
Data Sharing Schedule (Independent Controllers)

Internal ICAEW policy

Published: 12 Jan 2018. Updated: 05 Mar 2021.

This Schedule forms part of the Agreement entered into between **** and ICAEW, effective from the Commencement Date (the “Agreement”).

Pursuant to the terms of the Agreement each Party wishes to share certain Personal Data (as hereafter defined). Each Party wishes to ensure that the other Party complies with its legal obligations in connection with such Personal Data and otherwise agrees the responsibilities set out in this Schedule. Accordingly, in consideration of the benefits to the Parties of sharing Personal Data, the Parties agree to comply with the following terms.

1. Definitions and interpretations

1.1. Any words defined in the Agreement and used in this Schedule shall have the meaning given in the Agreement. Otherwise, in this Schedule, unless the context otherwise requires, the following words and expressions shall have the following meanings:

“Agreed Purposes”

has the meaning given to that term in clause 2.5.1.

"Applicable Laws"

means the laws of England and Wales, the laws of the European Union so long as these apply in England and Wales, and any other laws or regulations, regulatory policies, guidelines or industry codes which apply to data processing carried out in connection with this Agreement.

"Controller"

means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing of Personal Data.

“Criminal Offence Data”

means Personal Data relating to criminal convictions and offences or related security measures to be read in accordance with section 11(2) of the DPA 2018 (or other applicable Data Protection Legislation).

"Data Protection Legislation"

means any Applicable Law relating to the processing, privacy, and use of Personal Data, as applicable to ICAEW, the Supplier and/or the Services, including without limitation:

  1. in the United Kingdom:
    1. the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426 (as amended);
    2. the UK General Data Protection Regulation (as defined in section 3(10) (as supplemented by section 205(4)) of the DPA 2018); and
    3. any corresponding or equivalent national laws or regulations implemented in the UK;
  2. in member states of the European Union: the General Data Protection Regulation (EU) 2016/679 and the ePrivacy Directive (2002/58/EC), and all relevant member state laws or regulations giving effect to or corresponding with any of them; and
  3. any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Regulator.

“Data Subject”

means an identified or identifiable living individual (or natural person) to whom Personal Data relates.

“Disclosing Party”

means a Party to this Agreement which discloses or makes available directly or indirectly Personal Data.

“Party”

means a Party to the Agreement and “Parties” shall be construed accordingly.

“Personal Data”

means any information relating to an identified or identifiable individual (or natural person).

“Personnel”

means any employee, officer or director, or an individual working as a consultant, independent contractor or agent, and/or temporary worker of a Party.

“Processing”

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, including (without limitation) collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, combining, restricting, erasing or destroying (and related terms such as process have corresponding meanings).

“Recipient”

means a Party to this Agreement which directly or indirectly receives Personal Data.

“Regulator”

means the UK Information Commissioner’s Office and the European Data Protection Board or any successor body to either regulator from time to time and any other supervisory authority with jurisdiction over either Party.

"Security"

means a Party’s technological, physical, administrative, organizational and procedural safeguards, including, without limitation, policies, procedures, guidelines, practices, standards, controls, hardware, software, firmware and physical security measures, the function or purpose of which is, in whole or part, to: (a) protect the confidentiality, integrity or availability of Shared Data; (b) prevent the unauthorized use of or unauthorized access to Shared Data; (c) prevent the loss, theft or damage of Shared Data; or (d) comply with Data Protection Legislation.

"Security Breach"

means any actual, threatened, or reasonably suspected: (a) unauthorized use of, or unauthorized access to Shared Data, damage to, or inability to access, Shared Data due to a malicious use, attack or exploit of such Shared Data; (b) unauthorized access to, theft of or loss of Shared Data; (c) unauthorized use of Shared Data for purposes of actual, reasonably suspected or attempted theft, fraud, identity theft or other misuse; (d) unauthorized disclosure of Shared Data.

“Shared Data”

means Personal Data held by one Party as a Controller, which is provided to the other Party as a Controller under this Agreement.

“Special Categories of Personal Data”

means the special categories of Personal Data set out in the Data Protection Legislation.

1.2. Clause headings shall not affect the interpretation of this Schedule.

1.3. A person includes a natural person, corporate or unincorporated body (whether or not having separate legal personality).

