Surrey MAISP Tier 1
The Multi Agency Information Sharing Protocol (MAISP)
- Provides guidance to staff on how and when to share personal data
- Provides a checklist of requirements before data sharing
- Helps with the requirements in the Data Protection Act and UK-GDPR around transparency and accountability
- Can form part of Record of Processing Activities
The MAISP does NOT
- Give an automatic right to share any data
- Make any data sharing mandatory
- Automatically override any local practice or organisation's own Data Protection Officer advice
- Constitute any form of legal advice and should not be relied on or treated as a substitute for specific advice relevant particular circumstances
Handling of complaints, information requests or breaches of the MAISP
The Surrey MAISP Action Group should be notified of any complaints or breaches of the MAISP. Email: email@example.com
MAISP Tier 1
Signing up to MAISP Tier 1 means that your organisation is committed to promoting responsible, legitimate and ethical data sharing and that you will provide any resources to meet those commitments.
The MAISP Tier 1 outlines the principles and practices that signatory organisations already have or will work towards putting in place before any data sharing takes place. It outlines all the necessary arrangements to ensure the secure and appropriate sharing of information and data, whilst safeguarding the rights and privacy of the individuals that have trusted organisations with their personal information.
Data sharing protocols and agreements are not mandatory. They put in place good practice so that it is beyond doubt what each signatory organisation's responsibilities and obligations are, what security measures will be in place when the data is shared and who the relevant contacts are for each organisation.
Where personal data is to be disclosed the signatories commit to the following:
Each organisation will identify the lawful basis for sharing the data. The lawful basis will be identified before any sharing takes place. You cannot "swap" lawful basis once sharing starts but you can identify more than one at the start. If it is necessary to change lawful basis of an ongoing data sharing agreement then you should contact the Surrey MAISP Action Group for advice.
If processing special category data, then you need to identify an additional lawful basis and special category condition. If you are processing data about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing and an additional condition. You should also list any relevant legislation or statute empowering this sharing activity.
Remember, signing up to this protocol is not in itself a lawful basis for sharing data.
Each organisation will clearly outline and agree the purpose of the processing and any benefits that will result from the sharing with all who will share the data.
Data Privacy Impact Assessments (DPIAs)
Each organisation will:
- Identify if there is a need for a DPIA using either local practices or the Information Commissioner's (ICO) screening checklist
- Complete a DPIA where any of the processing is likely to result in a high risk to the rights and freedoms of individuals
- Assign the processing to an already completed DPIA where appropriate
Each organisation will be clear of the roles and responsibilities at the outset:
- Controller - The organisation that determines the purposes and means of the processing of personal data
- Joint data controllers - Two or more controllers or data owners that jointly determine why and how to process personal data
- Processor - The organisation which processes personal data on behalf of the controller
Information shared becomes the responsibility of the receiving organisation and the receiving organisation will manage the information received in accordance with the duties of a data controller.
Each organisation will:
- Identify all the rights that the data subject has under the processing
- Have a process to comply with the exercise by data subjects of those rights
- Right of access
- Right to rectification
- Right to be forgotten
- Right to restriction
- Right to data portability
- Right to object
- Right not to be subject to a decision based solely on automated decision-making, including profiling
Each organisation will:
- Have the necessary processes and checks to ensure the accuracy of the information shared
- Agree it is the originating organisation who remains responsible for the accuracy of the data shared
- Ensure that there is a process to rectify any inaccurate data and ensure that they can cascade any changes or rectifications made
All organisations should, where practical, work towards ISO 9001 (although accreditation to that standard is not necessary) and/or apply relevant sector guidance/standards to the quality of their data.
- The Data Standards Authority (DSA) recommendations on the use of new open data standards to improve data sharing across government
- The Government Data Quality Framework. The framework complements existing ambitions to improve the quality of government data and analysis
Each organisation will ensure the appropriate levels of security for the volume and scope of the data to be shared. Consideration must be given to the data both in transit and at rest. The arrangement must:
- comply with the Data Protection Act 2018 and the UK-GDPR
- be proportionate to the risk
- ensure adequate staff training and appropriate accreditation
- be adequately maintained and/or updated
- comply with any sector specific requirements such as the NHS Data Security and Protection toolkit
Data and security breaches
In the case of any data or security breaches that affect any data shared they must be brought to the attention of the nominated officer or the data controller in each organisation. All involved organisations must be informed without delay and at least within 48 hours of the breach being detected.
Accountability and transparency
Each organisation must be able to demonstrate compliance with the accountability and transparency principles in the Data Protection Act 2018 and UK-GDPR. For example, being transparent with service users about how their personal data is going to be used by ensuring that their privacy or fair processing notices properly reflect their data sharing arrangements.
Each organisation will ensure that appropriate staff training on information sharing and management of shared data takes place regularly.
Records, retention and disposal
Each organisation should have:
- retention and weeding policies which they can follow
- commit to not holding that data for any longer than is necessary for the purpose that the data was shared
It remains each organisations responsibility that the personal data is held in accordance with the law and any data sharing agreements entered into by each organisation.
Being a signatory to the MAISP does not mean that you should automatically share data. You must be confident that there is a legitimate reason for doing so, the protections are adequate, and there are appropriate safeguards in place before you share. If you are in any doubt, or hesitant, contact your organisation's Data Protection Officer or Information Governance Team.
- There is nothing in the MAISP, Data Protection Act 2018 or UK-GDPR that stops you sharing data in an emergency or critical situation
- The signatories to MASIP Tier 1 will be open and act in good faith in their dealings with each other
- If a complaint is received in relation to the sharing of information under the MAISP, the respective signatories will keep each other informed of any developments, progress and lessons learned
- Signatories will commit to supporting the work of the Surrey MAISP Action Group as it relates to this protocol and to provide appropriate resourcing
Review: The Surrey MAISP Action Group will review and update the MAISP Tier 1 at least every three years. Any changes will be communicated to the signatories.