Reference Click Number here to enter text. Memorandum of Understanding (MOU) for Information Sharing

This MOU does not replace the requirements on agencies to comply with: Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) Health Records and Information Privacy Act 2002 (NSW) (HRIP Act)

Please refer to the Guidelines for sharing Information between government agencies

Party A Click here to enter text. Type of NSW Agency Organisation Party B Click here to enter text. Type of NSW Agency Organisation

Information Information including datasets to be agreed as per Annexure A (Template attached). Transferred

Effective End Date Ongoing Start Date

Authorised Click here to enter text. Title Click here to enter text. Delegate for Party A

Signature ______Date ______

In the Click here to enter text. Presence of (Witness)

Signature ______Date ______

Authorised Click here to enter text. Title Click here to enter text. Delegate for Party B 0b30ce36bd7dcf05728ca1b89b77c5db.docx Page 1 of 13 Signature ______Date ______

In the Click here to enter text. Presence of (Witness)

Signature ______Date ______

1. Parties

1.1 This MOU is made between and binds the following parties: 1.1.1 [Insert agency A name] ([Insert agency A short name]) ABN: [Insert agency ABN] [insert agency address] 1.1.2 [Insert agency B name] ([Insert agency B short name]) ABN: [Insert agency ABN] [insert agency address]

2. Background

2.1.1 [insert background to the parties’ relationship]

2.1.2 [Insert agency A name] and [Insert agency A name] now wish to establish an ongoing relationship for sharing data and information between them.

2.1.3 By this MOU, the parties wish to:

3.a) record the general terms of that relationship, to facilitate the secure and timely flow of data and information between them; and

3.b) establish an efficient mechanism for entering into separate agreements from time to time (under the general operation of this MOU) in relation to the sharing of specific sets of data and information.

1 Operative provisions In consideration of the mutual promises set out in this MOU, the parties agree to be bound by the following terms:

3. Interpretation

3.1 Definitions

Unless the contrary intention appears, a capitalised term has the meaning shown opposite that term in the table below: Term Meaning Approved Purposes has the meaning given in item 1 of the Schedule. Authorised User has the meaning given in clause Use of Shared Information. Authorised the persons identified in item 2 of the Schedule. Representatives Commencement the date the coversheet to this MOU is last signed by a party’s Date authorised delegate. Confidential has the meaning given in clause Confidentiality. Information Data Custodian has the meaning given in clause responsibility for the Shared Information. Health Information has the meaning given to that term in HRIPA. HRIPA Health Records and Information Privacy Act 2002 (NSW). Information Sharing a schedule, substantially in the form of Annexure A, by which a Schedule specific set of Shared Information is to be Shared, and recording the terms and conditions specific to that Shared Information. MOU this memorandum of understanding. NSW Data and the NSW Data & Information Custodianship Policy v1.0 dated Custodianship June 2013. Policy IM Framework the framework set out at http://finance.nsw.gov.au/ict/information-management- framework and in related documents, or any website or information that supersedes this information. Personal has the meaning given to that term in PPIPA. Information PPIPA Privacy and Personal Information Protection Act 1998 (NSW). Share to disclose. Shared Information the information Shared by an Originating Party with a Recipient Party in accordance with this MOU, being information specified in a signed Information Sharing Schedule. Schedule the schedule to this MOU.

3.2 Interpretation

In this MOU:

a) where a word or phrase is defined, its other grammatical forms have a corresponding meaning;

b) a reference to any legislation or to any provision of any legislation includes any modification, re-writing or re-enactment of it, any legislative provision substituted for it, and all regulations and statutory instruments issued under it;

Page 3 of 13 c) a reference to a clause, annexure or schedule is to a clause of, annexure or schedule to this MOU;

d) a reference to this MOU includes any annexure or schedule;

e) words of inclusion are not words of limitation; and

f) the singular includes the plural and vice versa.

3.3 Commencement of the MOU

This MOU takes effect on and from the Commencement Date.

