Data Sharing Agreement:
- is NOT a binding agreement
- is NOT a contract
- has NO legal force
- is NOT a Data Processing Agreement (which is legally binding) and does not replace the need for one where necessary
Signing up to best practice is always a good thing, and adopting this document as the norm for sharing NHS patient data should help. Organisations must nevertheless make the effort to understand the guidance and adopt it, whilst observing all data protection laws and the common law duty of confidentiality.
We applaud this attempt to update NHS guidance, but the danger remains that organisations will assume that by signing one of these 'Agreements' they have done everything needed in a 'one size fits all' way. They should instead analyse their situation thoroughly (possibly with the aid of the accompanying guidance) and take the additional steps that are frequently necessary.