Information sharing agreement - Coventry City Council and Coventry Academies-Schools and Trusts 2023 - Print version

About

Complete the information sharing agreement form [https://forms.office.com/e/XxuXZRe15Y]

• View the information sharing agreement (HTML) [https://www.coventry.gov.uk/info/248/freedom_of_information_and_environmental_information_regulations/3878/information_sharing_agreement_ccc_and_schools_2021/2]

1. Definition of Data Protection Legislation

means all applicable data protection and privacy legislation in force from time to time in the UK including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR); the Data Protection Act 2018 (DPA 2018) (and regulations made thereunder) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended and the guidance and codes of practice issued by the Information Commissioner or other relevant regulatory authority and applicable to a Party.

2. Background

• 1.1 This Data Sharing Agreement (“Agreement”) sets out how Personal Data will be shared (“Shared Personal Data”) between the Controllers as Data Controllers. It defines the principles and procedures the Controllers should adhere to and responsibilities to each other with regard to sharing personal data in accordance with the Data Protection Legislation as amended. Specifically, the purpose of this data sharing agreement is to enable the Council and academies/schools/trusts to share information, in compliance with relevant data protection legislation, in order to fulfil their statutory duties in regard to the education and welfare of all children/young people for whom they are responsible.

3. Controllers

This Data Sharing Agreement is between the following Controllers.

• 3.1. Coventry City Council whose administrative office are at Council House, Earl Street,
• Coventry CV1 5RR (‘the Council’)
• 3.2. [Insert Education Provider name and address] (‘academies/schools/trusts’)

4. Purpose and Scope

The Agreement covers the sharing of personal data and special categories of data, about data subjects, as defined by the Data Protection Legislation, and non-personal information for the following reasons:

• the statutory duty on the Council to ensure there are sufficient school places in their area, promote high education standards, ensure fair access to educational opportunity and promote the fulfilment of every child’s educational potential. The Council must also promote diversity and increased parental choice.
• the Council has a duty to ensure all children of compulsory school age receive and attend suitable educational provision under Education Act 1996
• academies/schools share information directly with each other relating to pupils who transfer from one setting to another, particularly in relation to attainment, attendance, SEND, health/wellbeing and safeguarding data. Data may also be shared where siblings attend different academies/schools to each other where necessary to ensure that safeguarding duties are carried out.
• the Council and academies/schools/trusts have statutory duties in relation to the safeguarding of children/young people
• the Council and academies/schools/trusts have statutory duties in relation to supporting children and young people who are eligible for SEND related
• provision.
• the Council and academies/schools/trusts have statutory duties in relation to the promoting the education, employment and training of young people which requires the exchange of data and the use of information not otherwise available to either organisation.
• the Council and academies/schools/trusts share information to support processes relating to statutory school census, school workforce census, Early Years Foundation Stage, Phonics, and other key stage pupil attainment and progress data.
• the Council uses data shared for pupil level and aggregated analysis to monitor pupil outcomes comprehensively at city level and associated aggregated spatial levels.
• the Council uses data shared to identify where pupils have transferred so as to make the task of tracking vulnerable pupils more secure and also to ensure appropriate services are extended to pupils needing additional support e.g. for reasons of health, exclusions, attendance or transport.

The Agreement covers the sharing of information for any of the purposes listed in Section 3.3 of this agreement. It also covers any subsequent information sharing activities within scope of agreement, as defined in clause 5. It does not cover any processing of personal data where the Council is acting as the Data Processor for the academy/school/trust, usually for subscription (traded) services. There will be separate data processing clauses and schedules in agreements for these services compliant with data protection legislation.

