Data Sharing Agreement
This Data Sharing Agreement (the Agreement) reflects the reasons, processes and procedures for sharing Personal Data. It was signed in May 2018.
Parties to the sharing of Personal Data
|Smart School Councils, and||Bernie Grant Arts Centre, Enterprise Unit 12, Town Hall Approach Road, London, N15 4RX|
|Outlandish||149 Fonthill Rd, London N4 3HF|
Review of Agreement
This Agreement will be reviewed Annually. The date of the next review is in May 2019. The person responsible for instigating this review is Greg Sanderson, Co-Founder, Smart School Councils.
Purpose/reason for sharing and benefits:
|Purpose/reason||Benefits for school|
To ensure individuals who suggest actions are supported, and for schools to track involvement.
|Sharing personal data provides improved service provision for schools. Using the Class Meeting Tool, they can track involvement who has had an idea for a project and can support that individual to make it happen.|
Details of the type/s of data to be shared:
|First name, class/form group, school|
Data storage used:
|AWS RDS MySQL Database||Ireland|
|Smart School Councils information management systems||UK only|
|The processing of Personal Data must be both fair and lawful. State why you have arrived at this decision referencing any relevant legislation||It is fair and lawful for schools to provide data which allows them to improve educational provision and outcomes.
No sensitive data is being shared.
|State the Data Protection Act, 1998, Schedule 2 (and Schedule 3 if Sensitive Personal Data is to be shared) conditions that allows the sharing – see DPA schedules.||[S2.2]|
|How will you gain explicit consent if you are sharing Sensitive Personal Data?||N/A|
Data storage and transfer:
|Software format/s used e.g. Word, Excel, CSV etc.||All data stored in a MySQL Database. Data available to download as a CSV.|
|Will all software formats use encryption to secure data?||Encrypted in line with Outlandish and Smart School Council Security Policy. CSVs downloaded over secure (HTTPS) connections only.|
|Physical transfer method/s e.g. memory stick, laptop, paper documents etc.||All communication will be by email|
It is important that Personal Data is kept accurate and up to date. Include a statement to commit to the accuracy and completeness of the data exchanged, including a process for informing all relevant parties of any inaccuracies identified
|Data quality statement|
|Smart School Councils is responsible for ensuring information is entered accurately into their systems
Frequency, retention and monitoring
|Frequency of data sharing e.g. monthly, weekly etc.||On an ad hoc request basis|
State the person or authority who is responsible for keeping the master file and the period of retention of data.
If several master files are to be involved, provide this information for each.
|Smart School Councils is responsible for maintaining files and data. Files are retained for the period of the membership plus one year.|
Who will monitor that the processes above are taking place and are effective? What checks will be made?
|Smart School Councils will be responsible for ensuring staff are aware of this Agreement. Regular monitoring of processes is undertaken as part of staff development.|
Data security management
|Information Security Breaches (ISBs) –
How will any breaches of security, inappropriate disclosure or loss of data be reported and managed?
What will be the procedure to update this protocol in the light of any findings?
|The school will inform Smart School Councils immediately any ISB involving transferred information is discovered by emailing firstname.lastname@example.org
Smart School Councils Data Protection Officer will be responsible for coordinating activity in relation to any ISB and for updating this protocol as necessary
|Training – State how awareness of this Data Sharing Agreement will be raised amongst staff.
State any other training requirements that have been identified in relation to data protection and the plans to address these requirements.
|Smart School Councils will be responsible for ensuring staff are aware of this Agreement through electronic updates and team meetings|
|Subject Access Requests
State how individuals will access their information and include a statement which identifies the rights of the data subjects
|Smart School Councils will process SARs in accordance with information management and data protection policies and procedures. Individuals are informed about information sharing through the Privacy Statement for our Customers.|
|Principle 8 of the Data Protection Act 1998 relates to data being transferred to other countries. State if this is applicable and if so what measures are to be implemented to ensure data security.||N/A|
|I the undersigned certify that the Personal Data will not be disclosed to unauthorised persons and will be used only for the stated purpose/s.
The Data and their Purposes of Use are Notified under the Data Protection Act 1998 and my organisation/company is committed to compliance with the Data Protection Principles.
|On behalf of:||Smart School Councils|
GLOSSARY OF TERMS
Within this document, the following definitions apply:
|Data Controller||Any person (including company organisation or individual) who (either alone or jointly or in common with other persons) determines how and for what the purposes any Personal Data is to be processed.|
|Data Processor||Any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.|
|Data Subject||An individual who is the subject of the Personal Data.|
|Personal Data or Personal Information||Data which relates to a living individual who can be identified from that data or that data together with other information which is in the possession, or is likely to come into the possession, of the Data Controller.|
|Processing||Means obtaining, recording, holding the information or data or carrying out any operation on the information including organisation, adaptation or altering, retrieval, consultation, use, disclosure, alignment, combining, blocking or erasure, or destruction of information or data.|
|Sensitive Personal Data||Personal data consisting of:
● Racial or ethnic origins of the data subject
● Political opinions
● Religious beliefs or other beliefs of a similar nature
● Trade union membership (or non-membership)
● Physical or mental health or condition
● Sexual life
● Criminal or alleged criminal activities
● Criminal proceedings, convictions or any sentence imposed by the court
|Subject Access Request (SAR)||All individuals have a right to request the information that an organisation holds on them and we have a responsibility to deal with these requests within a defined timeframe. Any written enquiry that asks for information you hold about the person making the request can be taken as a Subject Access Request (SAR). However, in some cases there will be no need to treat it as such; if you would usually deal with the request in the normal course of your job, you can do so.|
Data Protection Act 1998
The conditions for processing are set out in Schedules 2 and 3 to the Data Protection Act, 1998. Unless a relevant exemption applies, at least one of the following conditions must be met whenever you process Personal Data:
Schedule 2 – conditions relevant for the processing of any Personal Data
S2.1 The individual who the Personal Data is about has consented to the processing.
S2.2 The processing is necessary:
– in relation to a contract which the individual has entered into; or
– because the individual has asked for something to be done so they can enter into a contract.
S2.3 The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
S2.4 The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
S2.5 The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
S2.6 The processing is in accordance with the “legitimate interests” condition.
Schedule 3 – Conditions relevant for the processing of Sensitive Personal Data
Conditions of Schedule 2 apply plus the following:
S3.1 The processing is necessary because of a legal obligation that applies to you in connection with employment
S3.2 The processing is necessary:
– to protect the vital interests of the individual; or
– to protect the vital interests of another person where consent by or on behalf of the individual has been unreasonably withheld.
S3.3 The information contained in Personal Data has been made public as a result of steps deliberately taken by the individual.
S3.4 The processing is necessary in connection with legal proceedings, obtaining legal advice, or exercising or defending legal rights.
S3.5 The processing is:
– disclosure or processing by a member of an anti-fraud organisation;
– necessary for preventing fraud or a particular kind of fraud.
S3.6 The processing is necessary for medical purposes and is undertaken by a health professional or someone with a duty of confidentiality equivalent to a health professional.
S3.7 The processing of Sensitive Personal Data related to racial or ethnic origin is necessary for monitoring equal opportunity of treatment between people with a view to enabling equality to be promoted or maintained and is carried out with appropriate safeguards for the rights and freedoms of individuals.
The Information Commissioner’s Office has relevant documentation and additional resources available at http://www.ico.org.uk/
ICO advice line – 0303 123 1113