Appendix 2: Joint controllers


Joint controllership: what it means

Joint controllers (UK GDPR Article 26) decide the purposes and means of processing together; they have the same or shared purposes. Controllers will not be joint controllers if they are processing the same data for different purposes.

ShCRs will be joint controllers, as between them, the organisations involved in the ShCR will be processing personal data for medical and related care purposes. Member organisations of a ShCR will decide on the precise purpose and manner for which personal data is processed within the ShCR.

As a ShCR is not a legal entity, joint controllers will need to set up and record their joint controllership arrangement. Such an arrangement must be clear about how individuals can exercise their data protection rights as well as setting out how the UK GDPR transparency requirements (set out under Article 13 and Article 14) will be met. Members of the ShCR also need to decide on how they will handle any organisations contracted as processors. They should also use the joint controllership arrangement to set out how members will share information within the ShCR to support the delivery of health and care.


How ShCRs can share information between member organisations

"Enhanced sharing": no new external record, rather just a method which allows individual controllers to get a record from wherever it is held within the ShCR membership.

"Combined record": each member organisation contributing to a (probably new) shared record they all have access to.

Whilst it is a relatively basic tool, the ICO online checklist does provide some points to consider when determining if you are acting "jointly".

Are we a joint controller? (The more you tick, the more likely you are)

  • We have a common objective with others regarding the processing.
  • We are working together and processing the personal data for the same purpose or purposes as another controller.
  • We are using the same set of personal data, for example, one database, for this processing as another controller.
  • We have designed this process with another controller.
  • We have common information management rules with another controller.

Enhanced sharing: the "enhanced sharing" type arrangement is a controller-to-controller arrangement; there is no single overarching shared record. From the ICO checklist this will mean:

  • common objective – linked up care, correct information and not having to ask the patient or service user every time
  • same set of personal data
  • designed this process with another controller – all ShCRs work together to establish the system
  • although they might use different policies, organisations still form part of a wider Framework, as most organisations will want to assure the compliance of others within the ShCR (DSP toolkit, DP laws, ShCR Framework agreement, common training requirements)

Combined model: this isn’t controller-to-controller, as a joint record is created that requires a common way of working between ShCR members, but similar factors are involved:

  • common objective – linked up care records, correct information and not having to ask the patient or service user every time
  • purpose – in creating the record they’re establishing a purpose for the creation of a joint record
  • same set of personal data
  • designed this process with another controller – all ShCRs work together to establish the system?
  • although different organisations’ policies can still be used within a wider Framework, as most organisations will want to assure the compliance of others in the ShCR (DSP toolkit, DP laws, ShCR Framework)

DPIAs and joint controllership

As joint controllers in a ShCR, it is important that all organisations come together to produce a DPIA covering the ShCR’s processing of personal data and implications for members of the ShCR.

As part of the UK GDPR’s transparency requirements, ShCRs should publish their DPIAs on the websites of member organisations. However, the security and storage arrangements used by the ShCR (as detailed in the DPIA) must not be published because of the risk of this information being misused.


Last edited: 31 March 2026 8:36 am