3.5 Data sharing agreements
TABLE OF CONTENTS
- 3.5.1 Is data sharing necessary?
- 3.5.2 Can sharing be done risk-free?
- 3.5.3 Is a data sharing agreement enough?
Keep in mind
Many NGO activities require data sharing with other organisations/institutions/authorities. Data sharing agreements are essential to frame the latter and protect yourself as much as possible from illegitimate requests, whether they come from donors, local authorities or partners. Attention should also be paid to the particular case of public-private partnerships.
Remember to respect the do no harm intent in your contracts, more specifically the data minimisation principle, but also to ensure that your partners have sufficient knowledge of the topic to understand the terms and implications of the contract.
In a humanitarian response, organisations are often required - as part of their activities - to provide personal data to their stakeholders (for example, local partners or donors). In such a case, they can transfer (or share) data, i.e. “communicate, copy or move” the data to another structure (Source: CNIL).
Data sharing agreements are contracts that clarify the roles and responsibilities of the organisations involved, as well as the type of data targeted.
You can refer to OCHA’s guidance note N°8 Responsible Approaches to Data Sharing for additional insights into the sensitivity of data and the factors that determine data sharing. Here are the key factors OCHA recommends taking into account when deciding whether to share non-personal data:
- What is the utility of the data for other stakeholders? The utility of data depends on the level of detail, the number of people or the geographical area covered, its timeliness, and its relevance to analysis and decision-making in humanitarian response
- How sensitive is the data? Non-personal data may in some contexts represent sensitive data, which must be protected.
Here is the classification proposed by OCHA:
- What human and technical capacity do the organizations sharing and using the data have? Consider the human and technical resources and their capacity for responsible data management
- Which governance instruments apply? These instruments should inform how data is shared for responsible management
You can also refer to OCHA’s guidance note N°3 on Data responsibility in public-private partnerships. This type of public-private partnership generally involve financial contributions, provision of technologies or their joint development, in-kind technical advisory support or public-private data sharing.
When requesting data sharing, the first step is to check whether it is necessary. To support this approach, the ICO (British supervisory authority) has set up the following checklist:
- What is the sharing meant to achieve?
- Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?
- Is it fair to share data in this way?
- Is the sharing necessary and proportionate to the issue you are addressing?
- What is the minimum data you can share to achieve the aim?
- Could the objective be achieved without sharing personal data, or by sharing less personal data?
- What safeguards can you put in place to minimise the risks or potential adverse effects of the sharing?
- Is there an applicable exemption in the GDPR?
This initial assessment checks whether the transfer is justified.
It should be noted, for example, that humanitarian organisations are often solicited by the authorities and governments in their areas of intervention. While it is quite normal for the authorities to want to find out what humanitarian organisations are doing on their territory, it does not give them all the rights regarding the personal databases that NGOs have in their possession to operate. NGOs therefore need to question the legitimacy of these requests, to know how to position themselves and possibly suspend their collection activities if the risks are deemed too high.
You can refer to OCHA’s guidance note N’7 on Responsible data sharing with donors for additional insights.
To identify the nature of these data sharing requests, here are examples of legitimate reasons taken from a CALP Case study : Responsible data sharing with governments:
- When eligible populations are being included in a social registry run by a government;
- When there is a need to avoid duplication of benefits across programmes/agencies/organizations;
- When assuming responsibility for a population formerly served by humanitarians and/or as part of a handover or exit strategy;
- When complying with Know Your Customer (KYC) and Financial Action Task Force (FATF) global recommendations;
- When humanitarian or other agencies are suspected of corruption or bribery and government wants to undertake an audit.
- Note that, even if the reason for sharing data is legitimate, it remains essential to check whether sharing is necessary or not, upstream.
Following the first step, if the need for sharing is proven, questions must then be asked about the recipients, their legal context of intervention and their relationship to data protection, to make sure that it can be done without risk. Are they subject to the GDPR (see the Application of the GDPR section for more information)? To one or more other legal frameworks that may be questioning (obligation to share data to the State, etc.)? Are they subject to other partners and/or contradictory injunctions that may run counter to your duty to “do no harm”, particularly regarding data protection? Have you communicated with other actors on the recipients, or have you ever heard of problematic situations involving them? Does their level of data culture / ownership of the basic principles of responsible data management allow you to ensure that the spirit of the agreement will be respected, both in principle and in practice?
On the legal front, for instance, if an organisation needs to transfer data to a local or international partner located outside the EU and not subject to the GDPR, it is essential to know whether the laws of the country in which said partner is located have a level of personal data protection equivalent to the GDPR. Beyond, the partner’s location, if you’re going to the end of what a law such as the GDPR requires, you should check the legal context of any country in which data transits (for example, if your data-sharing tool has servers in another country…).
