It is important to note that if circumstances change and you choose to share information that you already hold with a third party, but this was not explained in your privacy notices when the information was first obtained, you still need to check whether the person is entitled to the information (as well as the right to exemption). The following links contain instructions on what information should be included in a contract or data-sharing agreement.

Contracts and data exchange agreements are not necessary for the exchange of data with colleagues or other departments within the university, but you must nevertheless take into account the risks associated with sharing data with others within the organization and the data protection rights of the individuals concerned.

The university may disclose this information to third parties by legal obligation or by choice, but it remains responsible for protecting the rights and privacy of individuals who have provided us with their personal data. We need some kind of legal agreement with the third party in order to meet that obligation. This describes the date on which a written contract is required and contains a checklist with mandatory information to be included in the contracts.

Data exchange agreements may be more appropriate if the relationship with the third party is already established in another way or if the information is to be used for a single exercise for the benefit of the university and/or the persons concerned. These circumstances are often supported by a Memorandum of Understanding.

You should be prepared to provide legal services with a clear guide identifying the information you need to share and any specific requirements you want to include in the document you have asked them to prepare. This document aims to provide guidance on how to determine the most appropriate form of agreement and on the issues to be considered in preparing it.
Within Durham University, contracts and data exchange agreements are prepared by the legal services team after receiving instructions from the budget owner/owner of information objects, and are signed by one of our authorized signatories.

The General Data Protection Regulations (GDPR) do not contain new requirements of the Data Protection Act (DPA). However, the financial and reputational consequences of data non-compliance have increased significantly, and the GDPR places responsibility for any abuse/loss of data firmly on the university (as data manager). The university also needs a clear record of all data exchange agreements in the event that a person chooses to use some of their new rights under the GDPR, such as the "right to be forgotten." The indications as to when a contract, data processing contract or data-sharing agreement will be used are not explicit.

A key element of the GDPR is the "right to information," which includes the requirement for organizations to provide "fair processing information," usually provided by a data protection statement. It also emphasizes transparency in the use of personal data, and you should inform people if their information is being passed on to other organizations.

The ICO has published updated guidelines for organizations on data processing contracts/agreements under the GDPR: ico.org.uk/media/for-organisations/documents/1067/data_sharing_checklists.pdf

The University uses personal data on staff, students, researchers and others in almost all of its activities, and there is a legal requirement to ensure that this data is complete and accurate and that their rights and privacy are protected.