Partner tools

In section 3 of the ISA, add the legal basis for sharing. A list of the most commonly used ones are available in the document below.

Further information

Tools and guidance for creating information sharing agreements (ISAs)

Sensitive personal data

These are the types of data, which are classified as sensitive:

  • Racial or ethnic origin of the data subject;
  • His/her political opinions;
  • His/her religious beliefs or beliefs of a similar nature;
  • Whether s/he is a member of a trade union;
  • His/her physical or mental health or condition;
  • His/her sexual life;
  • The commission or alleged commission of any offence;
  • Any proceedings for any offence committed/alleged.

Schedule 2 conditions

In section 3 of the ISA, add the conditions which apply from the following list:

  • with the consent of the data subject
  • to establish or perform a contract with the data subject
  • to comply with a legal obligation
  • to protect the vital interests of the data subject
  • for the exercise of certain functions of a public interest nature
  • for the legitimate interests of the data controller unless outweighed by the interests of the data subject

Schedule 3 conditions

In section 3 of the ISA, add the conditions which apply from the following list:

  • with the explicit consent of the data subject
  • to perform any right or obligation under employment law
  • to protect the vital interests of the data subject or another person
  • for the legitimate activities of certain not-for-profit bodies
  • when the data have been made public by the data subject
  • in connection with legal proceedings
  • for the exercise of certain functions of a public interest nature
  • for medical purposes
  • for equal opportunity ethnic monitoring
  • for the prevention of any unlawful act
  • for protecting the public against dishonesty or malpractice
  • for publication in the public interest
  • for providing counselling, advice or any other service
  • for carrying on insurance business
  • for equal opportunity monitoring other than ethnic monitoring
  • by political parties for legitimate political activities
  • for research
  • for any lawful functions of a constable
  • by elected representatives
  • in the form of disclosures to elected representatives

The 8 Data Protection Principles

You must explain in the ISA how each principle will be met. The 8 principles are:

  1. processed fairly and lawfully
  2. processed only for specified, lawful and compatible purposes
  3. adequate, relevant and not excessive
  4. accurate and up to date
  5. kept no longer than necessary
  6. processed in accordance with the rights of data subjects
  7. kept secure
  8. transferred outside of the European Economic Area only if there is adequate provision.

An example of a table explaining how they can be met can be found below.

Human Rights Act Article 8

If the information you share is of a private nature (e.g. family life) you must meet one of the following criteria - and it must be necessary and proportionate to share. Add the relevant ones here to the ISA under section 4:

  • interests of national security
  • public safety
  • economic well-being of the country
  • prevention of disorder or crime
  • protection of health or morals
  • protection of the rights and freedom of others.

Data Controllers

Under section 5 you need to show who is the data controller:

Data controller

means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

Joint Data Controller

In relation to data controllers, the term jointly is used where two or more persons (usually organisations) act together to decide the purpose and manner of any data processing. e.g. A network of town-centre CCTV cameras is operated by a local council jointly with the police. Both are involved in deciding how the CCTV system is run and what the images it captures are used for. The council and the police are joint data controllers in relation to personal data processed in operating the system.

Data Controller in Common

The term in common applies where two or more persons share a pool of personal data that they process independently of each other. e.g. A government department sets up a database of information about every child in the country. It does this in partnership with local councils. Each council provides personal data about children in its area, and is responsible for the accuracy of the data it provides. It may also access personal data provided by other councils (and must comply with the data protection principles when using that data). The government department and the councils are data controllers in common in relation to the personal data on the database.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. e.g. A utilities company engages a company which operates call centres to provide many of its customer services functions on its behalf. The call centre staff have access to the utilities company’s customer records for the purpose of providing those services but may only use the information they contain for specific purposes and in accordance with strict contractual arrangements. The utilities company remains the data controller. The company that operates the call centre is a data processor.

See an example table showing data control below.


If parties are joint controllers or controllers in common, add the following indemnity in section 6:

"This Deed of Indemnity made the    of          2013 between the Parties in consideration of the agreement to make disclosures of Personal Data in accordance with the ISA. Each Party will keep each of the other Parties fully indemnified against any and all costs, expenses, claims and liabilities arising out of any breach of this agreement and in particular, but without limitation, the unauthorised or unlawful access, loss, theft, use, destruction or disclosure by the offending Party or its sub-contractors, employees, agents or any other person within the control of the offending Party of any data obtained in connection with this agreement.

Except where any limitation is proscribed by law such as but not limited to death or personal injury resulting from negligence (for which there shall be no limit), the maximum total aggregate liability of either Party to the other Party for loss and damage under or in connection with this Agreement or its subject matter due to the offending Party’s breach, tort (including negligence), breach of statutory duty or otherwise howsoever arising shall not exceed five million UK pounds £5,000,000.00."


You will also need to include the following for agreements where individuals who are not signed up to the ISP attend multi-agency meetings:

"The parties to this Agreement understand that there may be individuals present at certain meetings who are not employed by an organisation and therefore are not in a position to sign this Agreement due to the liability of the indemnity. In order to ensure that the data controllers who are supplying personal information to the meeting fulfill their duties under the Data Protection Act 1998 and that the principles are complied with, it is recommended that the first time any individual attends a meeting covered by this Agreement is required to sign a confidentiality agreement as set out in Appendix B. The responsibility for ensuring that this takes place and for retaining the signed copies lies with the Chair of the meeting."

Appendix B can be found below entitled 'meetings'.

Subcontractors or agencies

If you work with subcontractors or agencies you may wish to consider adding a contract in place with them in section 4. See the subcontractors voluntary agency document below.


Under section 9 ensure you include the document entitled 'security' as Appendix A.

Privacy Impact Assessment

You will find that carrying out a Privacy Impact Assessment (PIA) will help you assess your needs in the ISA. You can find the PIA template below.