Common use of Joint Data Controllers Clause in Contracts

Joint Data Controllers. This is where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers (see GDPR Article 26). For S2C HCP this is the responsibilities of partner organisations when they are acting as joint data controllers in delivering health and care utilising the information available from the shared records from each participating organisation. The partner organisations will comply with their data protection and other legal obligations in relation to the processing of personal data with the Share2Care HCP provisions. GDPR also requires that joint controllers determine their respective responsibilities for compliance “...in a transparent manner...by means of an arrangement between them...” The Share2Care HCP Data Sharing Agreement meets this requirement of determining respective responsibilities for compliance. The GDPR further requires that the arrangement “...shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.” Collectively Signatories are responsible for: • reviewing and monitoring the effectiveness of the arrangement and amending when required; • administering membership of, and compliance with, the agreement; • fostering a culture of data sharing among Signatories; • supporting the development of Data Sharing and Processing Agreements; and • sharing and promoting best practice. In addition, individually each Signatory shall accept responsibility for independently or jointly auditing its own compliance with the Data Sharing Agreement to which it is a Signatory on a regular basis (at least annually) and provide assurance of compliance to the Share2Care HCP Board.

Joint Data Controllers. This is where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers (see GDPR Article 26). For S2C C&M HCP this is the responsibilities of partner organisations when they are acting as joint data controllers in delivering health and care utilising the information available from the shared records from each participating organisation. The partner organisations will comply with their data protection and other legal obligations in relation to the processing of personal data with the Share2Care C&M HCP provisions. The GDPR also requires that joint controllers determine their respective responsibilities for compliance “...in a transparent manner...by means of an arrangement between them...” The Share2Care C&M HCP Data Sharing Agreement meets Agreements meet this requirement of determining respective responsibilities for compliance. The GDPR further requires that the arrangement “...shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.” Collectively Signatories are responsible for: • reviewing and monitoring the effectiveness of the arrangement and amending when required; • administering membership of, and compliance with, the agreement; • fostering a culture of data sharing among Signatories; • supporting the development of Data Sharing and Processing Agreements; and • sharing and promoting best practice. In addition, individually each Signatory shall accept responsibility for independently or jointly auditing its own compliance with the Data Sharing Agreement to which it is a Signatory on a regular basis (at least annually) and provide assurance of compliance to the Share2Care C&M HCP Board. Access and Security Procedures Partners to the Tier Zero will ensure that personal information is transferred and shared in a secure manner. Any electronic transfer or other risk media are the subject of local Data Sharing Agreements (Tier Two), and organisational Safe Haven Policy and procedures. Staff either representing the partners or who will facilitate this Tier One or related local Data Sharing Agreements (Tier Two) shall be identified by name. Those responsible for information sharing at an operational level shall also be named as part of any individual local agreements. Furthermore, it is the responsibility of the partner organisations to ensure that such information is always kept up to date. Staff representing the partners to the Tier Zero should only have access to personal information on a ‘need to know’ basis in order to perform their duties in connection with one or more of the defined purposes. Information must be used for the purpose for which it was obtained and only if it is appropriate and necessary to do so. Partners will take all reasonable care to both safeguard and protect the physical security of information technology and the data contained within it. They will ensure that mechanisms are in place to address the issues of physical security, security awareness and training, security management, systems development and system specific security policies. Evidence must be in the form of a local Strategy and/or an Information Security Policy. C&M HCP Documents Formal adoption will follow the signing of the Tier Zero by a responsible person for each of the respective organisations. The Tier One will be freely available to any representative of any organisation that shares personally identifiable information with the partner organisations. Copies of the Tier Zero, Tier One and Tier Two will be lodged with the C&M HCP Programme Office. The Tier Zero must be supplemented by individual local Tier Two agreements pertinent to any specific information sharing arrangements. It is recommended that all these agreements/tiers be displayed on the organisation’s website for the information of staff and public alike. Also for public scrutiny to supplement information already provided to the general public on matters of information sharing.

Joint Data Controllers. This is where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers (see GDPR Article 26). For S2C HCP C&M ICS this is the responsibilities of partner organisations when they are acting as joint data controllers in delivering health and care utilising the information available from the shared records from each participating organisation. The partner organisations will comply with their data protection and other legal obligations in relation to the processing of personal data with the Share2Care HCP C&M ICS provisions. The GDPR also requires that joint controllers determine their respective responsibilities for compliance “...in a transparent manner...by means of an arrangement between them...” The Share2Care HCP C&M ICS Data Sharing Agreement meets Agreements meet this requirement of determining respective responsibilities for compliance. The GDPR further requires that the arrangement “...shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.” Collectively Signatories are responsible for: • reviewing and monitoring the effectiveness of the arrangement and amending when required; • administering membership of, and compliance with, the agreement; • fostering a culture of data sharing among Signatories; • supporting the development of Data Sharing and Processing Agreements; and • sharing and promoting best practice. In addition, individually each Signatory shall accept responsibility for independently or jointly auditing its own compliance with the Data Sharing Agreement to which it is a Signatory on a regular basis (at least annually) and provide assurance of compliance to the Share2Care HCP C&M ICB Board. Access and Security Procedures Partners to the Tier Zero will ensure that personal information is transferred and shared in a secure manner. Any electronic transfer or other risk media are the subject of local Data Sharing Agreements (Tier Two), and organisational Safe Haven Policy and procedures. Staff either representing the partners or who will facilitate this Tier One or related local Data Sharing Agreements (Tier Two) shall be identified by name. Those responsible for information sharing at an operational level shall also be named as part of any individual local agreements. Furthermore, it is the responsibility of the partner organisations to ensure that such information is always kept up to date. Staff representing the partners to the Tier Zero should only have access to personal information on a ‘need to know’ basis in order to perform their duties in connection with one or more of the defined purposes. Information must be used for the purpose for which it was obtained and only if it is appropriate and necessary to do so. Partners will take all reasonable care to both safeguard and protect the physical security of information technology and the data contained within it. They will ensure that mechanisms are in place to address the issues of physical security, security awareness and training, security management, systems development and system specific security policies. Evidence must be in the form of a local Strategy and/or an Information Security Policy. C&M ICS Documents Formal adoption will follow the signing of the Tier Zero by a responsible person for each of the respective organisations. The Tier One will be freely available to any representative of any organisation that shares personally identifiable information with the partner organisations. Copies of the Tier Zero, Tier One and Tier Two will be lodged with the C&M ICS Programme Office. The Tier Zero must be supplemented by individual local Tier Two agreements pertinent to any specific information sharing arrangements. It is recommended that all these agreements/tiers be displayed on the organisation’s website for the information of staff and public alike. Also for public scrutiny to supplement information already provided to the general public on matters of information sharing.