Information Sharing Agreement generated by the Information Sharing Gateway
Information Sharing Gateway
Lancashire Enterprise Partnership Business Support Support Portal Lancashire Enterprise Partnership Business Support Evolutive Portal
Information Sharing Agreement
This document has been produced from the ISG for reference purposes and is accurate only on the day it is produced. Please refer to the ISG for the current, definitive version.
Introduction
The Parties to this Information Sharing Agreement (ISA), except where indicated under "Parties to this Agreement", are signatories to the Information Sharing Gateway (ISG) Memorandum of Understanding.
This Memorandum of Understanding sets out the general principles of Information Governance that all organisations who access and use the Information Sharing Gateway have agreed to. It provides a framework for safeguarding the processing of all personal confidential information.
General principles
1. The Information Governance Toolkit[1] defines the minimum standards for Information Governance for health and social care. Where applicable, each organisation is committed to undertaking, following and complying with the Information Governance Toolkit as a minimum of Level 2. Where Level 2 has not been met, an action plan for necessary improvements will be agreed with either a lead or partner organisation.
2. Each organisation shall have appointed a responsible / accountable officer who will ensure the protection of personal information, for example a Caldicott Guardian or senior manager[2] responsible for data protection.
3. Each organisation will take appropriate organisational and technical measures towards compliance with the Data Protection Act 1998, Caldicott Principles, ISO 27001 Series of Information Security Standards, Freedom of Information Act 2000 and national guidance and rules around processing personal confidential information and other relevant legislation.
4. Each organisation is committed to identifying, documenting and risk assessing their data flows with any mitigating actions defined and agreed.
5. Each organisation is committed to ensuring staff are appropriately trained and comply with organisational policies in relation to Information Governance, including data protection, Confidentiality, Caldicott Principles, Information Security, Records Management and Freedom of Information.
6. Organisations will promptly notify other partner organisations of any Information Governance breach, vulnerability or threat that could affect the security of the data being shared.
7. Organisations will agree to allow partner or lead organisations, or their representatives, to carry out audits or visits to confirm compliance with agreed assurance requirements.
8. Each organisation commits to ensure that the data is shared in a safe and secure manner meeting the agreed purpose of the sharing.
9. Any requests for information under the Freedom of Information Act 2000 or the Data Protection Act 1998 should be directed to the original organisation's data protection officer.
10. Organisations may not create or establish onward sharing without the explicit permission of the original organisation's data protection officer.
[1] The Information Governance Toolkit is an online performance tool produced by the Department of Health (DH) and hosted by the Health and Social Care Information Centre (HSCIC). It allows NHS organisations and partners to assess themselves against DH information governance policies and standards.
[2] In Health and local authorities, this may be the Senior Information Risk Owner (SIRO). Other agencies may not have these identified roles and, therefore, it will be a senior manager responsible for ensuring compliance with Data Protection.
Parties named in this Agreement
The Parties listed below recognise their responsibilities for ensuring this agreement complies with all legislation and other requirements relevant to the personal data being shared, including the specific governance measures set out in this ISA.
