Data Sharing

Agreed Purposes - Data shared through the Court Professional Access Scheme is only to be used for the provision of the Scheme, and cannot be used for any other purpose except as required by law.

Controller, data controller, joint controller, processor, data processor, data subject, personal data, processing, personal data breach and appropriate technical and organisational measures: as set out in the Data Protection Legislation in force at the time.

Data Protection Legislation: (i) the Data Protection Act 2018, (ii) the General Data Protection Regulation ((EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, for so long as the GDPR is effective in the UK, and (iii) any successor legislation to the Data Protection Act 2018 and the GDPR.

Permitted Recipients: The parties to this agreement, the employees of each party, any third parties engaged to perform obligations in connection with this Agreement.
Processing: as defined in the Data Protection Legislation in force at the time.

Shared Personal Data: The personal data to be shared between the parties under this Agreement, set out in Annex 1.

Shared personal data
1.          Each party acknowledges that one party (LCCSA, the Data Discloser) will regularly disclose to the other party (HMCTS, the Data Recipient) shared personal data collected by the Data Discloser for the Agreed Purposes.
2.          The parties agree that where personal data is shared and disclosed its use is restricted to the operation of the Court Professional Access Scheme unless onward disclosure to other agencies is necessary in the public interest and is lawful.
3.          The parties are data controllers for different aspects of the processing activities needed to deliver the Court Professional Access Scheme. The LCCSA is the data controller for the data of solicitors who wish to join the Scheme, which they collect for various purposes, including the production of ID cards to be used in accessing the courts. When the data is shared with HMCTS, HMCTS uses the data on the cards to provide security checks and access to HMCTS buildings. The role of HMCTS regarding the data on the ID cards is that of a data controller as HMCTS has the duty to provide security checks in the courts and ensure the processing meets with a lawful basis under Article 6 (1) GDPR and in doing so determines the purposes and means of the processing activity.
Compliance with the Data Protection Legislation
4.          The specific lawful basis that underpins the processing of data between LCCSA and HMCTS is consent, Article 6(1)(a) GDPR. The specific lawful basis that underpins the processing of data by HMCTS for security checks at the Courts is Article 6(1)(e), i.e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
5.          Each party shall comply with all the obligations imposed on a controller in respect of the Shared Personal Data under the Data Protection Legislation and any material breach of the Data Protection Legislation by one party shall, if not remedied within 15 days of written notice from the other party, give grounds to the other party to terminate this agreement with immediate effect.
6.          Parties have a requirement under the Data Protection Legislation including the DPA and GDPR to provide data subjects with a Privacy Notice. Both parties agree to include details of this Data Sharing Agreement within their respective Privacy Notices.
7.          The parties agree to identify points of contact in their respective organisations to facilitate the sharing and disclosure of information.
a)    For LCCSA, the administrator Sara Boxer; and
b)    For HMCTS, the Information Asset Owner is Craig Robb.
8.          The parties will exchange information to the extent permitted by law, and in a timely fashion, to enable each other to process it according to their own internal procedures. The parties will disclose the shared personal data with other organisations in accordance with their respective privacy policies.
Particular obligations relating to data sharing
9.          Each party shall:
a)    ensure that all processing activities are done lawfully and fairly and that necessary measures and safeguards are taken to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
b)    give full information to any data subject whose personal data may be processed under this Agreement of the nature of such processing;
c)     process the Shared Personal Data only for the Agreed Purposes; and
d)    ensure that all Processors or Sub Processors are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement.
10.       The parties shall not transfer any shared personal data received from the Data Discloser outside the EEA unless the transferor:
a)    complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller); and
b)    ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 GDPR; (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

Mutual assistance
11.       Each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall, insofar as it relates to the other party:
a)    provide the other party with reasonable assistance in complying with any data subject access request;
b)    assist the other party in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
c)    notify the other party within 48 hours on becoming aware of any breach of the Data Protection Legislation;
d)    at the written direction of the Data Discloser, delete or return Shared Personal Data and copies thereof to the Data Discloser on termination of this agreement unless required by law to store the personal data;
e)    maintain complete and accurate records and information to demonstrate its compliance with this Agreement and the Data Protection Legislation; and
f)      provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Legislation.

Data security
12.       In accordance with Article 32(1) of the GDPR and Section 66 (1) of the Data Protection Act 2018, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties will ensure that they have in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of the Shared Personal Data and against accidental loss or destruction of, or damage to, the Shared Personal Data. This includes, but is not limited to, the below measures:
a)    the encryption of shared personal data;
b)    the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c)     password protecting documents;
d)    the ability to restore the availability and access to shared personal data in a timely manner in the event of a physical or technical incident; and
e)    a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

13.       The parties agree that the Agreement will be effective by [date].
14.       The parties will monitor the operation of the Agreement and formally review it every year. Meetings to discuss any issues arising will be held as necessary to monitor its effectiveness.
15.       The purpose of these meetings is to:
a)    provide feedback on the quality of the sharing and disclosure of information;
b)    review the effectiveness of processes in place to support the sharing and disclosure of information;
c)    discuss issues of wider concern that may impact on how the parties operate together;
d)    alert each other to and discuss emerging trends, issues, risks or other activities that may be of interest; and
e)    discuss any other issues of concern to either of the parties.

16.       This agreement shall commence [date agreement is signed] and shall continue, unless terminated earlier in accordance with clauses 23-24 (Termination), until either party gives to the other 30 days' written notice to terminate, expiring on or after 14th June 2022. This agreement may be extended by up to two one-year periods by HMCTS giving LCCSA written notice of no less than 2 weeks.

17.       Without affecting any other right or remedy available to it, either party may terminate this agreement on giving not less than 30 days’ notice to the other party.
18.       Following the termination or expiry of this Agreement HMCTS must promptly:
a)    stop using the Data and, at the direction of LCCSA;
b)    destroy all copies of the Data when they receive LCCSA written instructions to do so or 12 calendar months after the End or Expiry Date, and provide written confirmation to LCCSA that the data has been securely destroyed, except if the retention of Data is required by Law; and
c)    work with the other party on any ongoing work required to wind down either a) the Professional User’s Access Scheme or b) LCCSA membership of it.

19.       Each party undertakes to indemnify the other and hold each other harmless from any claim, liability, cost, charge, damages, expense or loss which they cause each other as a direct result of their personal data breach. Subject to clause 23, each party’s total liability in any 12-month period to LCCSA shall not exceed £500,000. For these purposes each 12-month period commences on [date agreement is signed] each year.
20.       Neither party excludes or limits liability to the other party for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any matter for which it would be unlawful for the parties to exclude liability.
Assignment or transfer of rights
28.1    Subject to clause 28.2, neither party shall assign, transfer, mortgage, charge, subcontract, delegate, declare a trust over or deal in any other manner with any or all of its rights and obligations under this Agreement without the prior written consent of the other party (such consent not to be unreasonably withheld or delayed).
28.2    The parties agree that no prior written consent shall be required under clause 28.1 above from HMCTS where, due to government re-organisation, HMCTS shall cease to exist and its powers and duties are to be transferred to another part of government.

29.       No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).