|
|
|
Content of data-sharing agreement
|
| |
19. (1) A data-sharing agreement shall—
|
|
| |
(a) specify the names of the parties to the agreement in a schedule to the agreement,
|
|
| |
(b) specify the information to be disclosed,
|
|
| |
(c) specify the purpose of the data-sharing,
|
|
| |
(d) specify the function of the public body concerned to which the purpose referred to in paragraph (c) relates,
|
|
| |
(e) specify the legal basis for the data-sharing and for any further processing, by the parties to the agreement, of the information to be disclosed under the agreement,
|
|
| |
(f) specify whether the impetus for the disclosure of information under the agreement will come from a data subject or a public body,
|
|
| |
(g) specify whether, where information is disclosed under the agreement, the disclosure will be of information in relation to individual data subjects or classes of data subjects,
|
|
| |
(h) specify whether the disclosure of information under the agreement will be on a once-off or ongoing basis,
|
|
| |
(i) specify how the information to be disclosed is to be processed following its disclosure,
|
|
| |
(j) specify any restrictions on the disclosure of information after the processing referred to in paragraph (i),
|
|
| |
(k) include an undertaking by the parties to the agreement to comply with Article 5 of the General Data Protection Regulation in disclosing information under the agreement,
|
|
| |
(l) where a data protection impact assessment has been carried out in relation to the data-sharing, include a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation in a schedule to the agreement,
|
|
| |
(m) specify the security measures to apply to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures,
|
|
| |
(n) specify the requirements in relation to the retention of—
|
|
| |
(i) the information to be disclosed, and
|
|
| |
(ii) the information resulting from the processing of that information,
|
|
| |
for the duration of the agreement and in the event that the agreement is terminated,
|
|
| |
(o) specify the method to be employed to destroy or delete—
|
|
| |
(i) the information to be disclosed, and
|
|
| |
(ii) the information resulting from the processing of that information,
|
|
| |
at the end of the period for which the information is to be retained in accordance with the agreement,
|
|
| |
(p) specify the procedure in accordance with which a party may withdraw from the agreement,
|
|
| |
(q) include such other matters as may be prescribed under subsection (2),
|
|
| |
(r) include in a schedule to the agreement a statement summarising the analysis of the parties in relation to the extent to which—
|
|
| |
(i) the disclosure of the information is necessary for the performance of the functions in relation to which the information is being disclosed, and
|
|
| |
(ii) the disclosure and safeguards applicable to that disclosure are proportionate in the context of the performance of those functions and the effects of the disclosure on the rights of the data subjects concerned.
|
|
| |
(2) The Minister may prescribe matters, in addition to those listed in subsection (1), to be included in a data-sharing agreement where he or she is satisfied that the inclusion of those matters would—
|
|
| |
(a) be consistent with Article 5(1) of the General Data Protection Regulation, and
|
|
| |
(b) (i) improve transparency as regards the sharing of information by public bodies, or
|
|
| |
(ii) facilitate good governance in the sharing of information by public bodies.
|
|
| |
(3) A data-sharing agreement may provide for matters in addition to those listed in subsection (1).
|
