Spear Data Protection
JOINT DATA CONTROLLER AGREEMENT
This Joint Data Controller Agreement (‘the Agreement’) is made on Thursday January 27th 2022 (the ‘Effective Date’) between the following parties:
Parties
(1) ResurgoTrust(DataController1)StPaul’sPlace,MacbethStreet,LondonW69JJ (or any other address as registered on Companies House for Co. No. 4670794)
(2) [Preston Minster (Data Controller 2) Church Street, Preston, PR1 3BT Together and hereinafter referred to as ‘the Parties’.
Roles and Responsibilities
Each party shall nominate a single point of contact within their organisation who can be contacted in respect of queries or complaints in relation to this
Agreement or any data protection issues.
- Resurgo Trust’s Data Manager can be contacted at harriet.williams@resurgo.org.uk
- [Preston Minster’s] Information Manager can be contacted at laura.fraser@prestonminster.org
Background
(1) Resurgo Trust and Preston Minster work in partnership to run the Spear Lite pilot in Preston, supporting young people facing barriers to work to enter
sustainable employment. This partnership is governed by a collaboration agreement dated 26.1.22.
(2) In order to run the Spear Lite pilot in partnership effectively, both parties need to share control of certain Data relating to Spear coaches (employed by
Preston Minster) but with the programme managed jointly by Resurgo and the Church) and young people who participate in the Spear programme.
(3) The following Agreement between the Parties reflects the arrangements that they have agreed to put in place to facilitate the sharing of Personal Data between the Parties (who act as joint Data Controllers) and explains the Agreed Purposes for which that Personal Data may be used. Both parties will continue to be responsible for the safety of and consent relating to data they control and process in accordance with their own data protection policy and privacy notice.
1. Agreed terms
Interpretation
The following definitions and rules of interpretation apply in this Agreement. 1.
Definitions:
Data Protection Laws mean the governing data protection laws of the UK from time to time.
The Spear Lite Pilot means the programme of employability-focussed coaching support, created by Resurgo, in its current delivery form during the pilot period as set out in the collaboration agreement between the parties.
Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of personal data means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric/genetic data.
Shared Personal Data means the Personal Data to be shared and processed between the Parties. Shared Personal Data shall be confined to the following categories of information relevant to the following categories of data subject:
a) The names, contact details, given barriers to employment, education history, progress on the Spear programme and employment progress within 1 year
after the end of Spear Foundation of young people taking part in the Spear programme.
b) The names, contact details, employment contract details and any details relating to performance of employees of the Spear Trust. In some circumstances, special category personal data of employees may be processed (for example relating to health, to ensure employees are safe at work) and in these cases any processing will be in line with GDPR.
Controller, data controller, processor, data processor, data subject as set out in the relevant Data Protection Laws in force at the time.
Data Discloser means the party transferring the Personal Data to the Data Receiver. Either party may be a Data Discloser.
Data Receiver means the party receiving the Personal Data from the Data Discloser. Either party may be a Data Receiver.
Permitted Recipients means the parties to this Agreement, the directors and employees of each party, and any third parties engaged to perform obligations in connection with this Agreement.
Process/Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Written notice means any notice given to a party under or in connection with this Agreement and shall be:
- Delivered by pre-paid first-class post or other next working day delivery service at the address set out above, or sent by email to the principal contact as agreed between the parties.
Written notice shall be deemed received:
- If sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second day after posting; and
- If delivered by email, at the time it is sent as recorded by the sender’s system.
2. Agreed Purposes
2.1 The Parties consider the sharing of Personal Data is necessary to support the following agreed purposes of the Parties:
a) to enable Data Controller 1 to deliver on its obligations to Data Controller 2, namely the provision of tailored support to trainees and the impact measurement of Spear programme outcomes
b) to enable Data Controller 1 to deliver on its obligations to Data Controller 2 with regard to the support and training of Spear coaches employed by Data
Controller 2 but jointly managed by the parties.
c) processing for the purpose of legitimate interests pursued by Data Controller 2, namely
i) to enable Data Controller 2 to maintain up to date records of Spear participant groups, and programme impact and outcomes for the purposes of fundraising and provision of tailored support to trainees;
d) for Data Controller 1 to have clarity as to the Spear centres which it should provide additional support to.
3. Data Protection
3.1 Each party acknowledges that the Data Controller (as the Data Discloser) will, as necessary, disclose to the Data Controller (as the Data Recipient) Shared Personal Data collected by the Data Controller for the Agreed Purposes.
