Information Sharing


Information Sharing Agreement


1        Introduction

1.1      Policy statement

In accordance with the NHS England Information Sharing Policy[1] all employees working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their daily work. This policy outlines the requirement for robust measures to ensure that information sharing is appropriate and authorised.

1.2      Status

The practice aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have in regard to the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.

1.3      Training and support

The practice will provide guidance and support to help those to whom it applies understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.

2       Scope

2.1      Who it applies to

This document applies to all employees of the practice. Other individuals performing functions in relation to the practice, such as agency workers, locums and contractors, are encouraged to use it.

2.2      Why and how it applies to them

This document has been produced to provide all staff at Whitley Road Medical Centre with the necessary level of information to ensure that information sharing follows the good practice recommendations in line with the NHS(E) Information Sharing Policy.

3       Definition of terms

3.1      Information sharing

The disclosure of personal information from one or more organisations to a third-party organisation or organisations, or information shared internally within an organisation.[1]

3.2      General Data Protection Regulation

The GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.

3.3      Data subject

A natural person whose personal data is processed by a controller or processor.

3.4      Data processor

The entity that processes data on behalf of the data controller.


4       Information sharing

4.1      Considerations

Prior to entering into any agreement involving the sharing of information, the following are to be considered:

  • What are the objectives of sharing the data?
  • What data needs to be shared to achieve the objectives?
  • Is it possible to achieve the intended objectives without sharing the data?
  • How is the data going to be shared?
  • When should the data be shared?
  • What control measures are in place to safeguard the data?
  • What are the associated risks with sharing the data?

Where doubt exists, the data controller is to be contacted and advice sought. If the sharing of data is large-scale, then in accordance with the GDPR, a Data Protection Impact Assessment (DPIA) is to be conducted. Furthermore, it is considered good practice to complete a DPIA prior to partaking in a data-sharing agreement as it is the most effective way for Whitley Road Medical Centre to meet their data protection obligations and the expectations of their data subjects.

5       Information-sharing agreements

5.1      Requirements

Information-sharing agreements must include the following information:

  • The purpose(s) for sharing the data
  • The legal basis for sharing
  • The intended recipients
  • The data to be shared
  • Who the data controller and data processors are
  • How the security of the data can be assured
  • The retention period of the shared data
  • Data subjects’ rights
  • Actions to manage breaches to the agreement

5.2      Template

An information-sharing agreement template can be found at Annex A. This template is to be used by Whitley Road Medical Centre when entering into any data-sharing agreement.

6       Summary

When there is a requirement to share information, it is essential that the information being shared is protected and only disclosed to the intended recipient(s). Failure to adhere to the terms of the agreement could result in a data breach, the consequences of which could be of detriment to both Whitley Road Medical Centre and the data subject(s).    

Annex A – Information-sharing agreement

Information-sharing agreement Whitley Road Medical Centre


This information-sharing agreement is between Whitley Road Medical Centre and [insert name]. The purpose/s for sharing information is/are given in the box below.

Include the specific purpose/s for sharing the information and the rationale for sharing.






To ensure compliance with the GDPR, the legal basis for sharing this information is shown below: (tick as applicable)

  • [ ] The data subject has given consent to the processing of his or her personal data for one or more specific purposes

  • [ ] Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

  • [ ] Processing is necessary for compliance with a legal obligation to which the controller is subject

  • [ ] Processing is necessary in order to protect the vital interests of the data subject or another natural person

  • [ ] Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

  • [ ] Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child



The intended recipient/s for the purpose of information sharing is:

Give details of the organisation or individuals with whom data is being shared.









The information being shared is:

Give details of the information that is being shared and where that information is currently held. Be as specific as possible.






Give details of the data controllers and data processors involved:


Data controller:

Data processor/s:




Data controller:

Data processor/s:


Security assurances:

Give details of the measures in place to minimise the risk of a data breach, e.g. information is shared using end-to-end encryption.







The retention period of the shared information is:

Give details of how long the shared information will be retained (use the retention schedule to support this). Also include the disposal process once the retention period has lapsed.






Data subjects’ rights in accordance with the GDPR:

Give details as to how data subjects can access their data and confirm their data is being processed lawfully. Also explain how data subjects know why and when their information is being shared – think privacy notices.  






Actions to be taken in the event of a breach of the agreement:

Insert details as to how any breaches to the terms of this agreement would be managed and if any sanctions would be imposed. Any incidents that affect the confidentiality, integrity or availability of personal data are classed as data breaches and the appropriate action must be taken.








Signature of acceptance




Position held:


Phone number:











Position held:


Phone number:








[1] NHS(E) Information Sharing Policy
