Guidance for Controllers relating to the Register of Information Sharing Agreements under Part 5 of the Digital Economy Act
Updated 12 February 2020
© Crown copyright 2020
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/digital-economy-act-2017-part-5-codes-of-practice/guidance-for-controllers-relating-to-the-register-of-information-sharing-agreements-under-part-5-of-the-digital-economy-act
Introduction
Part 5 of the Digital Economy (DE) Act 2017 introduced a number of new information sharing provisions for specified purposes. Codes of practice related to these information sharing provisions have been published. The codes of practice provide details to practitioners on how information sharing powers under the DE Act 2017 must be operated. The codes of practice relating to public service delivery (PSD), debt and fraud and civil registration place a requirement on the Controller(s) to set out information about their information sharing agreement (ISA) - made under chapters 1 (PSD), 2 (civil registration), 3 (debt) and 4 (fraud) of Part 5 of the DE Act - within a publicly available register. This guidance should be read alongside the code of practice for the PSD, debt and fraud provisions and the code of practice for civil registration data. This guidance sets out:
-
guidance for Controllers concerning the information required for inclusion in the register of information sharing and how they should be submitted; and
-
the process and rules by which the Department for Digital, Culture, Media & Sport (DCMS), the General Register Office (GRO), and the Cabinet Office (CO) will act as custodians of register entries pertaining to powers for which they are responsible
What are the registers and why do they need to be completed?
The codes of practice relating to PSD, debt and fraud and civil registration provisions include a requirement for information about ISAs to be captured in a publicly available register. This requirement is not imposed by any specific provision of the DE Act 2017. It is a Government policy which is supported by the statutory code of practice.
The General Data Protection Regulation (GDPR) via the Data Protection Act 2018 places greater emphasis on transparency and the rights of data subjects. The register of ISA’s helps public authorities to operate more transparently and is aligned to Principle 1 of Article 5 of the GDPR that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The requirement to provide information about sharing under these powers for inclusion in a public register applies to all persons listed in the relevant schedules to the DE Act. The schedules set out the specified persons able to share information under each of the information powers in Part 5 of the DE Act. All persons disclosing and using information under the powers are expected to have regard to the register policy in the code of practice. Where a government-controlled authority is involved in an information share, adhering to the register obligations will be a condition of its participation. Bodies that fail to have regard to relevant requirements of the code may be removed from the schedule.
The register of ISAs provides a number of benefits, including making information about how the information powers in Part 5 of the DE Act are being used publicly available. The register will also help public authorities understand how the powers are being used. This will help them better determine how they could use the powers to improve their respective services and deliver better outcomes for citizens. The register also enables the government to monitor how the powers are being used and to better understand their impact.
Who has to provide information for inclusion in the register?
Responsibility for submitting the required information about an ISA for a disclosure or group of disclosures under the PSD provisions rests with the Controller. A Controller under the GDPR is defined as a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this guidance, responsibility for submitting information about an ISA for inclusion in the register falls with the Controller or Controllers as identified and agreed in the ISA. If there is more than one Controller, they should work together to provide information for a single entry in the register.
For ISAs for debt and fraud pilots, a lead authority may be identified to determine information for inclusion in the register. In the case of the debt and fraud provisions, lead authorities will work with the secretariat for the Review Board, who will be responsible for providing the information for the register entry to the Government Digital Service for uploading into the register.
For civil registration, the information for the register will be provided by the Registrar General. Where an agreement establishes several disclosures over a period of time such as a data feed, a single entry is sufficient.
Which information sharing agreements are in scope of the register?
Every ISA which uses the provisions within chapters 1, 2, 3 & 4 of Part 5 of the Digital Economy Act (PSD civil registration, debt and fraud) to disclose and use data are in scope of the register. There may be instances where there are national programmes of work which result in individual agreements being made with a large number of public authorities. The policy intention is to reduce burdens on Controllers but it is important that entries under the register also provide accurate summary information relating to the agreement to support transparency objectives such as method of data transfer. Controllers may wish to consider creating agreements that cover multiple bodies or agree common text for key fields such as description of agreement and anticipated benefits.
What information needs to be provided?
The following table sets out the fields of information that need to be included in the Information Sharing Agreement Register for each ISA. The table below includes the rules around each data field.