• 4.1. The Controllers agree to only process Shared Personal Data, as described in clause 5.
• 4.2. The Controllers consider this Agreement necessary as for the purpose of :
  • Safeguarding Children within the Local Authority Area
  • Offering SEND Support Services
  • Identifying children who have been absent from school, tracking Children Missing in Education and support to enforce the attendance of those children of compulsory school age in a suitable education provision Providing Education and Health Care Plans
  • Supporting integration of children into educational provision e.g. excluded pupils, children requiring behaviour support, SEND support and children with medical conditions.
  • Providing Virtual School Support for children in care
  • Providing an Alternative Provision Service
  • Providing Admissions and Appeals services for Education Providers
  • Providing Attendance and Inclusion Support Services
  • Supporting Education Providers in the Exclusion Process
  • Providing a Needs Assessment for pupils/students and assisting pupils/students with SEN
  • Provide Coventry Music Services
  • Providing Free School Provider Meals
  • Education Minority Achievement Service (EMAS)
  • Troubled Families Services
  • Providing Social Care and Education
  • Providing Services such as the Local Authority Designated Officer
  • Assisting with Work-Related Learning Programmes
  • Data can be shared with third parties when the academy/trust/school wishes the Council to pass on data on its behalf for specific programmes set up under the partnership working arrangements for example:
    • 1 to 1 tuition programmes
    • Alternative Provision and Work-Related Learning Programmes
    • NHS health programmes e.g. vaccinations, National Child Weight Measurement
    • Attainment and progress analysis and aggregated statistical and performance profiles obtained from the academy/school/trust, DfE, FFT Education and NCER Nexus as agreed between partners (see Appendix C)
  • Information to promote the participation in Employment Education and Training of young people under Education and Skills Act (Secondary Schools).
  • Providing Newly Qualified Teacher Support Services
  • Fulfilling statutory obligations to share as part of the DfE School Census
  • Daily exchange of FFT Aspire Assessment and Attendance data provided securely by FFT Aspire to both partners with agreements in place EYF Stage Profile KS1, 2, 4 and Post 16 pupil level results and FFT Aspire pupil level estimates uploaded and shared to the Council. Where assessment data items within FFT Aspire are not part of the statutory data sets, the LA will not amend/delete/edit/use this for any purpose unless explicitly agreed with the school.
  • Information the Council or academy/school/trust require to support planning and monitoring of education provision and services for children during public health emergencies.
  • Information required to monitor the use of part-time timetables for children in education to ensure children have suitable education provision.
  • Sharing pupil starters and leavers information at non-standard transition points (i.e. in year), via DfE School to School (S2S) secure portal and Coventry City Council Data Locker secure portal, using CMJ and CML files or shared directly from the pupils’ current school/academy to the receiving school/academy under Education (Pupil Registration) (England) Regulations 2006 (8 and 12) as amended in 2016. Services Provided by the Local Authority under SLA (please amend accordingly using the Microsoft Form):
  • Providing HR Advisory Services
  • Providing Outdoor Education Services
  • Schools and Library Services
  • Providing Occupational Health Services
  • Providing Legal Services
  • Providing Health and Safety Services
  • Providing Outdoor Education Services
  • Providing Work-Related Learning Services
  • Providing Attendance and Inclusion Services
  • Providing Data Team Services – People Directorate
  • Providing the Data Protection Officer Service (the “Agreed Purpose”).
• 4.3. The Controllers agree that this Agreement formalises a lawful transfer of Personal Data between the Controllers and presents no new or additional privacy concerns.
• 4.4. The Controllers shall not process Shared Personal Data in a way that is incompatible with the Agreed Purposes.
• 4.5. Both parties will store personal data shared between both partners on secure systems which can only be accessed by a restricted number of appropriate staff with appropriate security safeguards.
• 4.6. Both parties will use the data supplied for the purposes stated and will not pass such data to third party organisations outside the remit of specified partners in agreement without prior consent.
• 4.7. The academy/school/trust will ensure that up to date Privacy Notices are made available to every parent/guardian/carer, or the child/young person if appropriate.
• 4.8. The Council will ensure it has up to date Privacy Notices available on its website at www.coventry.gov.uk