4. Agreement to Share information 4.1.1 By this MOU, the parties express their mutual intention to identify opportunities to share data and information, in a manner that aligns with their business objectives and with the Approved Purposes. 4.1.2 To alter the Approved Purposes, the receiving party must consult the originating party. The originating party must agree to the change before the receiving party may use the data. 4.1.3 Each party agrees to use reasonable endeavours to enter into an Information Sharing Schedule for each jointly identified opportunity, under the general terms and conditions set out in this MOU. 4.1.4 Each party agrees to procure the establishment of internal procedures to ensure that the authority to approve and sign an Information Sharing Schedule is delegated to an appropriate officer within the organisation with relevant responsibilities and accountabilities.

5. Licence The Originating Party grants to the Recipient Party a non-exclusive, non- transferable, royalty free licence to use, reproduce and adapt the Shared Information for the Approved Purposes (on the terms, and subject to the restrictions, set out in this MOU).

6. Use of Shared Information

Each party agrees, as a Recipient Party, that:

6.1.1 it will:

a) use the Shared Information for the Approved Purposes only, in consultation with the Originating Party;

b) where necessary (that is, in relation to Shared Information that includes Personal Information or Health Information), nominate certain authorised users to have access to the Shared Information (Authorised Users) and ensure that only Authorised Users have access to the Shared Information; and c) seek the authorisation and approval of the Originating Party before making public, or disclosing to any third party, the Shared Information or any document incorporating Shared Information; and

6.1.2 it will not:

a) permit access, or release any Shared Information, to a third party (except as set out in clause 12.2 or with the express consent of the Originating Party); or

b) produce any information based on, or incorporating, the Shared Information that generates Personal Information or Health Information (that is, it re- identifies a person), unless permitted by law.

6.1.3 For the purposes of this clause 6, another division within the Recipient Party is not deemed to be a third party. Any specific restrictions on intra-agency transfer should be noted in the relevant Information Sharing Schedule.

7. Quality and responsibility for the Shared Information

7.1.1 The Originating Party must ensure that the Shared Information complies with the requirements specified in the relevant Information Sharing Schedule, and must use its best efforts to ensure that the Shared Information is fit for purposes for which it was created with respect to its accuracy, completeness and quality.

7.1.2 The receiving party is responsible for ensuring the fitness of the data for any further use. The receiving party must take appropriate measures to ensure that the most ‘up to date’ version of the data is used and that the information fit to support the new process.

7.1.3 The data custodianship of information will be determined as follows:

a) the Originating Party remains the data custodian of the Shared Information in the form it was Shared, and it delegates certain management responsibilities in relation to the Shared copy of that information to the Recipient Party; and

b) the Recipient Party will be the data custodian of information generated by it, which incorporates the Shared Information,

the relevant party in the circumstances being the ‘Data Custodian’.

7.1.4 The applicable Data Custodian must, in relation to the Shared Information:

a) exercise functions relating to access to information under the Government Information (Public Access) Act 2009 (NSW);

b) exercise functions relating to State records under the State Records Act 1998 (NSW), if the State records relate to or are made in connection with the exercise of its other functions; and

c) comply with the NSW Data and Information Custodianship Policy and other aspects of the IM Framework, as applicable.

Page 5 of 13 7.1.5 If a Recipient Party receives a request under the Government Information (Public Access) Act 2009 (NSW) in relation to the Shared Information for which the Originating Party is the Data Custodian, it must transfer that request to the Originating Party.

8. User Support The Originating Party will provide the Recipient Party with technical assistance to the extent reasonably required to permit use of the Shared Information in accordance with the Approved Purposes.

9. Information and records management arrangements

9.1 Transfer of the Shared Information

9.1.1 The Originating Party must deliver applicable Shared Information to the Recipient Party in accordance with the agreed specifications and timing set out in the relevant Information Sharing Schedule and the security requirements set out in clause Security arrangements. 9.1.2 The Originating Party must notify the Recipient Party in writing of any delay in the arrangements for the provision of the Shared Information.

