Data controller and data processor
- who will be responsible for certain aspects of the information sharing process;
- who is responsible for the processing of the data; and
- who has overall responsibility.
Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data processor: In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing: In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
(b) retrieval, consultation or use of the information or data;
(c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
(d) alignment, combination, blocking, erasure or destruction of the information or data.
Key definitions of the Data Protection Act
Finding the information
Based on the data requirements identified earlier in the process, partners should undertake an information audit. This will ensure that relevant information needed by the project can be found easily.
The exercise can also be used to determine whether partners already hold data that could act as a proxy measure. This will save the time and effort of collecting client information that might already be stored by partners.
Details will need to cover:
- what information is collected and from which source(s);
- where and how recorded information is stored;
- what the information is used for and how it passes between systems to end users; and
- who is responsible for the information at both an operational and a strategic level.
The Information and Records Management Society have produced a useful document to guide you through the process of an information audit. It is available from their website.
Define the scope of the audit
The pre-agreed information requirements of the project should help to define the scope of the audit.
There may be particular types of information which an organisation does not wish to examine, such as aggregated data or invalidated data. Some information may also have legal restrictions or limitations and should therefore not be included.
Partners should attempt to gain a broad understanding of the situation, rather than try to analyse every single piece of information. Keeping the audit simple will give a clearer understanding of the task and help to avoid scope creep, which could compromise the exercise.
The most productive way of discovering the main systems and information flows is to talk directly to the people who manage them. Find out what managers are responsible for specifically, what information and systems managers depend on and who is responsible for those systems. It is also helpful to speak directly to the daily users of these systems as they may be aware of issues which are relevant to the audit.
Given that a key reason for undertaking this audit is to source the information required for the project, it is essential to document findings. This will form the basis of future data sharing and should consist of:
- A list of data-sets and owners
- Details of organisational information flows including:
4. Special requirements
- A list of the information contained in each data-set
To fully understand where information comes from and the way information flows work, it could be useful to produce a data flow diagram.
The example below may be useful:
What information do you need to share and where is it?
Before the legality of sharing information can be considered, it is important that work has been carried out to understand the purpose of the project as a whole. In particular, there should be a clear idea of how information sharing will be of benefit to the project and what information needs to be shared.
The information requirements for any project need to be discussed and identified to ensure that the correct information is gathered or collected from the most appropriate source. The earlier this can be done, the better, as it will form the basis of the search for legal gateways to information sharing, as well as the development of information sharing protocols and agreements. It will also shape the design of information gathering tools for use throughout the project and the later measurement of the success, or otherwise, of the project.
Discovering information requirements can be done most effectively by:
- Understanding the purpose of the overall project, including specific goals
- Identifying and understanding stakeholders
- Identifying the best sources of information
- Documenting the information requirements
Once these stages have been completed and the information requirements catalogue is available, the quality of the information should be assessed to ensure that it is fit for purpose.
How do you decide the legal basis for sharing?
Use the flow chart below to help you to work through the questions which you need to ask yourself to decide if there is a legal basis for your project or initiative to share information.
For a more in-depth look at this, please download the following document: Process-for-deciding-the-legal-basis-for-sharing-information, and take a look at the Information Commissioner’s Office data sharing checklist.
Deciding to share aggregate or anonymised data