14. Data Sharing Agreement
If the data controller (the disclosing data controller) wishes to share data with another data controller (the receiving data controller), including, but not limited to:
- insurance companies;
- legal representatives; and
- *tenants of a data controller’s premises,

it is good practice to put a Data Sharing Agreement in place between the two parties. Typically, this would apply to CCTV footage, persons of interest images and access control data.
* Unless the Data Controller states to the contrary in its privacy notice, the purpose of its surveillance and security systems is to achieve the legitimate interest of protecting the property, ensuring the safety of visitors, tenants and clients, and assisting with the prevention and detection of crime. It could therefore be seen that a request could be refused if it relates to time and attendance or other HR-related issues. Clause 4 of the generic VeriFi Data Sharing Agreement (see below) refers to this matter.
VeriFi includes provision of a generic Data Sharing Agreement within the annual service charge; it is for the parties to take legal advice if there is any doubt as to its suitability.
If this service is adopted, VeriFi will complete the generic document ready for signature on behalf of the disclosing data controller.
Find more data sharing guidance from the Information Commissioner’s Office.
SAMPLE DATA SHARING AGREEMENT
This generic Data Sharing Agreement is offered in this form only; it is for the disclosing data controller and the receiving data controller to take legal advice if there is any doubt as to its suitability. It may subsequently be decided not to adopt this option and for both parties to develop and agree to a bespoke agreement.
Personal data will only be shared if the receiving data controller has a current registration with the Information Commissioner’s Office relating to the processing of personal data.
This Agreement is between:
- [name of company] of [registered office or principal place of business] who is registered with the ICO as a data controller with registration number [insert] (the “disclosing data controller”); and
- [name of company] of [registered office or principal place of business] who is registered with the ICO as a data controller with registration number [insert] (the “receiving data controller”)
This information must be checked against the Data Protection Public Register at www.ico.org.uk to ensure that it is current, prior to release of any data.
Failure to comply may result in an infringement of Data Protection Legislation.
The “Premises” are [address of the premises subject of this Agreement]
1. The receiving data controller accepts the terms of this Data Sharing Agreement and undertakes to ensure that personal data obtained from the disclosing data controller for the Premises is processed in accordance with the requirements of current Data Protection Legislation applicable in the UK.
2. The receiving data controller undertakes to take all reasonable steps to ensure the safe custody of any personal data released to it by the disclosing data controller.
3. Subject to the terms of this Agreement and upon receipt of a written application stating the receiving data controller’s intended use of the requested data, the disclosing data controller may permit the receiving data controller to have access to CCTV surveillance and other security related personal data connected with the Premises.
4. Data sharing requests relating to HR issues will not be fulfilled unless the receiving data controller can demonstrate, to the disclosing data controller’s satisfaction, that the affected data subjects had been previously informed that the surveillance and security systems operated by the disclosing data controller may be used to monitor those data subjects when carrying out work duties. The disclosing data controller’s decision on this matter shall be final.
5. Data/images will only be released in the form of controlled media decided by the disclosing data controller. In cases where personal data is to be transferred electronically to the receiving data controller, such transfer shall be via a secure file hosting service which meets the requirements of the disclosing data controller. The receiving data controller will supply the file hosting service.
6. Prior to release/transfer of the personal data to the receiving data controller, a Data Release Log (VeriFi ref DRL:01) must be completed by the disclosing data controller and signed for by the Representative of the receiving data controller (see clause 8) or a Nominated Deputy (see clause 9).
7. The receiving data controller accepts that its representatives may be required to provide photographic ID in the form of a driver’s licence, passport or company ID badge before they are permitted to view or receive personal data from the disclosing data controller.
8. “Representative” of the receiving data controller:
   [Title | Full name | Position]
9. “Nominated Deputies” of the receiving data controller:
   [Title | Full name | Position]
   [Title | Full name | Position]
   [Title | Full name | Position]
SIGNED BY the receiving data controller acting by its authorised signatory:
SIGNED BY the disclosing data controller acting by its authorised signatory:
© 2019 VeriFi CCTV Ltd. Doc ref. VF 2DSA Issue Date 18/11/2019
IN CASES WHERE THE RECEIVING DATA CONTROLLER INTENDS TO APPLY ANY OTHER DATA IN CASES THAT MAY RESULT IN EMPLOYMENT LAW DISPUTES, THE FOLLOWING IS OF INTEREST IN RELATION TO CLAUSE 4 OF THE ABOVE SAMPLE AGREEMENT.
Employees’ Right to Privacy
The right to privacy under Article 8 of the European Convention on Human Rights (ECHR) has been invoked in cases brought by employees who have been monitored using CCTV in their workplaces, even where the filming took place in public areas.
The case of Lopez Ribalda v Spain set out the following guidance on factors to be considered in deciding whether employee surveillance is proportionate under Article 8 ECHR:
- Whether the employee has been notified of the possibility of video-surveillance measures being adopted by the employer and of the implementation of such measures. While in practice employees may be notified in various ways, depending on the particular factual circumstances of each case, the notification should normally be clear about the nature of the monitoring and be given prior to implementation.
- The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy. In this connection, the level of privacy in the area being monitored should be taken into account, together with any limitations in time and space and the number of people who have access to the results.
- Whether the employer has provided legitimate reasons to justify monitoring and the extent of the monitoring. The more intrusive the monitoring, the weightier the justification that will be required.
- Whether it would have been possible to set up a monitoring system based on less intrusive methods and measures. In this connection, there should be an assessment in the light of the particular circumstances of each case as to whether the aim pursued by the employer could have been achieved through a lesser degree of interference with the employee’s privacy.
- The consequences of the monitoring for the employee subjected to it. Account should be taken, in particular, of the use made by the employer of the results of the monitoring and whether such results have been used to achieve the stated aim of the measure.
- Whether the employee has been provided with appropriate safeguards, especially where the employer’s monitoring operations are of an intrusive nature. Such safeguards may take the form, among others, of the provision of information to the employees concerned or the staff representatives as to the installation and extent of the monitoring, a declaration of such a measure to an independent body or the possibility of making a complaint.
Under the Data Protection Act, employees are entitled to make a “subject access request” regarding personal data about themselves. This includes the right to see CCTV recordings. Any such requests need to be handled appropriately and in accordance with the timings set out in the GDPR.
The guidance suggests that employers who use or plan to use CCTV should have in place:
- a CCTV policy to be inserted into the staff handbook;
- a data protection impact assessment regarding the use of CCTV; and
- an employee privacy notice (and general data protection policy) that covers the use of CCTV, updated if it does not.
In order that a Data Sharing Agreement can be set up by VeriFi, the following information must be provided:
- name of the receiving data controller;
- registered office or principal place of business of the receiving data controller; and
- ICO registration number of the receiving data controller.
VeriFi will then provide a PDF copy of the agreement so that two copies can be printed for signature: one for the Recipient, and the other as the disclosing data controller’s hard copy for filing. An electronic copy will be saved in the VeriFi EIDOS document library.
A tenant that issues the data controller with personal data relating to its staff for access control administration purposes may require the data controller to enter into a Data Processing Agreement.