5. Lawfulness

• 5.1 Data Protection legislation (General Data Protection Regulation (GDPR) and Data Protection Act 2018) requires that there should be a lawful condition for sharing Personal Data. Where special category data or criminal offence data is shared, additional requirements are necessary.
• 5.2 For the purposes of the Agreed Purposes as listed in clause 3.1 of this Agreement, each Controller shall ensure that it processes Shared Personal Data on the basis of one of the following legal grounds:
• 5.3 The lawful bases relied upon are:
  • Article 6 (1) (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Article 6 (1) (b) processing is necessary for the performance of a contract to which the data subject is Controller or in order to take steps at the request of the data subject prior to entering into a contract;
  • Article 6 (1) (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 6 (1) (d) processing is necessary to protect the vital interests of the data subject or of another natural person;
  • Article 6 (1) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Article 6 (1) (f) processing is necessary for the performance of a task carried out for the purposes of the legitimate interests pursued by the controller except where the processing is carried out by a public authority in the performance of their public duties;
  • Article 9 (2) (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
  • Article 9 (2) (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law;
  • Article (9) (2) (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Article 9 (2) (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (where reliance on this ground is sought, Schedule 1 of the Data Protection Act 2018 shall apply and both Controllers will have the appropriate policy document in place – with respect to safeguarding it is anticipated that schools will mostly rely on Part 1, s6, statutory purposes (e.g. KCSIE) and Part 2, s18 Safeguarding of children and of individuals at risk);
  • Article 9 (2) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional;
  • Article 9 (2) (j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistics purposes in accordance with Article 89(1) based on Union or member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
  • Where personal data relating to criminal convictions and offences is processed this is under Article 6.1(e) and the additional safeguard at GDPR Article 10 that such processing shall be: “carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
• 5.4 Human Rights Act 1998, Crime and Disorder Act 1998, public interest in common law, the Children Act 1989 and 2004 and Data Protection Act 2018 (DPA), the UK General Data Protection Regulation, as amended, European Union (Withdrawal Act) 2018, Freedom of Information Act 2000, the duties of LEAs and Governing Bodies in relation to welfare of children duty at s175 Education Act 2002 and any other similar legislation.
• 5.5 Any amendments to the UK General Data Protection Regulation will supersede the provisions referenced herein.

Providing Admissions Services

1. Education Providers are required to co-ordinate admissions with the Local Authority at either First Time Admissions or Secondary Transfer stages. The School Admissions Code of Practice outlines the need for data sharing if a Local Authority is the relevant Admissions Authority for the Education Provider.

Providing SEND and Social Care and Education Services:

1. Section 14 of the Education Act 1996 requires local authorities to provide sufficient schools and equipment for pupils of all different ages, abilities and aptitudes and for the different periods for which they may be expected to stay at Education Provider. Provision must include practical instruction and training appropriate to the pupils’ different needs and must secure diversity in the provision of Education Providers and to increase opportunities for parental choice.
2. Section 436A of the Education Act 1996 imposes a duty on the LA to identify and monitor children missing in education.
3. Section 444 of the Education Act 1996 places responsibilities on the LA to enforce attendance at Schools.
4. Section 10 of the Education & Skills Act 2008 requires local authorities in England must ensure that its functions are exercised to promote the effective participation in education or training of persons belonging to its area.
5. Section 10 of the Children Act 2004 requires Children’s Service Authorities and their relevant partners to cooperate in order to improve the well-being of children and young people in relation to the following:
   • physical and mental health and emotional well-being
   • protection from harm and neglect
   • education, training and recreation
   • the contribution made by them to society
   • social and economic well-being
6. Section 11 of the Children Act 2004 Duty on key persons and bodies to make arrangements to ensure their functions are discharged with regard to the need to safeguard and promote the welfare of children.
7. Section 47 Children Act 1989 Section 47 places a duty on local authorities to make enquiries where they have reasonable cause to suspect that a child in their area may be at risk of suffering significant harm. Local authorities shall make, or cause to be made, such enquiries as they consider necessary to enable them to decide whether they should take any action to safeguard or promote the child's welfare.
8. Section 17 Children Act 1989 Local authorities have duties to safeguard and promote the welfare of children within their area who are in need and so far as is consistent with that duty, to promote the upbringing of such children by their families by providing a range and level of services appropriate to those children's needs.
9. Working Together to Safeguard Children (as updated from time to time) and Keeping Children Safe in Education (as updated from time to time) statutory guidance sets out how inter-agency organisations and individuals should work together to safeguard and promote the welfare of children.
10. Section 28 Children and Families Act 2014
11. Where reliance on a substantial public interest is sought, Schedule 1 of the Data Protection Act 2018 shall apply and both Controllers will have the appropriate policy document in place.
12. Section 35 Digital Economy Act 2017 allows for the sharing of personal data in relation to Early Help Intervention and Troubled Families Programme.

