
Information Sharing Agreement (ISA)


This agreement establishes a framework for the sharing of patient-entered data between two Data Controllers, where PKB is a Data Controller for patient-entered data (the Data Discloser) and the health care provider is a Data Controller for patient-entered data they use (the Data Receiver). PKB's legal basis to undertake this role as Data Controller (and Data Discloser) for patient-entered data is GDPR Art. 9.2(a) Explicit Consent. This consent is established directly between the patient and PKB via acceptance (by the patient) of PKB's User Agreement and Privacy Policy.

This ISA is similar to most health care providers' local ISAs. The PKB ISA references specific requirements and obligations placed upon each party as signatories to the agreement, principally to ensure that The Rights of Data Subjects are adequately met (Clause 6), that the processing is Fair and Lawful (Clause 4), and that the appropriate technical and organisational measures are in place (Clause 9).

As part of this sharing agreement, the obligations placed upon each party (Clauses 3, 6, 7, 9, 10, 12) are clearly defined and carefully mapped to the appropriate Data Protection legislation (Clause 3). It is important to note PKB's approach to deletion and data retention (Clause 7) and the criticality of this approach for patient-controlled systems. This approach may differ from a health care provider's local approach. This is because:

  1. PKB receives data from multiple parties about the patient, including data added by the patient.
  2. Multiple parties see the patient’s data, including the patient, because the patient can give anyone access at any time.
  3. The patient needs to have their data retained for their own usage beyond any contractual agreement between PKB and any institution.
  4. Professionals need medicolegal protection of having preserved the full PKB record on which they had made a medical decision.

PKB’s retention policy is defined in Clause 7. The PKB retention policy is derived directly from, and is in accordance with, the Records Management Code of Practice Health and Social Care 2016 (Appendix 3, Retention Schedule) and applies to all data within the PKB System.

Introduction Definitions: