between Independent Living Fund (ILF) Scotland and Scottish Local Authorities
| Current Version number | 00.7 |
| Title | Data Sharing Agreement for Independent Living |
| Summary | An official Agreement between the Independent Living Fund Scotland and Scottish Local Authorities. This Agreement takes account of the regular and routine sharing of personal data relating to Applicants for / Recipients of ILF Scotland funding between the parties to this Agreement. |
| Date | <<Insert Date>> |
| Author | Privacy and Improvement Manager |
| Owner | Director of Digital and Information Services |
| Date | Version | Summary of Changes | Author |
| 09/12/2021 | v00.1 | Working Draft | Marianne Craig |
| 15/02/2024 | v00.2 | Comments & corrections | Laura Earley |
| 23/01/2023 | v00.4 | Formatting changes | Laura Earley |
| 14/02/2023 | v00.5 | Comments & corrections | CLO |
| 15/02/2023 | v00.6 | Formatting changes & corrections | Laura Earley |
| 26/03/2024 | v00.7 | Working Draft & changes to data sharing approach | Laura Earley / Paul Hayllor |
| Term or expression | Definition |
| Agreed Purpose | has the meaning given to it in paragraph 5 |
| Agreement | means this data sharing Agreement |
| Applicant | means an individual applying to receive an ILF Scotland Award |
| Award Manager | means an individual made responsible by the Recipient for managing an ILF Scotland award, whether by choice or by virtue of reduced capacity in relation to an impairment |
| Controller | shall have the meaning given in the UK GDPR |
| Data Loss Event | means any event that results, or may result in unauthorised access to Personal Data held under or in connection with this Agreement, and / or actual or potential loss and / or destruction and / or corruption of Personal Data in breach of this Agreement, including but not limited to any Personal Data Breach |
| Data Protection Legislation | means (i) the UK GDPR and any applicable national implementing laws as amended from time to time; (ii) the Data Protection Act 2018 to the extent that it relates to the Processing of Personal Data and privacy; and (iii) any other law in force from time to time with regards to the processing of Personal Data and privacy, which may apply to either party in respect of its activities under the Agreement |
| Data Subject | shall have the meaning given in the UK GDPR |
| Data Subject Request | means a request made by, or on behalf of, a Data Subject in accordance with access and other rights granted to the Data Subject pursuant to the Data Protection legislation in respect of their Personal Data |
| GDPR | means the UK General Data Protection Regulation |
| ILF Scotland Award | means funding from ILF Scotland awarded to a Recipient |
| Information Commissioner’s Office | means the United Kingdom’s Supervisory Authority |
| Personal Data | shall have the meaning given in the UK GDPR Processed by either party in connection with this Agreement |
| Personal Data Breach | shall have the meaning given in the UK GDPR |
| Process | shall have the meaning given in the UK GDPR and Processing shall be construed accordingly |
| PSN | means a Public Service Network which is an assured network used by the public sector to securely share data |
| Recipient | means an individual receiving an ILF Scotland Award |
| Scottish Local Authority | means a public body incorporated under the Local Government etc. (Scotland) Act 1994 |
This Agreement has been prepared to support the regular and routine sharing of data between:
| Legal name of parties to the Agreement & Head Office address | Role for the purposes of the Data Protection Legislation e.g. Controller / Processor |
| Independent Living Fund Scotland Limited, a company limited by guarantee registered in Scotland (Company Number SC500075) and having its registered office at St Andrews House, Edinburgh, EH1 3DG | Controller |
| [Insert Local Authority], a local authority incorporated under the Local Government etc. (Scotland) Act 1994 and having its head office at [insert office address] | Controller |
The above are hereafter referred to as the parties.
The parties acknowledge that for the purposes of the Data Protection Legislation, each party is a Controller in its own right in respect of the processing of Personal Data on its own behalf and in particular:
Each party shall comply with all applicable laws and regulations (as amended from time to time) in relation to the performance of this Agreement, in particular each party shall:
This Agreement takes account of the sharing of legitimate and proportionate information relating to the social care provision for new Applicants and / or Recipients of ILF Scotland funding. The information will be shared between ILF Scotland staff within the Self-Directed Support Teams and Social Work or Occupational Health professionals within the Scottish Local Authority.
This Agreement will commence on [INSERT DATE] and shall continue in force until terminated in accordance with paragraph 15 below.
The aim of this Agreement is to:
The following table sets out the personal data categories which can be shared between the parties:
| Data Category | Controller(s) |
| the Applicant / Recipient’s full namefinancial details of the Applicant / Recipient’s ILF Scotland Awardthe Applicant or Recipient’s contributionsthe case reference numberpostal addressNational Insurance Numberdate of birthname and contact information for Managers of award funding where a Recipient does not manage their own fundingdetails of conversations held between Award Managers, Recipients and ILF Scotland Assessorsdetails of health and physical disabilities, including medical diagnoses (from a third-party healthcare professional) which may require changes in funding provision | ILF Scotland |
| the Applicant / Recipient’s full namedetails of any funding made to the Applicant / Recipient by the Local Authoritydetails relating to the Applicant / Recipient’s support needs, assessment and support plandetails of conversations held between Award Managers, Recipients and Social Work Professionalsdetails of health and physical disabilities, including medical diagnoses (from a third-party healthcare professional) which may require changes in funding provision | Local Authority |
The parties consider the sharing of this data to be necessary to meet the aims outlined in section 2.1 above. The sharing will benefit the individuals applying for / in receipt of an ILF Scotland Award by aiding the effective management of such ILF Scotland Award and will benefit society by aiding the proper administration of public funds.