Providing Occupational Health, Health and Safety Services and Human Resources Services:

1. Employments Right Act 1986
2. Health and Safety Legislation and The Equality Act 2010
3. The Education Provider Staffing (England) Regulations 2009
4. When relying on Article 10 Processing personal data relating to criminal convictions and offences reliance on Data Protection Act, Schedule 1 of the Data Protection Act 2018 shall apply and both Controllers will have the appropriate policy document in place.
5. Where reliance on a substantial public interest is sought, Schedule 1 of the Data Protection Act 2018 shall apply and both Controllers will have the appropriate policy document in place.

Providing Coventry Music Services:

1. Children (Performances) Regulations (1968),
2. Children (Performances) (Miscellaneous Amendments) Regulations (1998) [Children and Young Persons Act]

Other Legislation

1. Academies Act 2010
2. Learning and Skills Act 2000
3. Equality Act 2010
4. Education and Inspections Act 2006
5. Education and Skills Act 2008
6. Education Act 2011
7. the School Discipline (Pupil Exclusions and Reviews) (England) Regulations 2012
8. the Education (Provision of Full-Time Education for Excluded Pupils) (England) Regulations 2007, as amended by the Education (Provision of Full-Time Education for Excluded Pupils) (England) (Amendment) Regulations 2014
9. Health and Safety Act 1974
10. Managing Health and Safety at Work Act 1999
11. The Coronavirus Act 2020 and subsequent regulations

6. Information shared

6.1 Personal Data will only be shared to meet the stated objectives of the Controllers involved as outlined in this agreement.
6.2 Only the minimum data required will be shared and where appropriate anonymisation or pseudonymisation should be considered.
6.3 Information shared as part of this Agreement will be in line with satisfying the Agreed Purpose.
6.4 For details of the Personal Data will be shared as part of this Agreement see Appendix A.
6.5 Personal Information will be shared:
a. electronically with the appropriate security measures in place to ensure the safe transfer of personal data such as the use of Capita One, DataLocker and/or secure email such as Microsoft TLS (encrypted/password-protect document); and/or
b. Hard copy by post with the appropriate security measures in place such as tracked or special delivery or by bonded courier. Hard copy data sent by post should include a return address and label the packaging ‘For Addressee Only’.

7. Fairness and Transparency

7.1 Data Protection Legislation requires that in order for processing to be fair and transparent the Controllers must make certain information available to the individuals. This includes:

• The identity of the organisation(s) processing the information
• Contact details of the Data Protection Officer
• Why the information is being collected and how it will be used including lawful basis
• Any other organisation the information will be shared with
• Source of the information if not directly obtained from the individuals
• How individuals can exercise their rights

7.2 Coventry City Council provide privacy notice for all service areas on their website
7.3 The academy/school/trust provides the main privacy notice on their website or provides this to appropriate individuals before data processing takes place.
7.4 Where a processor software provider is used for sharing between the Controllers, these will be governed by a data protection compliant contract outlining the appropriate safeguards in place whilst any personal data is processed.

8. Individuals Rights and Controller Obligations

• 8.1. Individuals should also be informed of their rights which include:
  • How to gain access to their information
  • How to rectify incorrect information
  • How to ask for their information to be erased if no longer needed
  • If applicable, how to restrict how their information is used or object to it being used
  • How to withdraw consent where this has been relied upon
  • How to lodge a complaint with the ICO
• 8.2. Both the Education Provider and the LA must ensure that they support individual rights when sharing personal data. An example of this is notifying one another of inaccuracies or discrepancies in the data.
• 8.3. If a Controller receives a request under the subject access provisions of the Data Protection Legislation and/or Freedom of Information Act 2000, and the data is identified as belonging to another Controller, the receiving Controller will contact the other Controller to determine if the latter wishes to claim an exemption.
• 8.4. Each Controller shall have policies and procedures in place to respond to requests and handle complaints relating to an individual’s inability to exercise their rights. Individuals must be provided with information about these policies and procedures where appropriate. Complaints relating to shared information under this agreement will be the responsibility of the Controller receiving the complaint if it relates to information they have shared.
• 8.5. All Controllers shall provide each other with full co-operation and assistance in relation to any complaint or request made, including, without limitation:
• Providing full details to the other Controllers (as appropriate) of the complaint or request.
• Complying with subject access requests within the relevant timescales
• Providing the other Controllers (as appropriate) with any information that may help in responding to or resolving the complaint or request.
• 8.6 The Local Authority will provide advice and guidance to support the data transfer process.
• 8.7 Both Controllers agree to provide information to one another and work in respect of achieving the Agreed Purposes.
• 8.8 The key contact in each organisation will be responsible for coordinating requests, complaints and information security incidents.

9. Data Security and Access

• 9.1. Controllers to this Agreement will have appropriate organisational and technical measures in place to safeguard all information shared as part of this agreement against accidental loss, destruction, damage, alteration or disclosure. This includes but is not limited to staff training, data protection policies, records of processing activities and access controls.
• 9.2. Signatory parties are expected to train their relevant staff and promote awareness of the major requirements of information sharing, including responsibilities in confidentiality and data protection.
• 9.3. Access to information subject to this agreement will only be granted to those professionals who ‘need to know’ to effectively discharge their duties.
• 9.4. The information to be shared under this Agreement is personal data and is classified as ‘OFFICIAL – Sensitive’ under the Government Security Classifications Scheme April 2014.
• 9.5. Controllers shall immediately notify each other of any security breach in relation to the information being obtained or shared as part of this Agreement and shall keep a record of such breaches. Where there is a risk to individuals, the notification should be within 24 hours of becoming aware of the breach.
• 9.6. The Controller where the breach has occurred should do its best to contain the breach and shall conduct a full investigation of the breach and the findings of the investigation will be shared with the other Controllers.
• 9.7. All Controllers shall co-operate fully in any investigation that another Controller considers necessary to undertake as a result of any breach.
• 9.8. The Education provider’s Senior Leadership Team under the guidance of their Data Protection Officer will take responsibility for notifying the Local Authority of any breach of the LA’s personal data where this is appropriate.
• 9.9. The Local Authority’s Information Governance Team under the guidance of their Data Protection Officer will take responsibility for notifying the Education Provider of any breach of the Education Provider’s personal data where this is appropriate.
• 9.10 The Controllers will discuss (within 48 hours of recognising the breach) who will take responsibility for informing the ICO, where appropriate and the data subject,
• where appropriate, of the breach.
• 9.11 When using ‘Data Locker’ the Senior Leadership Team is responsible for ensuring that only authorised staff within the school/academy/trust have access to the documents containing sensitive data shared via the portal.
• 9.12. The academy/trust/school should have procedures in place for reviewing who has access to the portal and ensuring staff that leave or change roles in the schools/academy/trust have their access rescinded.