1.4. Unless the context otherwise requires, words in the singular shall include the plural and in the plural include the singular.

1.5. A reference to a statute or statutory provision is a reference to it as it is in force for the time being, taking account of any amendment, extension, or re-enactment, and includes any subordinate legislation for the time being in force made under it.

1.6. Any words following the terms including, include, in particular, for example or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.

1.7. Any obligation in this Schedule on a person not to do something includes an obligation not to agree or allow that thing to be done.

2. Data sharing

2.1. The parties shall each comply with their respective obligations under the Data Protection Legislation when Processing Shared Data pursuant to the terms of this Schedule.

2.2. The Work Statement sets out a description of Shared Data for illustrative purposes and is set out without limitation to the generality of Shared Data that may be Processed pursuant to the terms of this Schedule.

2.3. For the purposes of this Clause 2, the Parties acknowledge that in respect of Shared Data Processed pursuant to the terms of this Schedule and the Agreement the Parties are separate and independent data Controllers. Depending on the circumstances of a specific transfer of Personal Data, one Party will be the Recipient and the other the Disclosing Party.

2.4. Both Parties shall at all times remain responsible for the acts and omissions pursuant to this Schedule of their respective Personnel and suppliers.

2.5. The Parties shall only Process Shared Data:

2.5.1. for the purposes set out in Annex 1 and/or the purpose or purposes set out in their respective privacy notices, copies of which shall be provided to the other Party upon request (the "Agreed Purposes"); and

2.5.2. for so long as is necessary to carry out the Agreed Purposes, save to the extent that they are required to retain such Shared Data in accordance with any statutory or professional retention periods and/or Applicable Law.

2.6. Each party shall comply with its own obligations under this Clause at its own cost.

2.7. Each Party shall comply with its own obligations under this Clause at its own cost.

2.8. Each Party shall appoint a single point of contact for Data Subjects who will work together to reach an agreement with regards to any issues arising from the data sharing and to improve actively the effectiveness of the data sharing initiative. Each Party’s point of contact is named in Annex 1.

3. Warranties

3.1. The Disclosing Party represents, warrants and covenants during the term of the Agreement that, in relation to the Shared Data:

3.1.1. the Shared Data has been obtained by the Disclosing Party in accordance with the Data Protection Legislation;

3.1.2. privacy notices provided to Data Subjects are compliant with, and have been provided to the Data Subject in a manner which is compliant with, the Data Protection Legislation;

3.1.3. there are no circumstances of which the Disclosing Party is aware which are likely to give rise to a breach of the Data Protection Legislation in the future (including any unauthorised disclosure) or to any notice, complaint, claim or notification from a Data Subject or Regulator;

3.1.4. the Shared Data will, at the time of sharing with the Recipient, be accurate and it has appropriate internal procedures in place for the Recipient to sample Shared Data prior to sharing and it will update the same if required prior to transferring the Shared Data; and

3.1.5. transferring the Shared Data to the Recipient in accordance with this Schedule will not constitute a breach of the Data Protection Legislation.

3.2. The Recipient represents, warrants and covenants during the term of the Agreement that, in relation to the Shared Data:

3.2.1. its privacy notices provided to Data Subjects are compliant with, and have been provided to the Data Subject in a manner which is compliant with, the Data Protection Legislation;

3.2.2. it shall return any Shared Data to the Disclosing Party or destroy it in accordance with any deletion procedures as may be agreed between the Parties in the following circumstances:

(a) on termination of its involvement in this Agreement;

(b) on expiry of this Agreement; or

(c) once processing of the Shared Data is no longer necessary for the purposes it was originally shared for.

3.2.3. it will not disclose or transfer the Shared Personal Data to a third party Controller located outside the United Kingdom or European Economic Area unless it complies with the obligations set out in clause 5.

3.3. Each Party warrants and undertakes that it:

3.3.1. has such valid registrations as are required by the Regulator which cover the intended data sharing pursuant to this Agreement, unless an exemption applies;

3.3.2. will Process the Shared Data fairly and lawfully in accordance with this Schedule and the Agreement and all Applicable Laws;

3.3.3. will ensure that it has legitimate grounds under the Data Protection Legislation for the Processing of the Shared Data;

3.3.4. [will use compatible datasets and record all Shared Data].