Organisation | ISG Status | Responsible Officer / Contact Email
BLACKBURN WITH DARWEN BOROUGH COUNCIL (ICO: Z6166514), Providing and Receiving Data | MoU Signed: 06/09/2016, Assurance: Significant | Sarah Slater, [email protected]
BLACKPOOL COUNCIL (ICO: Z5720508), Providing and Receiving Data | MoU Signed: 21/05/2015, Assurance: Significant | Debbie Topping, [email protected]
BOROUGH OF PENDLE (ICO: Z9180064), Providing and Receiving Data | Not signed up to ISG MOU, Assurance: Not submitted | [email protected]
BURNLEY BOROUGH COUNCIL (ICO: Z7271323), Providing and Receiving Data | MoU Signed: 19/05/2017, Assurance: Expired | Lukman Patel
CHORLEY BOROUGH COUNCIL (ICO: Z477084X), Providing and Receiving Data | MoU Signed: 08/12/2017, Assurance: Limited | Emma Marshall, [email protected]
FYLDE BOROUGH COUNCIL, FY8 1LW (ICO: Z6894652), Providing and Receiving Data | MoU Signed: 05/12/2017, Assurance: Significant | Stephen Smith, [email protected]
Growth Lancashire Ltd, PR1 8XJ (ICO: Z1785636), Providing and Receiving Data | MoU Signed: 23/08/2017, Assurance: Significant | Steven Cochrane, [email protected]
HYNDBURN BOROUGH COUNCIL, BB5 0PF (ICO: Z2090478), Providing and Receiving Data | MoU Signed: 07/07/2017, Assurance: Significant | Fiona Goodfellow, [email protected]
LANCASHIRE COUNTY COUNCIL (ICO: Z542705X), Providing and Receiving Data | MoU Signed: 01/09/2015, Assurance: Significant | Ian Young, [email protected]
Lancaster City Council, LA1 1PJ (ICO: Z7414144), Providing and Receiving Data | MoU Signed: 31/07/2017, Assurance: Significant | Anne Streeter, [email protected]
PRESTON CITY COUNCIL (ICO: Z5613272), Providing and Receiving Data | MoU Signed: 18/09/2017, Assurance: Significant | Alison Brown
Ribble Valley Borough Council (ICO: Z6400958), Providing and Receiving Data | MoU Signed: 18/05/2017, Assurance: None | Stuart Haworth, [email protected]
Rossendale Borough Council (ICO: Z4916821), Providing and Receiving Data | MoU Signed: 20/11/2017, Assurance: Not submitted | Guy Darragh, [email protected]
SOUTH RIBBLE BOROUGH COUNCIL, PR5 1DH (ICO: Z496241X), Providing and Receiving Data | MoU Signed: 07/09/2017, Assurance: Significant | John Healey, [email protected]
West Lancashire Borough Council, L39 2DF (ICO: z5399931), Providing and Receiving Data | MoU Signed: 26/09/2017, Assurance: Significant | TINA SPARROW, [email protected]
WYRE BOROUGH COUNCIL, FY6 7PU (ICO: Z5682712), Providing and Receiving Data | MoU Signed: 31/08/2017, Assurance: Expired | Joanne Billington, [email protected]
Responsible Senior Officers
The Responsible Senior Officers named above provide assurance that:
• The details captured in this Information Sharing Agreement accurately describe the data sharing practices and the controls in place to govern them.
• Their organisation and its staff will make every effort to ensure that the controls are monitored and maintained and data sharing will only happen as described herein.
• Should their organisation wish to deviate from the practices and controls described here, they will review this data flow to ensure that these changes are captured.
Purpose and Justification for Sharing
Purpose
The Parties agree to use shared information only for the specific purposes set out in this document and to support the effective administration, audit, monitoring, regulatory inspection of services and reporting requirements.
The Parties accept that shared information shall not be regarded as general intelligence for the further use by recipient organisations unless that further purpose is defined in this agreement and respective service users have been informed of this intended change of use.
The purpose, specific to this information sharing arrangement, is identified as:
This information is required to better assess the impact of business support initiatives on the economy of Lancashire and the companies supported. The information is also required to monitor the effectiveness of external funding such as the European Regional Development Fund and other funding allocated to the Lancashire Enterprise Partnership.
The reasons for sharing information in relation to this programme of work are:
• Greater knowledge and awareness of business support projects available within Lancashire
• Improved customer experience due to greater awareness and better coordination
• More joined up, comprehensive performance management information to feed into future funding bids for the area
Benefits
The benefits derived from this information sharing arrangement, are identified as:
The benefits of information sharing include giving all parties involved a clearer picture of the clients’ requirements and tracking which services individual clients have received. Failure to appropriately share information would result in clients having to repeat their requirements to various organisations within the partnership. This could lead to duplicated effort and the partnership not being able to effectively track the allocated funding and support that the client has received from other partners.