10. Data Quality and Retention

• 10.1 Controllers shall agree that different retention schedules apply and these will be available on their individual websites.
• 10.2 Parties will ensure that all information shared under this agreement, regardless of format, will be securely retained, managed, stored and securely destroyed in accordance with their own local policies and procedures to ensure compliance with the Data Protection Act 2018 and any subsequent relevant legislation.
• 10.3. When information is no longer needed either at the end of the retention period or when the agreement is terminated, the Controller providing the information must be informed that the information has been securely disposed of or deleted or returned to the original Controller.
• 10.4. Each Controller is responsible for ensuring that the Personal Data they share is accurate and up to date. In so far as is possible, the Controllers will inform one another of a validly received request for rectification or where data is discovered to be inaccurate, out of date or inadequate for the purpose. The relevant Data Controller responsible for notifying all other recipients of the information who must also ensure the correction is made.
• 10.5. The quality and accuracy of personal data will be managed in accordance with each Controllers Data Protection Policy.

11. Review

• 11.1. This Agreement will be reviewed annually or at any time when there is a need to vary it due to changes in its requirements or Controllers to the agreement.

12. Other Data Protection Legislation Requirements

• 12.1. Where appropriate, explicit and informed consent must be sought and freely given. Controllers must ensure that consent is appropriately and clearly documented.
• 12.2. Where the need to complete a Data Privacy Impact Assessment (DPIA) is identified before sharing of any Personal Data, the process will be undertaken by the Data Controller(s) of the information. In addition to providing robust justification for the sharing of personal data for specified purposes, DPIAs will evidence compliance with the principles of the Data Protection Legislation and any other relevant legislation including Caldicott Principles where applicable.
• 12.3. Each Controller will be responsible for its own compliance with the current Data Protection Legislation and all relevant associated legislation. This includes ensuring that it has the appropriate local policy and process frameworks in place to underpin best practice.

13. Termination

• 13.1. Where applicable, any Controller may terminate this Agreement by giving one month’s [can be varied to 3 months based on the amount of data shared] notice in writing to other Controllers unless the data is required to be shared in order to comply with a legal obligation. Any information disclosed to the Controller should be securely returned following the agreed termination date. Obligations of confidentiality imposed on the Controllers by this agreement shall continue in full force and effect after the expiry or termination of this agreement.

14. Statement of Compliance

• 14.1. In signing this Agreement all Controllers accept that they will follow the procedures within it when sharing information in a manner compliant with statutory and legal requirements.
• 14.2. Each Controller shall not knowingly or negligently process Shared Personal Data in such a way that it places any Controller in breach, or potential breach, of the Data Protection Legislation or any relevant associated legislation.
• 14.3. Controllers will comply with any specific requirements specified by the Data Controller(s) regarding the processing of personal information which the Data Controller(s) share(s) through this agreement.
• 14.4. Controllers will only disclose Shared Personal Data with it through this Agreement where permission for that disclosure has first been agreed by the Data Controller which provided the information unless the Controller considers that there is a clear legal obligation for disclosure without the Data Controller’s consent.
• 14.5. Compliance with the Agreement will be monitored by each Controller in accordance with their own policies and procedures.
• 14.6. Controllers will keep all other Controllers fully indemnified against any and all costs, expenses and claims arising out of any breach of this agreement incurred as a result of the Controller’s failure to comply with the requirements of the Data Protection Legislation or any relevant legislation.

15. Commencement

This agreement shall take effect from the date that the Parties sign the agreement and shall continue in force until this agreement is terminated under one of the conditions stated in clause 12 above.

16. Dissemination of the Agreement

All Parties will disseminate copies of this Agreement to all relevant staff and, on request, to the data subjects of the Agreement process and will ensure that appropriate training is provided to all relevant staff.

Signatories

These will be senior management of each Controller committing to comply with the terms of this agreement.

Management Approval

As above.

Distribution

• Controllers to the Agreement
• Coventry City Council
• Academies/schools/trusts

Appendix A

Appendix B

Appendix C