4. Security

4.1. Both Parties shall implement appropriate technical and organisational measures to ensure a level of Security appropriate to the risk involved under this Schedule to:

4.1.1. protect all Shared Data from unauthorized use, alteration, access or disclosure, and loss, theft, and damage, and to protect and ensure the confidentiality, integrity and availability of Shared Data; and

4.1.2. prevent a Security Breach.

4.2. Both Parties shall keep accurate records of the Security measures which they have in place and shall make such records available to the other Party upon request.

4.3. Security measures shall be regularly tested by each Party to assess the effectiveness of the measures in ensuring the security, confidentiality, integrity, availability and resilience of Shared Data, and the Party's compliance with this Schedule and the Party's obligations under the Data Protection Legislation. Both Parties shall maintain records of the testing.

4.4. Each Party is responsible for ensuring that its Personnel are appropriately trained to handle and process the Shared Data in accordance with the above mentioned technical and organisational security measures together with any other applicable Data Protection Legislation and guidance and have entered into confidentiality agreements relating to the Processing of Personal Data.

4.5. In the event of a Security Breach, the Recipient shall notify the Disclosing Party without undue delay and in any event within twenty-four (24) hours after the Recipient or its suppliers, contractors and/or agents discovered such Security Breach.

4.6. Following the notification referred to in Clause 4.5 of this Schedule above, each Party shall provide assistance and co-operation to the other Party to mitigate the Security Breach, including to:

4.6.1. immediately conduct a reasonable investigation of the reasons for and circumstances of such Security Breach;

4.6.2. take all necessary actions to prevent, contain, and mitigate the impact of, such Security Breach, and remediate such Security Breach, without delay;

4.6.3. remediate the effects of a Security Breach;

4.6.4. promptly produce a written report setting out all relevant details concerning such Security Breach, including without limitation any security, risk or compliance assessment and security control audit reports; and

4.6.5. provide regular updates to the other party following a Security Breach.

5. Transfers

5.1. For the purposes of this clause, transfers of Shared Data shall mean any sharing of Personal Data by the Recipient with a third party, and shall include subcontracting the Processing of Shared Data or granting a third party Controller access to the Shared Data.

5.2. If the Recipient appoints a third party Processor to Process the Shared Data it shall comply with the relevant provisions of the Data Protection Legislation and shall remain liable to the Disclosing Party for the acts and/or omissions of the Processor.

5.3. The Recipient shall not transfer Shared Data to a third party located outside of the United Kingdom or European Economic Area unless it ensures that:

5.3.1. the transfer is to a country approved under the applicable Data Protection Legislation as providing adequate protection;

5.3.2. there are appropriate safeguards or binding corporate rules in place pursuant to the applicable Data Protection Legislation;

5.3.3. the transferee otherwise complies with the Recipient’s obligations under the applicable Data Protection Legislation by providing an adequate level of protection to any Shared Data that is transferred; or

5.3.4. one of the derogations for specific situations in the applicable Data Protection Legislation applies to the transfer.

5.4. Where the Recipient is located in a country that is not recognised by the UK Government as offering adequate protection for Personal Data, the provisions set out in Annex 2 shall apply.

6. Records, notification and assistance

6.1. Both Parties shall at their own cost:

6.1.1. keep a record of any Processing of Shared Data it carries out;

6.1.2. notify the other Party promptly (but in any event within 24 hours) should it receive any Data Subject access request or complaint or any information notice, enforcement notice or other correspondence from a Regulator, individual or third party in respect of Shared Data, or become aware of any circumstance which may cause either Party to breach this Schedule or which may cause either Party to breach the Data Protection Legislation; and

6.1.3. reasonably cooperate and coordinate with the other Party concerning the other Party's compliance with Data Protection Legislation.

7. Reservation of rights and acknowledgement

7.1. All Shared Data shall remain the property of the relevant Disclosing Party where such proprietary rights arise at law. Each party reserves all rights in its Shared Data. No rights, including intellectual property rights, in respect of a party's Shared Data are granted to the other Party and no obligations are imposed on the Disclosing Party other than those expressly stated in this Schedule.

7.2. Except as expressly stated in this Schedule, no Party makes any express or implied warranty or representations concerning its Shared Data, or the accuracy or completeness of the Shared Data.