Personal Data is shared by the parties pursuant to this Agreement for the following purposes, to allow the parties:
(all points listed above are taken to be the Agreed Purpose).
Personal Data shall only be shared for the Agreed Purpose, and the parties shall not process Personal Data in a way that is incompatible with the Agreed Purpose.
The parties have a responsibility to check the quality and accuracy of the financial information and Personal Data which they hold, with particular emphasis on checking the accuracy and quality of data to be shared.
Each party undertakes to notify the other as soon as practicable if an error is discovered in, or changes are made to, the financial information or Personal Data which has been provided to the other party to ensure that the parties are then able to correct or update their respective records.
Without detriment to any other lawful basis that may be applicable, the following are the core legal bases for each of the parties to process Personal Data shared in line with this Agreement:
| Party | GDPR Article 6 Condition(s) Personal Data | GDPR Article 9 Condition(s) Special Categories of Personal Data |
| ILF Scotland | 6(1)(b) – Processing is necessary for the performance of a contract to which the Data Subject (the Applicant / Recipient) is party, or in order to take steps at the request of the Data Subject prior to entering into a contract. | 9(2)(h) – Processing is necessary for the purposes of the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law. |
| Local Authority | 6(1)(e) – the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. |
Each party shall ensure that it has in place throughout the term of this Agreement appropriate technical and organisational measures to protect against a Data Loss Event, having taken account of (i) the nature of the Personal Data (and that personal data potentially includes Special Category Data) to be protected, (ii) the harm that might result from a Data Loss Event; (iii) the state of technological development; and (iv) the cost of implementing any measures to mitigate against the occurrence of a Data Loss Event.
The primary means of data transfer will be by the secure LA portal which is managed by ILF Scotland. Each Local Authority Social Worker making an application on behalf of a data subject will have a secure login to the system supported by multifactor authentication prior to allowing them to access the applications portal. This is the same portal that is used currently to confirm the details of the Care Schedule and meets the security requirements of both Scottish Government and the Local Authority Digital Office. This is now in full use across all local authorities in Scotland and should be considered as the primary secure data sharing platform.
Both parties shall ensure that there is either (i) a fully secured and encrypted email system in place for the exchange of Personal Data or Special Category Data as foreseen by this Agreement, or (ii) an alternative secure method for the exchange of information agreed between the parties, which might include telephone If the Local Authority does not have appropriate encryption measures in place on its email servers, ILF Scotland will arrange for an alternative secure system such as Huddle to be used to enable secure and restricted access to data for designated individuals within Local Authority Offices.
Each party will ensure that the other party is notified of any Data Loss Event, or significant data security risks, affecting shared Personal Data within 24 hours of becoming aware of the same.
The parties will, where appropriate, work together to rectify any such Data Loss Event or mitigate any such risk to data security, including notification to the Information Commissioner’s Office and to affected individuals if required.
Both parties will clearly inform Data Subjects about how their Personal Data will be processed in connection with the Agreed Purpose in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
During the terms of this Agreement, within one (1) month following the date of the cessation of an ILF Scotland Award pursuant to or in connection with which the sharing of Personal Data by the parties was undertaken, each party shall:
In either case, if a party is required by law to retain any Personal Data, that party shall advise the other in writing of such requirement.
Where either party receives a Data Subject Request, it shall be responsible for actioning the same in accordance with the Data Protection Legislation.
The parties each agree to provide such assistance as is reasonably required to enable the other party to comply with Data Subject Requests relating to the Agreed Purpose within the time limits imposed by the Data Protection Legislation.
All parties are subject to the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 and / or any other codes or regulations applicable from time to time relating to access to public authorities’ information (FOI).
All parties agree to provide reasonable cooperation, upon written request, to enable any party to comply with its obligations under or in relation to FOI or FOISA.
The final decision on disclosure of any information under FOI or FOISA will be made by the organisation to which the request was directly made.
All parties agree that in the event that Personal Data pursuant to this Agreement is required to be transferred outside of the UK, all other parties shall be notified in writing and ensure that any such transfer complies with the Data Protection Legislation.
The primary data sharing approach will be via the secure applications portal and thereafter via email, letter and / or in-person / telephone conversations. All data collected in this way will then be imported and stored in secure database systems which will only be accessible to approved personnel on a need-to-know basis only. This secure database will subsequently be used to push email notifications to the approved local authority personnel to notify them of updates and confirmation requirements of new care packages and request them to log in to the portal to review and approve new updates. The intention behind this is to reduce and limit the sharing of personal data in transit with as much as possible being completed in the LA Portal. Any data shared via email must use fully encrypted public sector networks and be minimised as much as possible by both parties. ILF Scotland has access to separate secure file sharing tools and these can be used on specific cases by exception if required but would be discussed separately (Huddle is the secure system).
Agreement
This Data Sharing Agreement will terminate upon the date of cessation of all Recipients of ILF Funding Awards, unless terminated earlier by either party by serving not less than three (3) months’ notice in writing to the other party.
This Agreement will be reviewed every five years or sooner if appropriate.
This Agreement shall be governed and construed in accordance with Scots law and both parties hereby irrevocably submit to the exclusive jurisdiction of the Scottish Courts.
