Kantarellstigen1

Information Sharing Agreement Example

The DSAs used across the health and care sector vary; almost all of them contain more information and binding requirements than necessary. These requirements often give the appearance of contractual requirements or legally enforceable rights and lawsuits. However, these are not binding in an ODA. If enforceable fees are required of one or all parties, they must be set out in a data processing agreement and not in a DSA.

This section describes in detail the organizations between which the agreement exists. All parties must be listed here. Organizations that process data on behalf of the parties covered by this Section are not included. If there are many controllers covered by this DSA, you can fill out an appendix.

An example of this could be two hospitals that decide to aggregate asthma patient data to understand local needs and service delivery in the region. A DSA would be appropriate for this type of release.

The end date refers to the end of the release. After this date, certain processing elements may continue to terminate the business completely, such as returning data to the original provider or archiving data in a secure location.

If a breach occurs, you should document how it is handled by the parties involved. It is impossible to document the process for each type of breach here, but the main types should be covered here – an example is inappropriate or accidental disclosure or data loss. More information on reporting violations to the ICO can be found here. It may also be necessary to inform the data subject of the disclosure of inaccurate information and of the measures that have been taken to correct the situation. It will also be important to know with whom the information has been shared, as data subjects have the right to know which organisations have accessed their data.

In some data sharing arrangements, one party may have a specific obligation or task that others do not. If so, they should be listed here, indicating what the obligation is and which party is responsible for it.

A DSA can be used between the parties to demonstrate compliance with the General Data Protection Regulation (GDPR), common law privacy and other data protection laws that go beyond the strategic vision of the Data Protection Impact Assessment (DPIA). A DPA can be used to operationalize and support the DPIA. This should help you justify your data sharing and show that you have considered and documented relevant compliance issues.

Specify here how you will manage the rights of the data subject.

For example (and not exhaustive): It may be useful to add a data flow diagram to illustrate the proposed data sharing. Ideally, these additional concerns should be taken into account in the data-sharing agreement in order to facilitate clear communication and, if necessary, to put in place additional safeguards.

The ODA should be reviewed regularly and the parties can decide on the length of this review period. The purpose of the ODA will contribute to the definition of the review period. For example, a long-term sharing program may review the DSA every two years, but a DSA for high-level sharing or a sensitive topic may be reviewed every six months. A single ODA does not require verification because the target is achieved after the publication of the data and the end of the ODA.

Indicate here which of the ten processing conditions referred to in Article 9 you rely on when processing personal data of special categories. A person's health information is classified in a special category, and in order to share it under the DSA, you must identify a condition under Section 9. Usually, this is 9(2)(h) for healthcare, but the controllers listed in this DSA must identify this condition for themselves, depending on the purpose of release.

Specify here how long the shared information will be retained, what will happen to it once it reaches the end of this retention period, and the criteria to be used to determine retention. Disposal does not always mean destruction and the signatory parties to the ODA must agree on what will happen to the data. Options can include shredding data (with permission from the source organization), returning it to source organizations for remanufacturing or destruction, or prolonged retention (with justification). The NHS Code of Practice for Records Management can help.

If the results or analyses are to be shared by organisations, this should be explained here, together with an explanation of why sharing these results is acceptable, necessary and proportionate (e.g. the results are anonymous).

Another example is that if both hospitals used a processor to collect and analyze information on their behalf, a written contract would be required. Hospitals could hold the processor liable through the contract, e.g. for the non-provision of services.

The exchange of data between the parties must also be in accordance with section 8 of the Human Rights (Right of the Individual to Family and Private Life) Act 1998. You must show how you will comply with the duty of trust. For the appropriate type of publication for a data sharing agreement, this can be done in two ways:

The date on which the DSA begins is specified here. This may not be the date of signature of the ODA. It could be at some point in the future to allow processes to be put in place before information is exchanged.