8. Review

8.1. The Parties shall review the effectiveness of the data sharing initiative annually, having consideration to the aims and purposes set out in Annex 1. The Parties shall continue, amend or terminate this Agreement depending on the outcome of this review.

8.2. If during the term of this Agreement the Data Protection Legislation changes in a way that means the Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the Parties agree to negotiate in good faith to review this Schedule in the light of the changes.

9. Disputes with data subjects

9.1. In the event of a dispute, complaint or claim brought by a Data Subject or the Regulator concerning the processing of Shared Data against either or both Parties, the Parties will inform each other about any such disputes, complaints or claims, and will cooperate with a view to settling them amicably in a timely fashion.

9.2. The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the Regulator. If they do participate in the proceedings, the Parties may elect to do so remotely (such as by telephone or other electronic means). The Parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.

9.3. Each Party shall abide by a decision of a competent court of the Disclosing Party’s country of establishment or of the Regulator.

Annex 1

The details of the data sharing taking place under this Agreement are set out below.

[The Parties consider the sharing of the Shared Personal Data to be necessary and proportionate for [DESCRIBE REASON(S)].

The aim of sharing the Shared Personal Data is [DESCRIBE AIM(S)].

It is fair as it will benefit [individuals, the parties OR society] by [DESCRIBE BENEFITS] and will not unduly infringe the Data Subjects' fundamental rights and freedoms and interests.]

Data Subjects

[Insert the categories of persons whose personal data will be shared under the agreement]

Categories of Shared Data

[Insert the categories of personal data that will be shared under the agreement]

Categories of Special Categories of Personal Data (if any)

[Insert the categories of special category personal data that will be shared under the agreement]

Categories of Criminal Offence Data (if any).

[Insert the categories of criminal offence data that will be shared under the agreement]

Agreed Purposes

[insert the purposes for which data will be shared under the agreement]

Nature of processing

[insert the type of processing that will occur under the agreement]

Duration of the processing

[insert the duration for which personal data will be processed under the agreement]

Single Point of Contact (including in respect of breach notifications)

Report any data breach to the ICAEW Data Protection Office on:

dataprotection@icaew.com
+44 (0)1908 248 250

Report any data breach to [for supplier]:

Email:
Telephone number:


Annex 2

In this Annex the following terms have the following meaning:

Standard Contractual Clauses
means contractual clauses that have been approved by the UK Government and/or the European Commission (as applicable) as providing adequate safeguards for the transfer of Personal Data to overseas jurisdictions, copies of which can be accessed on ICAEW’s website (or at such other links as may be provided by ICAEW from time to time).

1.1 Prior to any Personal Data being transferred by the Disclosing Party to the Recipient, the Parties shall ensure that they have executed the relevant Standard Contractual Clauses. If, during the term of this Agreement, the form of the Standard Contractual Clauses executed by the Parties is superseded by a new set of Standard Contractual Clauses, the Parties shall promptly execute the new set of Standard Contractual Clauses.

1.2 The Recipient warrants and undertakes that:

1.2.1 it is able to and shall comply with all requirements of the Standard Contractual Clauses; 

1.2.2 the information set out in Annex A is true, accurate and complete and the Recipient shall notify the Disclosing Party promptly if there is any change to the information set out in Annex A;

1.2.3 it shall not voluntarily co-operate with any public authorities to provide Personal Data to such authorities unless it is legally compelled to do so pursuant to a court order;

1.2.4 if the Recipient receives any requests for access to Personal Data from public authorities, the Recipient shall:

(a) review the legality of any order to disclose Personal Data, including whether the order is within the remit of the powers granted to the requesting authority; 

(b) challenge the order if, after assessment, the Recipient concludes that there are grounds under applicable laws to do so;

(c) when challenging an order, seek interim measures to suspend the effect of the order until a decision is made by relevant courts on the challenge to the order;

(d) not disclose any Personal Data requested until required to do so under applicable procedural rules;

(e) inform the requesting public authority that the order is incompatible with the safeguards contained in the Standard Contractual Clauses and there is therefore a conflict of obligations for the Recipient;

(f) where it is legally permitted to do so, the Recipient shall notify the Disclosing Party that the order has been received as soon as possible;

