How the three tiers of the Information Sharing Protocol work

MAISP Tier 1: States the overarching requirements that both organisations would expect as a minimum in order to be able to share personal data. Check that you can fulfil the requirements in the checklist and then sign up. You can then check whether other organisations are signed up; if they are, you can be confident that they have also fulfilled the requirements in the checklist.

MAISP Tier 2: Surrey-wide, centrally approved Information Sharing Protocols (ISPs) that any organisations who regularly share data can complete. They are then published on the MAISP website, either in full or as a title and overview. There is a general blank template and sector-specific templates that you can choose to sign up to.

MAISP Tier 3: Individual bespoke information sharing protocols between specific agencies, normally processors and controllers. These may include business-sensitive information or other sensitive data. They may be contained as part of specific contract-driven requirements. The titles will generally be published on the MAISP website.

MAISP Tier 1

Signing up to MAISP Tier 1 means that your organisation is committed to promoting responsible, legitimate and ethical data sharing, and that you will provide the resources needed to meet those commitments.

This Tier outlines the principles and practices that signatories either already have, or will work towards putting, in place before any data sharing takes place. It outlines all the necessary arrangements to ensure the secure and appropriate sharing of information and data, whilst remaining responsible for safeguarding the rights and privacy of the individuals that have trusted us with their personal information.

Data sharing agreements are not mandatory but are a good practice to put into place so that it is beyond doubt what each party's responsibilities and obligations are, what security measures will be in place when the data is shared and who the relevant contacts are at each organisation.

Where personal data is to be disclosed the signatories commit to the following:

Legal basis

Each organisation will identify the legal basis for sharing the data. The legal basis will be identified before any sharing takes place. You cannot "swap" legal basis once sharing starts, but you can identify more than one at the start. If it is necessary to change the legal basis of an ongoing data sharing agreement, you should contact the MAISP Surrey User Group for advice.

If you are processing special category data, you need to identify a special category condition in addition to your lawful basis. If you are processing data about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing and an additional condition. You should also list any relevant legislation or statute empowering this sharing activity.

Remember, signing up to this protocol is not in itself a legal basis for sharing data.

Purpose

Each organisation will clearly outline and agree the purpose of the processing and any benefits that will result from the sharing with all who will share the data.

Data Privacy Impact Assessments (DPIAs)

Each organisation will:

  • Identify if there is a need for a DPIA using either local practices or the ICO screening checklist
  • Complete a DPIA where any of the processing is likely to result in a high risk to the rights and freedoms of individuals
  • Assign the processing to an already completed DPIA where appropriate

Responsibilities

Each organisation will be clear about the roles and responsibilities at the outset:

  • Controller - The organisation that determines the purposes and means of the processing of personal data
  • Joint data controllers - Two or more controllers or data owners that jointly determine why and how to process personal data
  • Processor - The organisation which processes personal data on behalf of the controller

Information shared becomes the responsibility of the receiving organisation and the receiving organisation will manage the information received in accordance with the duties of a data controller.

Individual rights

Each organisation will:

  • Identify all the rights that the data subject has under the processing
  • Have a process to comply with the exercise by data subjects of those rights
    • Right of access
    • Right to Rectification
    • Right to be forgotten
    • Right to Restriction
    • Right to data portability
    • Right to object
    • Right not to be subject to a decision based solely on automated decision-making, including profiling

Data quality

Each organisation will:

  • Have the necessary processes and checks to ensure the accuracy of the information shared
  • Agree it is the originating agency who remains responsible for the accuracy of the data shared
  • Ensure that there is a process to rectify any inaccurate data and ensure that they can cascade any changes or rectifications made
  • Where practical, work towards ISO 9001 (although accreditation to that standard is not necessary) and/or apply relevant sector guidance/standards to the quality of their data

See also:

  • The Data Standards Authority (DSA) recommendations on the use of new open data standards to improve data sharing across government
  • The Government Data Quality Framework. The framework complements existing ambitions to improve the quality of government data and analysis

Security

Each organisation will ensure the appropriate levels of security for the volume and scope of the data to be shared. Consideration must be given to the data both in transit and at rest. The arrangement must:

  • comply with the Data Protection Act 2018 and the UK-GDPR
  • be proportionate to the risk
  • ensure adequate staff training and appropriate accreditation
  • be adequately maintained and/or updated
  • comply with any sector specific requirements such as the NHS Data Security and Protection toolkit

Data and security breaches

Any data or security breach that affects shared data must be brought to the attention of the nominated officer of the data controller in each organisation. All involved Partners must be informed without delay, and at least within 48 hours of the breach being detected.

Accountability and transparency

Each organisation must be able to demonstrate compliance with the accountability and transparency principles in the DPA and UK-GDPR. For example, being transparent with service users about how their personal data is going to be used, by ensuring that their privacy or fair processing notices properly reflect their data sharing arrangements.

Training

Each organisation will ensure that appropriate staff training on information sharing and management of shared data takes place regularly.