| Title of data field | Purpose | Note |
|---|---|---|
| ID | The ID number for the information sharing agreement. | The ID number will be generated by DCMS |
| Name | A short description or title of the information sharing agreement | Up to 150 characters |
| Purpose | A longer description setting out what the information sharing is intended to achieve | Up to 600 characters |
| Information sharing benefits | Short description summarising the anticipated benefits of the information sharing agreement | Text up to 600 characters |
| Legal power disclosure | The chapter or specific objective under the PSD chapter under which the information is disclosed | This information is drawn from a separate register of chapters/objectives under Part 5 of Digital Economy Act |
| Disclosed information | A description of the information disclosed by the controller under the agreement | A list of specific data fields from a particular data set(s) |
| Controllers | Unique codes of the Controllers disclosing information under the agreement. | This information is drawn from a separate register of specified persons able to disclose or receive information under the relevant chapter. |
| Controller names | Names of specific Controllers within a class of specified persons within the relevant schedule, such as a specific local authority. | Free text: Provide the name of the organisation(s) and the class of specified person(s) e.g Surrey CC, a County Council in England (number 11 of the PSD schedule in the DE Act 2017). Where a controller is a non public sector organisation providing services in connection with a specified objective, please provide the name of the organisation and the public authority to which it is providing a service e.g. a charity providing services to Surrey CC. |
| Information sharing method | A brief description of the method of transferring data. | Examples of descriptions of methods could include but are not limited to: via email across open internet network; via email within assured transport network; via encrypt and send (message and attachment are encrypted and stored on secure message server); standard file transfer protocol; secure file transfer protocol; removable storage devices; telephone/mobile phone; Internet based collaborative sites (such as peer to peer or cloud file sharing); information by post; or hand delivery/collection. |
| Processors | Unique codes of the processors or recipients of information under the agreement. | This information is drawn from a separate register of specified persons able to disclose or receive information under the relevant chapter. |
| Processor names | Names of specific processors within a class of specified persons within the relevant schedule, such as a specific local authority. | Free text: Provide the name of the organisation(s) and the class of specified person(s) e.g Surrey CC, a County Council in England (number 11 of the PSD schedule in the DE Act 2017). Where a processor is a non public sector organisation providing services in connection with a specified objective, please provide the name of the organisation and the public authority to which it is providing a service e.g. a charity providing services to Surrey CC |
| Retention period | How long the information will be held by the recipient | A period of time expressed according to the ISO8601 time interval standard e.g. P2Y = two years; e.g. P1Y2MT3D = 1 year, two months and three days; e.g. 2018-02-27/P2Y = 2 years starting 27 February 2018 |
| Start date | Date when the information sharing agreement comes into effect | A date expressed according to the ISO 8601 standard i.e. yyyy-mm-dd |
| End date | Date when the information sharing agreement comes to an end | A date expressed according to the ISO 8601 standard i.e. yyyy-mm-dd |
| Review date | Date when the information sharing agreement will be reviewed by the governance or Controllers with oversight responsibility for information sharing agreement where the data sharing is not a one-off sharing agreement | A date expressed according to the ISO 8601 standard i.e. yyyy-mm-dd |
| Contact | Contact details for any subject access requests or general enquiries about the information sharing agreement | Given the fact people move on from roles, the recommendation is that the register entry includes email addresses for managed mailboxes rather than specific individuals. |
Reference registers which link to the information sharing agreement register
The reference registers for the legal powers under which information is disclosed under Part 5 of the DE Act 2017 and the Specified Persons able to disclose and use data under those provisions will be maintained by DCMS. As objectives and specified persons able to use and disclose information for those objectives must be made via regulations, these two registers will be amended by DCMS following appropriate Parliamentary approval and before the regulations come into effect.
Descriptions of information sharing agreements related to combating fraud
There may be instances where publication of information about an ISA may in itself risk the objectives of the data share, such as where it pertains to national security, counter-fraud or criminal investigations. In such instances an entry should still be submitted to the appropriate body (to DCMS where the entry relates to the PSD power, to Cabinet Office where it relates to the debt or fraud powers and to GRO where it relates to the civil registration power) and a description agreed for publication and audit purposes.
For counter-fraud ISAs, the Secretariat for the Review Board based in the Cabinet Office should be provided with a full description of the agreement along with a suggested description for inclusion in the register. In instances where the inclusion of information might damage the integrity of the pilot, or jeopardise the objectives, then the lead authority is permitted to redact this information. When submitting information to the Secretariat for the Review Board in instances such as this, the lead authority must:
-
Highlight where there are redactions
-
Set out specifically what information is being redacted and
-
Explain why the information is being redacted
For civil registration, either the GRO or individual local registration service responsible for updating the register will ensure that details of ISAs entered on the register that pertain to national security, counter-fraud or criminal investigations do not put any policy objectives at risk. Information submitted will redact any sensitive information to safeguard the integrity and purpose of the data sharing arrangement.
Information about sharing agreements should be submitted via the following email addresses:
-
Information about ISAs made under the PSD provisions should be submitted to the secretariat for the PSD Review Group based in DCMS via ISAregister@culture.gov.uk
-
Information about ISAs made under the debt and fraud provisions should be submitted to the secretariat for the Review Board based in Cabinet Office via DEA-data-sharing-fraud-and-debt@cabinetoffice.gov.uk
-
Information about ISAs made under the civil registration provisions should be submitted to the General Register Office via DataGRO@gro.gov.uk
When information about an agreement should be submitted?
Information about an ISA should wherever possible be published on the register when the agreement has been signed and agreed by all participants. Agreements should state when the agreement or sharing of information will commence. The register helps individuals to exercise their rights under GDPR, such as the right of access, right of erasure or the right to protest. To optimise the effectiveness of the register to support individuals exercise their rights, information about agreements should be published wherever possible before data is shared.
What happens to the information after you submit it (responsibilities of custodians)?
The Controller or Controllers and participants will need to agree what information is to be submitted before the details on the information sharing agreement are submitted to the relevant custodian. Once you submit an entry for the register it will be reviewed by the relevant custodian (DCMS, Cabinet Office or GRO). The custodian may come back with queries or suggested modifications for the entry. The information will not be added to the register until it has been checked and agreed by the relevant custodian, data controller and participants. Once the entry has been reviewed and approved it will be submitted to DCMS who will upload the entry on to the register within 2 working days. This timeframe will be kept under review and is subject to the volumes of ISA’s being submitted to DCMS for uploading into the register.