Need to share data or information with a third party?
Perhaps you want data from another organisation for some research, or want to work as a consortium with other universities. You may need an Information Sharing Agreement (also known as a Data Sharing Agreement) that sets out your intentions. This is particularly important if you are sharing information about individuals.
If you have been given a sharing agreement from elsewhere then the Information Assurance Manager can check it for you. If the other organisations you are working with can't supply such a document then we may need to draw one up. Don't worry - the Information Assurance Manager can help you with that, but you'll need to think through the basics first. This checklist will help you do just that.
What you need to think about - 13 point checklist
1. Who you're sharing with
Who is involved in the sharing? Which organisations? Do they have sub-contractors or other organisations working on their behalf?
2. Why you're sharing
What is the reason for sharing the data? What is the purpose of your project or collaboration?
3. What you're sharing
What are you sharing? Exactly what is being shared? If it is information about individuals is it anonymised? Is it sensitive personal data? Is it data about children or vulnerable people? (You might find the ICO definitions of personal data helpful.)
4. How you're sharing
How are you sharing? Think about both the frequency and timing and the practicalities. How will data get from one organisation to the other? Is it a one off transfer or something that happens frequently or event continuously? How will you make sure it doesn't get lost on the journey?
What is your legal basis for sharing data? Have you asked participants for consent?
How is data stored? Is there somewhere in particular that the data is stored? Are there particular rules that set our how the data will be kept secure?
How is accuracy checked? Who is responsible for checking the accuracy of the data being shared? What are the mechanisms for reporting and amending inaccuracies?
What happens if someone asks to see a copy of their personal information or if there is a more general request under the Freedom of Information Act? Does one organisation lead on that? Is it just co-operation between organisations? Is there any agreement that some information will not be shared with others?
How long will the information normally be kept for? What happens at the end of that period? Is personal data anonymised after a set period of time or is it destroyed or returned to the originating organisation?
What is the process for handling complaints from people whose information is being shared? Does one organisation lead on that?
What happens if information is accidentally wrongly shared or lost? Who must that be reported to? How soon?
What happens when the agreement ends? (Think about end dates, the potential for extensions, what happens to the data when the agreement ends. Consider what happens if one party wants to pull out early, and are there any circumstances under which you’d want to force one party out?)
Agreement and review. (Who will sign off your agreement? Will the agreement be reviewed during its lifetime – if so, who will conduct that review, and when will it happen?)
What to do next
When you have the answers to these questions then the Information Assurance Manager can draw up a draft for you to share with your collaborators for comment. Send them to firstname.lastname@example.org including a timeline for when the agreement is needed, and a brief outline or description of your project or collaboration.