9.2 Information management 9.2.1 The Recipient Party must create appropriate and accurate records of any document or information incorporating the Shared Information. 9.2.2 The Recipient Party will develop a plan for managing the Shared Information that is consistent with its approach to compliance with the IM Framework. 9.2.4 If applicable, the Receiving Party will retain the master list of how the source data unique identifier from the Originating Party links to their source system unique identifier. This list will only contain source system unique identifiers and will not contain Personal Information.

9.3 Retention and disposal The Recipient must only dispose of Shared Information:

a) according to the agreed transfer, storage and disposal method and timeframe agreed in the schedule (substantially in the form of Schedule 1) that applies to the Shared Information;

b) in accordance with the Recipient’s internal standards or procedures;

c) in accordance with the State Records Act 1998 (NSW) and related authorities and guidance, and d) inform the originating agency (if required by the originating agency).

10 Security arrangements 10.1 Transfer The Originating Party must deliver the Shared Information securely to the Recipient Party by transferring it in accordance with the security measures and to the named person specified in the relevant Information Sharing Schedule. 10.2 Secure storage 10.2.1 Once received by the Recipient Party, the Recipient Party is responsible for ensuring the security of the Shared Information until it is disposed of in accordance with clause 9.3. 10.2.2 The Recipient Party must comply with:

a) the NSW Government Digital Information Security Policy,

b) Information Classification and Labelling Guidelines,

c) Information Classification Handling Guidelines (available late 2014), and

d) the NSW Government Cloud Services Policy and Guidelines (where applicable), in relation to the Shared Information, and must make reasonable arrangements to ensure that the Shared Information is secure from any unauthorised use or disclosure (using its information security management system, where appropriate). Such arrangements should take into account the confidential nature of the Shared Information and the existence of Personal Information or Health Information, where applicable. 10.2.2 The Shared Information will have the classification and labelling status set out in relevant Information Sharing Schedule.

11 Compliance with laws and policy

11.1.1 Each of the parties will comply with laws and policies applicable to it, including those specifically mentioned in this MOU, and otherwise.

11.1.2 The parties will agree a source of authority for the Sharing of Shared Information that includes Personal Information or Health Information before such Shared Information is transferred.

11.1.3 The parties acknowledge that this MOU is not, of itself, a source of authority for collection, retention, use or disclosure of Personal Information or Health Information.

12 Confidentiality

12.1 Non-disclosure 12.1.1 Each Recipient Party acknowledges and agrees:

a) that all Shared Information Shared pursuant to the terms of this MOU is confidential (except where the Originating Party has agreed otherwise or the information is already publicly available) (Confidential Information), and is of value to the Originating Party; and

Page 7 of 13 b) to keep the Confidential Information confidential at all times. 12.1.2 Each Recipient Party must:

a) take all reasonable steps and do all things that may be reasonably required by the Originating Party to keep the Confidential Information confidential, including all documents, and all other things recording, containing, setting out or referring to any Shared Information, under effective management of the Recipient Party and protected from any unauthorised use or access;

b) immediately notify the Originating Party if it becomes aware of any unauthorised access to, or use or disclosure of, any Confidential Information; and

c) take steps to ensure that the Confidential Information is not given to a person who is not an Authorised User, including by the measures specified in clause 10. 12.1.3 This MOU does not exclude the operation of any principle of law or equity intended to protect and preserve the confidentiality of the Confidential Information.

12.2 Disclosure as required by law 12.2.1 The Recipient Party may disclose Confidential Information to the extent that is it is required to disclose such information in accordance with law. 12.2.2 The Recipient Party undertakes to provide the Originating Party with as much notice as is reasonably practical to enable the Originating Party to seek a protective order or other relief from disclosure and to provide all assistance and co-operation which the Originating Party reasonably considers necessary for that purpose.