Data relating to the client journey and the value of public sector support is also required to comply with the State Aid De Minimis regulations specifically to monitor total support against the ceiling of 200,000 Euros in any three year period. This legislation is enforced across all UK Government and European funded business support projects.
Restrictions on other use and further disclosure
It is recognised that unless the law specifically requires or permits this, shared information will not be used for different purposes or further disclosed. Even where the law permits further disclosure, in line with good practice the originating data controller will be consulted first and depending on the circumstances, it may be necessary for the data subject to be informed of the disclosure.
The Information Being Shared
Types of Information
The types of information, to be shared under this agreement, are identified as:
Personal Personal Sensitive Low Risk e.g. medical records
Data Subjects
The data subjects, whose information is to be shared under this agreement, are identified as:
Advisers, consultants and other professional experts
Customers and clients
Staff (NOT including volunteers, agents, temporary and casual workers)
Data Fields to be Shared
The data fields, to be shared under this agreement, are identified as:
Company Name
Company Address
Company contact details
Company Personnel Contact details
Nature of business
Individual Client Name
Individual Client Contact details
Details of the client journey/hours spent
Ethnicity of business owner
Disability of business owner
Age of business owner
D.O.B (In some cases)
Gender
Employment status
Nature of business enquiry
Notes relating to business enquiry
Outcome of any grant fund awarded including amount
Outcome of any job creation including details of the job (ethnicity, gender etc)
Turnover
Gross Value Added
Information Security & Confidentiality
Organisational and technical measures
The Parties shall take appropriate technical, security and organisational measures against unauthorised or unlawful processing of the personal data and against accidental loss or destruction of, or damage to, personal data.
Data Transfer Modes and Controls
Transfer Mode | Controls
Electronic data transferred via automated system to system | Access data via a secure network link; Secure connection / system e.g. https
Frequency of Exchange | Number of Records
Instant Batch | 1,001-5,000
Post Transfer Storage and Security
Physical location and method of storage:
Off site server UK based
Data security after transfer:
Area accessed by key / keypad / access card
Password protection
Smartcard / system password
Access controls after transfer:
Key allocation
Key issue log
System login
Privacy Impact Assessment
Legal basis for sharing personal information
Statutory duty / power to share
The legislation and/or regulations providing a mandatory duty or discretionary express or implied power for each of the relevant public authority partners to this agreement to share personal data for the purposes described in this agreement, are:
Data Protection 1998
SCHEDULE 2
1 The data subject has given his consent to the processing.
SCHEDULE 3
1 The data subject has given his explicit consent to the processing of the personal data.
General Data Protection Regulation
On the 25th May 2018 the Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR). The condition for processing under the GDPR will be:
Article 6
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
Article 9
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.
Sharing on the basis of informed consent
The consent model(s) used for this sharing arrangement is / are:
Explicit / Express
Implied / Implicit (this must be covered by a Fair Processing notice)
DPA legitimising conditions
The Schedule 2 conditions relied on for this agreement are:
Consent of the data subject
The Schedule 3 conditions relied on for this agreement are:
Explicit consent of the data subject
Informing Individuals
The privacy notice / amendments relevant to this data sharing arrangement are:
Not specified.
Adequacy, relevance, necessity
The following checks have been made regarding the adequacy, relevance and necessity for the collection of personal and / or sensitive data:
Not specified.
