Saturday 17 February 2018

Sharing data with Government (data-controller or data-processor)

Businesses hold a lot of data about staff, customers and contacts, and under GDPR they need to keep that data private, safe and secure.

Additionally, where that data is held by or shared with a third party, there needs to be some form of data-controller/data-processor agreement detailing the roles, goals and controls for the management of that data.
In many cases that third party may be a government department. So it makes sense for the government department to detail its policy, procedures, templates etc., so as to be clear and consistent in all its dealings, rather than create a bespoke solution and documentation for every organisation with whom it shares data.

Having a standard approach and template agreements will help reduce cost, raise awareness and ensure best practice. Surely this is better than every business having a slightly different approach to sharing data with that government department?

In the meantime I have been writing letters along the following lines to support my clients in becoming GDPR compliant and in evidencing the roles, goals and controls for the management of data held for, or shared with, government.

Dear XXXXXX

FOI General Data Protection Regulation (GDPR).

Many organisations hold personal-data [as defined by GDPR] for the States, or share it with the States (for example ID, Tax and SocSec information, and in some cases special-category data such as medical information).

What are the requirements of the States in relation to that data? Do you have guidance and model data-controller/data-processor agreements, as required by GDPR, that can be shared to encourage a standardised approach based on best practice?

For example:

- What personal-data should be held for the States or shared with the States? (Examples: DBS checks? ID records? Staff records?)

- What should the retention period be for personal-data held for the States or shared with the States? (Examples: 1 year, 3 years, 10 years?)

- What information security measures should be applied to personal-data held for the States or shared with the States? (Examples: Cyber Essentials? ISO 27001?)

Perhaps this would be better submitted as a Freedom of Information request, so that the reply can be used as a standard for all organisations seeking to address the requirements of GDPR?

Yours sincerely
