Advice and guidance on information sharing, including information sharing agreements and privacy notices.
Information sharing agreements
The Local Information Sharing Agreement under the Derbyshire Partnership Forum Information Sharing Protocol between the Council, Derbyshire schools and academies has been reviewed and extensively updated to comply with GDPR and Data Protection Act 2018 legislation, as required under agreement terms. It covers all data sharing arrangements that involve the sharing of personal data between the Council, Derbyshire schools, Derbyshire academies and multi academy trusts with schools within Derbyshire where all the partners are acting as data controllers. We are asking all Derbyshire schools, academies and multi academy trusts to confirm they agree with updated terms of the agreement by completing the Agreement Sign Up web form by 30 September 2020.
On submission of the form your school or academy will be registered as a partner to updated agreement and you will receive a confirmation email for your records (the confirmation email will be from the ‘Microsoft Power Apps and Power Automate’ email address, check your Junk mail if necessary).
The web form will also provide an opportunity for your school to be registered as a partner to Derbyshire Special Education Needs and Disabilities ISA and, for schools in Derbyshire RM Integris Contract Only, the opportunity to register for or continue to use the secure pupil data sharing functionality provided as part of the RM Integris system.
Full copies of agreements and schedules can be found attached to this web page.
Please note, any data sharing arrangement involving the processing of personal data where one of the partners is acting a data processor rather than data controller should be subject to a specific agreement relating to the data processing activity.
The Information Commissioners Office (ICO) guidance on information sharing agreements, which it refers to as 'data sharing agreements or protocols', is as follows.
Data sharing agreements - sometimes known as 'data sharing protocols' - set out a common set of rules to be adopted by the various organisations involved in a data sharing operation. These could well form part of a contract between organisations. It is good practice to have a data sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.
A data sharing agreement should, at least, document the following issues:
- the purpose/s of the sharing
- the potential recipients or types of recipient and the circumstances in which they will have access
- the data to be shared
- data quality – accuracy, relevance, usability
- data security
- retention of shared data
- individuals’ rights – procedures for dealing with access requests, queries and complaints
- review of effectiveness/termination of the sharing agreement
- sanctions for failure to comply with the agreement or breaches by individual staff
For more information see the ICO data sharing code of practice Information Commissioners Office (ICO) guidance on information sharing agreements
Secure document transfer portals
To share confidential data securely and comply with statutory regulations in regard to the sharing of personal information, schools can access various secure data transfer systems.
Perspective Lite secure area
The Perspective Lite secure area provides secure two way communication between the local authority and schools. It is used to transfer confidential documents containing pupil details and/or staffing details.
Only a limited number of staff in schools will have permission to see this area and access to it must be authorised by the headteacher.
Department for Education (DfE) school to school website
This system allows schools to securely share pupil files with other schools, the DfE's missing pupil database and the Local Authority. It is normally used to share common transfer files relating to pupils transferring schools.
The Data Protection Act (DPA) requires that personal data be processed fairly. This means that people should generally be aware of which organisations are sharing their personal data and what it is being used for.
The DfE recommends as 'good practice' data controllers at all schools and academies issue parent or carers, pupils and staff a privacy notice which explains why personal information is being held and who it is being shared with.
They can be issued to new learners or staff by your school at the same time as other communications. For example, a pupil might receive the privacy notice as part of a school brochure or induction pack. For staff, a privacy notice might be included as part of a contract or induction pack, and/or posted on the staff notice board. The staff privacy notice should mention the data sharing requirement of the 'School Workforce Census'.
It is also good practice to publish your privacy notice on your schools website.
It is recommended you review and update your privacy notices on an annual basis and reissue updated versions.
For further information, see the DfE Guidance on data protection and privacy notices and data sharing code of practice which is attached to this page.