3.2 Each party shall comply with all the obligations imposed on a controller under the Data Protection Laws in the performance of its obligations under this agreement and any other agreement between the parties which pertains to Shared Personal Data (“Relevant Agreements”), and any material breach of the data Protection Laws in respect of a Relevant Agreement by one party shall, if not remedied within 30 days of written notice from the other party, give grounds to the other party to terminate this Agreement with immediate effect.
4. Data Protection Obligations
4.1 Each party shall:
a) be responsible for the creation and publication of their own privacy notices;
b) ensure that such privacy notices are clear and provide sufficient information to Data Subjects in order for them to understand what of their Personal Data is being shared between the Parties, the circumstances in which it will be shared, the purposes for the Data Sharing and either the identity with whom the data is shared or a description of the type of organisation that will receive the Personal Data, as well as how Data Subjects can make a Data Subject Access request;
c) ensure it has all necessary notices in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes;
d) give full information to any data subject whose Personal Data may be processed under this Agreement of the nature of such processing. This includes giving notice that, on the termination of this Agreement, Personal Data relating to them may be retained by or, as the case may be, transferred to one or more of the Permitted Recipients, their successors or assignees. Such information shall be contained within the Privacy Notice of each party;
e) process the Shared Personal Data only for the Agreed Purposes; not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients;
f) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous that those imposed by this Agreement;
g) ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, personal data;
h) not transfer any Personal Data to any party beyond the parties to this agreement, except with the agreement of the other party, the Data Subject, and any other relevant consents and safeguards.
5. Mutual Assistance
5.1 Each party shall provide reasonable assistance to the other in complying with all applicable requirements of the Data Protection Laws insofar as they pertain to Relevant Agreements. In particular, each party shall:
a) consult with the other party about any notices given to data subjects in relation to the Shared Personal Data;
b) promptly inform the other party about the receipt of any data subject access requests;
c) provide the other party with reasonable assistance in complying with any data subject access request;
d) not disclose or release any Shared Personal Data in response to a data subject access request without first consulting the other party wherever possible;
e) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities and regulators;
f) notify the other party without undue delay on becoming aware of any breach of the Data Protection Laws;
g) use compatible technology for the processing of Shared Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;
h) maintain complete and accurate records and information to demonstrate its compliance with this agreement; and
i) provide the other party with contact details of at least one employee as point of contact and responsible officer for all issues arising out of the Data Protection Laws, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the Data Protection Laws.
6. Data Retention
6.1 The parties shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.
6.2 The parties shall publish details of their respective retention schedules on their websites.
6.3 On termination of this Agreement for whatever reason both parties will return or destroy any shared data unless they are required to keep the data by legislation.
7. Indemnity
7.1 Each party shall indemnify the other against all liabilities, costs, expenses, damages and losses (including any direct or indirect losses and all interest, penalties and reasonable legal costs (calculated on a full indemnity basis and all other reasonable professional costs and expenses), but not including consequential losses, loss of profit or loss of reputation) suffered or incurred by the indemnified party caused by the breach of Data Protection Laws in respect of a Relevant Agreement by the indemnifying party, its employees or agents, provided that the indemnified party gives to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it and reasonable assistance in dealing with the claim.
8. Publication
8.1 A copy of this Agreement will be published on the websites of the Parties to demonstrate an open and transparent approach to data sharing.
9. Variation and Review
9.1 No variation of this Agreement shall be effective unless it is in writing and signed by the Parties.
9.2 The effectiveness of the Agreement shall be reviewed alongside any contractual renewal between the Parties.
9.3 In the event of a data breach this Agreement shall be reviewed immediately to determine what, if any, amendments are required to ensure that no further breaches take place.
10. Entire Agreement
10.1 This Agreement constitutes the entire agreement between the Parties in relation to the sharing of Personal Data, and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.
10.2 The Parties acknowledge that in entering into this Agreement they do not rely on and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.
10.3 The Parties agree that they shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this Agreement.
10.4 Nothing in this Agreement shall limit or exclude any liability for fraud.
11. Governing Law and Jurisdiction
11.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the law of England and Wales.
11.2 The Parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject mater or formation.
12. Counterparts
12.1 This Agreement may be executed in any number of counterparts, each of which when executed and delivered shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement. No counterpart shall be effective until each Party has executed and delivered at least one counterpart.
This agreement has been entered into on the date stated at the beginning of the agreement.
Signed by Harriet Williams on behalf of Resurgo Trust Signature[.......................................]
Date [............................................]
Signed by Laura Fraser on behalf of Preston Minster Signature Laura Fraser
Date 27.1.22