Provisions for the accuracy of the data
The following provisions have been made to ensure information will be kept up to date and checked for accuracy and completeness by all organisations:
Assurance in place (e.g. IGT, PSN)
Staff aware of responsibilities when working with data
Clear retention schedules
Integrity checks maintained
Retention and disposal requirements
The following arrangements have been made to manage the retention and disposal of data by all organisations:
Assurance in place (e.g. IGT, PSN)
Policies and procedures which state / define Retention schedules
Policies and procedures which state / define Disposal methods and criteria
Subject access requests
Subject Access Requests for individual records will be dealt with as follows:
Assurance in place (e.g. IGT, PSN)
Clearly defined procedures in place for Subject Access Requests for individuals
Clearly defined procedures in place to handle rectification and blocking of data
Technical and organisational measures
The receiving organisation's policies, processes and standard operating procedures can be described as follows:
Assurance in place (e.g. IGT, PSN)
Clearly defined
Up to date
Readily available
Understandable (in plain English) for staff to use
The receiving organisation manages incidents according to the following:
Reviewed including any root cause analysis and action plans
The receiving organisation's training for both the system and data can be described as:
Assurance in place (e.g. IGT, PSN)
Users are aware of their responsibilities when using the asset
Regularly trained and tested on their understanding
Understand what to do in the event of a breach or incident
The receiving organisation's security control for the asset can be described as:
Assurance in place (e.g. IGT, PSN)
Secure storage (e.g. locked cabinet)
Secure connection (e.g. https:)
Secure access (e.g. password protected)
Managed so only authorised persons can access and access routinely checked
Audit trail of interactions
The receiving organisation's business continuity arrangements are:
Assurance in place (e.g. IGT, PSN)
Clear business continuity arrangements
Users are aware of arrangements and appropriately trained
Regularly reviewed and updated (at least annually)
The receiving organisation's disaster recovery arrangements are:
Assurance in place (e.g. IGT, PSN)
Regularly reviewed and updated (at least annually)
Electronic part of a disaster recovery testing regime, regularly tested
The third party / supplier contracts contain all the necessary Information Governance clauses including information about Data Protection (1998) and Freedom of Information (2000):
Yes
Risk Assessment
Description | Controls | Initial Rating | Actions | Final Rating
Description: Automated electronic transfer is taking place over a controlled platform. Security controls should still be implemented and maintained.
Controls in place: Access data via a secure network link; Secure connection / system e.g. https
Rating: Low
Description: Servers hosted within the UK are bound by UK Law and legislation. You must ensure that the necessary due diligence and checks are made. Make sure access is controlled.
Controls in place: Off site server UK based
Rating: Low
Description: At least one control is in place which enables the information to be accessed securely in the receiving organisation.
Controls in place: Key allocation; Key issue log; System login
Rating: Low
Description: At least one control is in place which enables the information to be accessed securely in the receiving organisation.
Controls in place: Area accessed by key / keypad / access card; Password protection; Smartcard / system password
Rating: Low
Description: All of the minimum recommended controls are in place relating to the accuracy and completeness of the data.
Controls in place: Assurance in place (e.g. IGT, PSN); Staff aware of responsibilities when working with data; Clear retention schedules; Integrity checks maintained
Rating: Low
Description: All of the minimum recommended controls are in place relating to the retention and disposal of the data.
Controls in place: Assurance in place (e.g. IGT, PSN); Policies and procedures which state / define Retention schedules; Policies and procedures which state / define Disposal methods and criteria
Rating: Low
Description: All of the minimum recommended controls are in place relating to subject access requests.
Controls in place: Assurance in place (e.g. IGT, PSN); Clearly defined procedures in place for Subject Access Requests for individuals; Clearly defined procedures in place to handle rectification and blocking of data
Rating: Low
Description: Policies, processes and standard operating procedures for the asset/data are clearly defined, up to date, understandable and readily available.
Controls in place: Assurance in place (e.g. IGT, PSN); Clearly defined; Up to date; Readily available; Understandable (in plain English) for staff to use
Rating: Low
Description: Incidents are reviewed appropriately.
Controls in place: Reviewed including any root cause analysis and action plans
Rating: Low
Description: Users of the data are regularly trained, aware of their responsibilities and understand what to do in the event of breach.