(g) where it is necessary to disclose Personal Data, having followed the steps set out in this clause 1.2.4, only provide the minimum amount of Personal Data permissible when responding to the order, based on a reasonable interpretation of the order;

1.2.5 it has not created, and will not create, any back doors or similar programming that could be used by public authorities to access the Recipient’s systems and/or Personal Data held in the Recipient’s systems; 

1.2.6 it has not created or changed, and will not create or change, its business processes in a manner that facilitates access to Personal Data or the Recipient’s systems by public authorities;

1.2.7 neither national law nor government policy to which the Recipient is subject requires the Recipient to create or maintain back doors, to facilitate access to Personal Data or the Recipient’s systems, or to be in possession of or to hand over any encryption keys to public authorities;

1.2.8 it shall comply with the supplementary measures set out in Annex B (if applicable);

1.2.9 it shall not engage in any onward transfer of the Personal Data, whether within the same jurisdiction or to another jurisdiction, without the prior written consent of the Disclosing Party;

1.2.10 where the Recipient is legally obliged to provide access to Personal Data to a public authority and a Data Subject wishes to seek access, rectification, erasure or restriction of processing of such Personal Data by the public authority, or otherwise seeks redress against the public authority, the Recipient shall provide all necessary assistance and legal support to the Data Subject (at the Supplier’s cost) to enable the Data Subject to exercise their rights and/or seek redress against the public authority; and

1.2.11 it shall notify the Disclosing Party promptly if it is not able to comply with any of the warranties and undertakings given in this clause 1.2 or if any of the warranties or undertakings are breached.

1.3 If:

1.3.1 the Standard Contractual Clauses become invalid; or

1.3.2 the Recipient is not able to comply with the requirements of the Standard Contractual Clauses due to local laws or for any other reason; or 

1.3.3 the Recipient is in breach of any of the warranties and undertakings given in clause 1.2,

the Recipient shall, at the request of the Disclosing Party, put in place additional supplementary measures to protect Personal Data to the reasonable satisfaction of the Disclosing Party or immediately return all Personal Data to the Disclosing Party. If it is not possible to put in place additional supplementary measures to the satisfaction of the Disclosing Party or to return all Personal Data to the Disclosing Party while continuing to fulfil the obligations under this Agreement, the Disclosing Party shall be entitled to terminate this Agreement immediately.

1.4 The Recipient shall keep access and audit logs for all systems in which Personal Data is held and shall ensure that such access and audit logs distinguish between access to Personal Data carried out in connection with usual operating procedures and access to Personal Data due to orders or access requests from public authorities. The Recipient shall permit the Disclosing Party or its appointed auditor to carry out audits and inspection of the Recipient’s data processing facilities (including access to any audit logs) at any time to verify whether Personal Data has been disclosed to public authorities.

1.5 The Recipient shall indemnify on demand the Disclosing Party from and against all damages, liability, demands, costs and expenses (including legal and other professional fees, costs and expenses), claims, actions and proceedings suffered or incurred by the Disclosing Party arising out of or in connection with any breach of this clause 1 by the Recipient.

Annex A

Information regarding access to data by public authorities

  1. Location(s) in which Personal Data will be stored by the Recipient or from which it will be accessed by the Recipient (the “Data Location(s)”)
  2. Laws and regulations in the Data Location(s) that would permit access by public authorities to the Personal Data, in particular in the areas of intelligence, law enforcement, administrative and regulatory supervision
  3. Based on the Recipient’s experience, national case law and publicly reported cases, please provide an overview of the circumstances in which public authorities in the Data Location(s) access Personal Data of the type that will be transferred under this Agreement
  4. Measures taken by the Recipient to prevent access to Personal Data by public authorities
  5. Details of all requests to access Personal Data which the Recipient has received from public authorities in the last three years. Please provide details of the nature of the requests, data requested, requesting body and legal basis for disclosure and the extent to which Personal Data was disclosed in response to the request(s)
  6. Please specify whether the Recipient is legally prohibited from providing any of the information above.

Annex B

Supplementary measures to safeguard Protected Data

  1. [Insert details of any encryption requirements. Include details of encryption during transmission requirements.]
  2. [Insert details of specific retention and data deletion requirements]
  3. [Insert details of any anonymisation or pseudonymisation requirements]
  4. [Consider any other measures that could protect the data from unauthorised access by public authorities]