13 Privacy

13.1 Privacy 13.1.1 The parties acknowledge and agree that in addition to being Confidential Information, Shared Information may also comprise Personal Information or Health Information. In respect of such Personal Information or Health Information, each Recipient Party agrees:

a) to comply as if it were an agency bound by the Information Protection Principles under PPIPA and the Health Privacy Principles under HRIPA;

b) that it will inform each of its Authorised Users of, and procure that each undertake in writing, to observe the provisions of this MOU and laws and policies applicable to it;

c) to take all reasonable measures to ensure that the Shared Information is protected against loss and against unauthorised access, use, modification, disclosure or other misuse and that only Authorised Users have access to it, including by the measures specified in clause 10;

d) not to transfer such information outside Australia, or allow parties outside Australia to have access to it, without the prior written approval of the Originating Party; e) the Originating party will provide amended personal/health information to the Recipient party if an individual seeks alteration to his/her personal/health information;

f) to immediately notify the Originating Party when it becomes aware of a breach or likely breach of any of the provisions of PPIPA or HRIPA; and

g) to notify the Originating Party of, and co-operate with, the Originating Party in the resolution of, any complaint alleging an interference with privacy. 13.1.2 The Recipient Party’s obligations are in addition to, and do not restrict, any obligations it may have under applicable law, or any codes of practice or directions listed in the relevant Information Sharing Schedule.

14 Authorised Representatives

14.1.1 Each party must nominate an authorised representative (Authorised Representative) to be the key contact person responsible for monitoring compliance with this MOU. Any notice required to be given by one party to the other should be directed to the Authorised Representative using the details set out in the Schedule, or as notified from time to time as contemplated by clause 14.1.3. 14.1.2 At the Commencement Date, each party has nominated the applicable person specified in item 2 of the Schedule as its Authorised Representative. 14.1.3 A party may replace its Authorised Representative (and provide the new appointee’s details) by notice in writing to the other party.

15 Review

The parties will arrange a meeting between their Authorised Representatives at least annually to assess the operation of this MOU.

Page 9 of 13 Schedule 1

Item Topic Detail 1 Approved [Insert general description of the approved purposes. It is Purposes anticipated that this will often relate to the sources of authority that enable the information sharing] 2 Authorised [Insert party A name] Representatives Name: Title: Phone: Email:

[Insert party B name] Name: Title: Phone: Email: Annexure A

Information Sharing Schedule

[Insert party A name] and [Insert party B name] are parties to a Memorandum of Understanding dated [insert date] (MOU).

By this schedule the parties wish to agree to share the information described in this schedule on the terms and conditions contained in this schedule.

The terms of the MOU (and relevant definitions) apply to the sharing of information contemplated by this schedule.

This schedule is valid until xxx.

Item Topic Detail 1 Period of agreement 2 Originating Party 3 Recipient Party 4 Shared Information [Describe the dataset or information to be shared] 5 Quality 6 Validity period of the data 7 Date the data set generated from the originating system 8 Frequency of [Is it an ongoing arrangement, a one off arrangement, or provision some type of automatic feed]

9 Format 10 Classification and [Eg. Unclassified – Sensitive] Labelling Status 11 Statement of [To be consistent with one or more of the approved purposes Approved Purposes of the MOU]

12 PIA undertaken [Yes, or No and summary of reasoning] 13 Authorised Users nominated by Recipient Party 14 Means of transfer [Consider encryption]

Attention: 15 Specific security and storage measures required Page 11 of 13 Item Topic Detail

16 Special conditions on [Consider any necessary limitations on intra-agency transfer] use and disclosure

17 Sources of authority [Eg. Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998 (the Care Act).

Section 71 of the Housing Act 2001 (Housing Act)]

18 Applicable codes of practice or directions, principles or protocols

19 Specific retention or disposal requirements

Approved by:

Authorised Click here to enter text. Title Click here to enter text. Delegate for Party A

Signature ______Date ______

In the Click here to enter text. Presence of (Witness)

Signature ______Date ______

Authorised Click here to enter text. Title Click here to enter text. Delegate for Party B

Signature ______Date ______In the Click here to enter text. Presence of (Witness)

Signature ______Date ______

Page 13 of 13