Several sites, to varying degrees up-to-date or complete, can be looked at to carry out this analysis: the DLA Piper (a Swiss law firm providing a comparison of laws on the protection of personal data, setting out the procedures to be followed in the event of personal data transfers between organisations/partners in two different countries), the UNCTAD, research from the University of New South Wales…
Excerpt from the map provided by DLA Piper below:
In any case, if data protection is deemed insufficient from a legal standpoint, then it is mandatory to provide for “additional measures”.
This means that sharing is possible (if you don’t see any other reasons than statutory to ban it), but that it should be highly regulated as the risks of data breaches are higher and organisations need to implement specific safeguards to reduce them.
Keep in mind that the data of affected populations are not always the only ones “at risk” - for example in certain contexts where human rights are not respected - those of your employees themselves may be, depending on the state or non-state actors present on the territory. Think of situations like in Afghanistan, where the Taliban’s takeover gave them access to many databases that put people at risk of retaliation for those who worked with the previous government, whether in the field of Humanitarian Aid and International Development or not.
- WARNING: The purpose of data transfer risk assessment is to check whether the transfer contains the appropriate safeguards to protect the personal data (source: CNIL) and, if not, to determine the necessary measures to regulate it.
- This analysis should be differentiated from the Data Protection Impact Assessment (DPIA), which determines whether the collection and processing of data has a sufficient level of protection. It is a tool and process for assessing the protection impacts on data subjects in processing their personal data, to identify and assess the risks and their levels of severity.
Here is a checklist template used by Handicap International/Humanity and Inclusion, which will allow you to look at all components prior to a transfer of personal data: analysis of the recipient structure profile, the purpose of data sharing, the presence or not of sensitive data; and to assess the risks of the transfer and subsequently implement appropriate additional measures. It should be combined with an analysis of the risks incurred by the populations and mitigation measures.
Here is a template of data sharing agreement made by Solidarités International that you can use as a model to clarify your data transfers.
If the need for data sharing is confirmed, once it has been reviewed and its overall context and risk identification has been assessed, the following step is to consider the regulatory framework that applies to the recipient. The question is whether the latter is subject to the GDPR or to legislation considered “equivalent” by the EU, or not, to determine the tools that will accompany the data sharing process.
In the case of a transfer or sharing of personal data with an organisation (partner, funder, public institution…) subject to the GDPR or considered to have an equivalent level of protection (the list of countries is available here), a data sharing agreement or contract (in this part, we consider the terms “contract” and “agreement” synonymous, so as not to get into the subtleties of the subject that we deemed unnecessary here) is mandatory.
It is deemed good practice to have a data sharing agreement. It makes it possible:
- to establish the responsibilities of each of the organisations involved: who is data controller, and who is data processor (good practice: anticipate and include all organisations that will be involved in data sharing and those that should be excluded as well)
- to specify the purpose or purposes of the data processing: purpose of the transfer (why is the transfer necessary to achieve this purpose) and details of each of the processing steps
- to identify the type of personal data that is concerned: sensitive data or not
- to jointly define procedures: to implement the right of access to their data to the populations concerned (Source: ICO).
WARNING: a simple memorandum of understanding, without clearly stipulating these details, does not fulfil the function of data sharing agreement. As a reminder, the MoU establishes parameters on labour relations (for example, partnerships), but has no binding legal value (Source: French Ministry of Culture).
The ICO has shared a simple blank data sharing agreement template that you can use. ReliefWeb has shared an example of a data sharing agreement from the World Food Programme, which we are mentioning as concrete complementary illustration.
In the case of a transfer or sharing of data with an organisation not subject to the GDPR, or whose legal framework is deemed not to have an equivalent level of protection (which is the case for countries not listed here):
- A data sharing agreement is required (see previous subsection)
- In addition to the data sharing agreement, additional measures to reduce risks are essential to secure the sharing
Among potential additional measures are the standard contractual clauses: many models of standard contractual clauses exist, such as the model contracts for the transfer of personal data by the European Commission (in the appendix). There are other tools for data sharing outside the EU such as certifications (the certification guidelines) that demonstrate the observance of data protection legislation and compliance with the GDPR, ensuring an adequate level of protection.
Organisations should also make sure that the sharing mechanism includes information to the data subjects on (source: DLA Piper):
- The precise data that will be shared
- The recipients of their data
- The reason for the transfer
- The sharing mechanism that will be used to transfer their data
- The obligations of the data recipient
- The security measures put in place
In any case, beyond what is signed in the sharing contracts/agreements, it is your responsibility to the populations whose data you hold, to verify the proper compliance of the agreements by the partners in whom you have trusted or to support them as necessary, through training or awareness-raising or monitoring of the agreement.