Controls in place: Assurance in place (e.g. IGT, PSN); Users are aware of their responsibilities when using the asset; Regularly trained and tested on their understanding; Understand what to do in the event of a breach or incident
Rating: Low
Description: The asset / data is secure, controlled and interactions recorded.
Controls in place: Assurance in place (e.g. IGT, PSN); Secure storage (e.g. locked cabinet); Secure connection (e.g. https:); Secure access (e.g. password protected); Managed so only authorised persons can access and access routinely checked; Audit trail of interactions
Rating: Low
Description: Business continuity arrangements are clear, users are aware and trained with regular reviews and updates.
Controls in place: Assurance in place (e.g. IGT, PSN); Clear business continuity arrangements; Users are aware of arrangements and appropriately trained; Regularly reviewed and updated (at least annually)
Rating: Low
Description: Disaster recovery arrangements are in place with regular review and testing where appropriate.
Controls in place: Assurance in place (e.g. IGT, PSN); Regularly reviewed and updated (at least annually); Electronic part of a disaster recovery testing regime, regularly tested
Rating: Low
Commencement, Termination and Review
This agreement will be reviewed every 12 months post commencement unless an earlier review for policy or legislative reasons is necessary.
The start date for this agreement is:
01/08/2017
The scheduled review date for this agreement is:
01/08/2018
This ISA shall be effective from the start date indicated above and shall continue in force until such time as the data sharing ends, this ISA is terminated by either Party, or this ISA is replaced by a new one.
Signatories
Organisation: BLACKBURN WITH DARWEN BOROUGH COUNCIL
Signed By: Sarah Slater
Position: Senior Officer
Date: 08/08/2017
Organisation: BLACKPOOL COUNCIL
Signed By: Debbie Topping
Position: Senior Officer
Date: 01/09/2017
On Behalf Of: Anthony Doyle
On Behalf Of Role: Senior Officer
Organisation: BOROUGH OF PENDLE
Signed By: Wayne Forrest
Position: Senior Officer
Date: 07/08/2017
Organisation: BURNLEY BOROUGH COUNCIL
Signed By: Lukman Patel
Position: Senior Officer
Date: 05/09/2017
Organisation: CHORLEY BOROUGH COUNCIL
Signed By: Emma Marshall
Position: Senior Officer
Date: 12/12/2017
Organisation: FYLDE BOROUGH COUNCIL, FY8 1LW
Signed By: Stephen Smith
Position: Senior Officer
Date: 05/12/2017
Organisation: Growth Lancashire Ltd, PR1 8XJ
Signed By: Steven Cochrane
Position: Senior Officer
Date: 23/08/2017
Organisation: HYNDBURN BOROUGH COUNCIL, BB5 0PF
Signed By: Fiona Goodfellow
Position: Senior Officer
Date: 06/12/2017
Organisation: LANCASHIRE COUNTY COUNCIL
Signed By: Charlotte Hammond
Position: Senior Officer
Date: 01/08/2017
Organisation: Lancaster City Council, LA1 1PJ
Signed By: Anne Marie Harrison
Position: Information Asset Owner
Date: 01/09/2017
Organisation: PRESTON CITY COUNCIL
Signed By: Alison Brown
Position: Senior Officer
Date: 21/09/2017
Organisation: Ribble Valley Borough Council
Signed By: Stuart Haworth
Position: Senior Officer
Date: 28/11/2017
Organisation: Rossendale Borough Council
Signed By: Guy Darragh
Position: Senior Officer
Date: 28/11/2017
Organisation: SOUTH RIBBLE BOROUGH COUNCIL, PR5 1DH
Signed By: Mark Gilmore
Position: Senior Officer
Date: 05/12/2017
Organisation: West Lancashire Borough Council, L39 2DF
Signed By: TINA SPARROW
Position: Senior Officer
Date: 08/12/2017
Organisation: WYRE BOROUGH COUNCIL, FY6 7PU
Signed By: Joanne Billington
Position: Senior Officer
Date: 25/08/2017