Records, retention and disposal

Each organisation should:

  • have retention and weeding policies which they can follow
  • commit to not holding that data for any longer than is necessary for the purpose for which the data was shared

Withdrawal from the MAISP Tier 1

Any organisation can withdraw from the MAISP Tier 1 by emailing the MAISP Surrey User Group and giving at least 4 weeks' notice.

All information that has been shared or gathered under the Protocol will either be securely destroyed or will continue to be held in accordance with the Protocol agreement they were collected under.

It remains each organisation's responsibility to ensure that the personal data is held in accordance with the law and any data sharing agreements entered into by that organisation.

There is nothing in the MAISP, DPA 2018 or UK-GDPR that stops you sharing data in an emergency or critical situation.

The signatories to MAISP Tier 1 will be open and act in good faith in their dealings with each other.

If a complaint is received in relation to the sharing of information under this Protocol, the respective signatories will keep each other informed of any developments, progress and lessons learned.

Signatories will commit to supporting the work of Surrey MAISP User Group as it relates to this protocol and to provide appropriate resourcing.

How to sign up: Have the person in your organisation who has the authority to commit to the principles either sign the MAISP Tier 1 form or simply email the Surrey MAISP User Group at surreymaisp@surreycc.gov.uk. Your organisation name will be published on the Surrey County Council (SCC) MAISP website.

Review: The Surrey MAISP User Group will review and update the MAISP Tier 1 at least every three years. Any changes will be communicated to the signatories.

MAISP Tier 2

MAISP Tier 2 provides a centrally approved template data sharing agreement for organisations to use.

Once completed, each MAISP Tier 2 ISP is published on the SCC website, either in full or as brief details of the title, purpose and signatories. This means that everybody can search for those organisations already signed up.

There is no requirement for you to complete and publish a full MAISP Tier 2 ISP, and you may choose to rely on local practices or Information Sharing Agreements. However, the MAISP Tier 2 ISP is designed to ensure that, for the specific data sharing your organisations are undertaking, you are complying with the Data Protection Act 2018 (DPA), the UK General Data Protection Regulation (UK-GDPR) and the ICO statutory code of practice on data sharing. It will help with the requirements placed on you to demonstrate accountability, transparency and due diligence, while making sure that the people whose data you share have access to all their rights.

It is best for organisations that routinely share data.

How to sign up: Complete a MAISP Tier 2 ISP and have the relevant person in your organisation sign it (Data Protection Officer, SIRO, Caldicott Guardian). Remember that the contact details may be used for getting in touch with you so it's vital that you include the most relevant contact details and ensure that they are kept up to date.

Send the completed MAISP Tier 2 to the Surrey MAISP User Group at surreymaisp@surreycc.gov.uk who will publish it. Signing means that you commit to publishing the full MAISP Tier 2, or an abstract, and keeping all the information up to date.

Signing up to a MAISP Tier 2 automatically signs you up to the MAISP Tier 1.

Review: Individual organisations are responsible for reviewing MAISP Tier 2. Any MAISP Tier 2 that is 3 months past its published review date will be removed from the SCC site and the organisations will be emailed.

MAISP Tier 3

MAISP Tier 3 ISPs are individual bespoke information sharing agreements between agencies, normally Controllers and Processors, that may include business-confidential elements or other sensitive data. In general, they will be part of a wider contract between the agencies and will be written to include specific requirements.

Access to the detailed content of these individual MAISP will only be through the relevant agencies. It is still a good idea to publish the title, signatories and purpose on the SCC website to help with transparency and accountability obligations. Please contact the Surrey MAISP User Group at surreymaisp@surreycc.gov.uk for further information.

How to sign up: Sign-up follows local procedures.

Review: Under local procedures, or included directly in the MAISP Tier 3.

Summary

Make sure you know which level of MAISP you are sharing data under. Remember, nothing in the MAISP means that you should automatically share data. You must be confident that there is a legitimate reason for doing so, that the protections are adequate, and that there are appropriate safeguards in place before you share. If you are in any doubt, or even hesitant, contact your organisation's Data Protection Officer, Information Governance Team or the named contact on the relevant MAISP Tier 2.

There is nothing in the MAISP, DPA 2018 or UK-GDPR that stops you sharing data in an emergency or critical situation.

Updating and review

If any partner wants to remove themselves from the MAISP, they must let the MAISP Surrey User Group know in writing, giving at least 4 weeks' notice of withdrawal. All information that has been shared or gathered under the Protocol will either be securely destroyed or will continue to be held in accordance with the Protocol agreement it was collected under. It remains each organisation's responsibility to ensure that the personal data is held in accordance with the law.

To remove themselves from a MAISP Tier 2 or Tier 3 data sharing agreement or data processing agreement, the partner should follow the withdrawal or termination clauses in each individual agreement. The partner must also inform the MAISP Surrey User Group (giving at least 4 weeks' notice) so that the partner's information can be removed.