Disclaimer - This Agreement is provided by IRIS Connect as an example of what an Provider may wish to use to cover the sharing of data between themselves and their partner schools. It does not constitute legal advice and we, therefore, recommend that you seek the appropriate advice prior to any data sharing.
Overview:
IRIS Connect is an online platform that facilitates the secure sharing and analysis of video that will be used as a tool to support the provision of services by <provider name>.
To enable this, the School agrees to:
- The actions outlined in Schedule 1 (School Requirements Schedule) to ensure that the IRIS Connect is appropriately implemented for use.
- The data sharing agreement set out in Schedule 2 (Data Sharing Schedule), relating to the personal data shared in connection with the use of IRIS Connect.
Contents of this article:
Definitions:
1.1 In this Agreement the following words and phrases shall have the following meanings unless the context requires a different meaning: “Provider” <provider name and details> “School” The organisation for which and on behalf of you are signing this agreement “Parties” The provider and the School “Programme” <provider to fill in details of the specific programme or service that they are providing to the school including the duration> “Purpose” <Provider to insert details that cover the purpose of the use of the system for their programme> “Participant” A person that is fulfilling a role to support the Purpose of the outlined Programme for which either the Provider or the School may be responsible “Data Protection Legislation” Means the General Data Protection Regulation as enacted into English law (GDPR) as revised and superseded from time to time; (iii) Directive 2002/58/EC as revised and superseded from time to time; and (iv) any other laws and regulations relating to the processing of personal data and privacy which apply to a party and, if applicable, the guidance and codes of practice issued by the relevant data protection or supervisory authority “Data Discloser” Means the party disclosing Personal Information or on whose behalf Personal Data is disclosed “Data Receiver” Means the party to whom Personal Data is disclosed by or on behalf of the Data Discloser “Personal Data Breach” A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Shared Personal Data “Shared Personal Data” Means the personal data to be shared between the School and the Provider as described in this agreement “Term” Means the term of this Agreement which is related to the duration of the defined Programme |
1.2 Controller, Processor, Data Subject and Personal Data, Special Categories of Personal Data, Processing and “appropriate technical and organisational measures” shall have the meanings given to them in the Data Protection Legislation. |
1.3 In this Agreement, where the context so requires, the singular includes the plural and vice-versa; and references to statutory provisions include any provisions that amend, replace or supplement them. |
1.4 In this Agreement, clause, schedule and paragraph headings shall not affect the interpretation of this Agreement. |
1.5 In this Agreement, a reference to a statue or statutory provision shall include all subordinate legislation made from time to time under that statute or statutory provision |
Schedule 1
School Requirements:
The School shall ensure that all Participants in the Programme that are School staff, or based at the School, will be able to engage with and use the IRIS Connect video observation tool so that they can fulfill their role in the Programme in line with the Purpose. By agreeing to the use of IRIS Connect, the School undertakes:
- To create an account with IRIS Connect, when invited to do so
- To agree to accept the role of Data Controller in relation to the systems use, and to enter into a data sharing agreement with the Provider (Schedule 2)
- To enable Participants to create video recordings in the classroom that may capture the image of the Participant, other School staff and pupils
- To allow the use of the IRIS Connect mobile applications as a means to make the video recording. The applications may be installed on the Participants their own mobile device, a device supplied by the Provider or another device approved for use or supplied by the School
- To allow other Participants to provide feedback on the videos recorded by way of commentary or use of other data collection tools on the IRIS Connect platform
- To ensure that every School staff member that is a Participant who needs an account signs an End User Agreement with IRIS Connect and to require those users to comply with those terms
- The supply the name and email address of a senior member of staff that will assume the role of IRIS Connect system administrator. This member of staff must have the authority to sign up to the IRIS Connect terms of service and to manage any ongoing administrative tasks associated with the use of the system.
- And acknowledges that the Provider will provide the email address and other data required of each relevant Participant based at the school and your nominated IRIS Connect system administrator to IRIS Connect in order to facilitate the creation of user accounts.
Schedule 2
Data Sharing Schedule:
|
1.1 This Agreement sets out the framework for the sharing of Personal Data between the Parties as <delete as appropriate> Jointly Controller (both the School and the Provider) / Controlled by the School, Processed by the Provider |
|||
|
1.2 The Parties will share Personal Data in order to perform the activities and responsibilities set out in this Agreement in connection the Purpose |
|||
|
1.3 The Parties agree to process Shared Personal Data only in connection with the Purpose. |
|||
|
1.4 The following types of Personal Data may be shared between the Parties during the Term: <review and amend as needed>School shared to the Provider:
|
|||
|
1.5 The following types of special categories of Personal Data may be shared between the Parties during the Term:
|
|||
|
1.6 Each Party represents and warrants as of the date of the relevant data sharing that it is entitled to provide the Shared Personal Data to the Data Receiver for use in accordance with this Agreement. |
|||
|
1.7 Obligations under this Agreement in relation to Shared Personal Data apply to the Data Receiver in relation to such Shared Personal Data received by it from the other party and do not apply to (i) the Data Discloser in relation to such Shared Personal Data disclosed by it (other than this Clause), or (ii) to the Data Receiver in relation to the same personal data if it receives it from another source not in connection with this Agreement and/or the Purpose |
|||
2. Compliance with Laws |
||||
|
2.1 Each Party shall comply with Data Protection Legislation at all times during the Term. |
|||
3. Lawful, fair and transparent processing |
||||
|
3.1 Each Party shall ensure that it processes the Shared Personal Data (i) in compliance with all Data Protection Legislation; and (ii) fairly and lawfully in accordance with Clause 3.2 during the Term. |
|||
|
3.2 Each Party shall ensure that it has legitimate grounds under the Data Protection Legislation for the processing of Shared Personal Data. |
|||
|
3.3 Each Party shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the Data Subjects, in accordance with the Data Protection Legislation, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 13 of the GDPR including: |
|||
|
3.3.1 if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable the data subject to understand the purpose and risks of such transfer; and; |
|||
|
3.3.2 if Shared Personal Data will be transferred outside the EEA pursuant to this Agreement, that fact and sufficient information about such transfer, the purpose of such transfer and the safeguards put in place by the controller to enable the data subject to understand the purpose and risks of such transfer. |
|||
4. Data subject rights |
||||
|
4.1 The Data Receiver shall promptly inform the Data Discloser if it receives any request for access to Shared Personal Data from the relevant data subject, with such details of the request as it can lawfully provide or any communication from any data subject or data protection (or other similar) authority alleging (or expressing an intention to investigate an allegation of) breach of Data Protection Legislation by the party in respect of such Personal Data. |
|||
|
4.2 The Data Receiver shall respond to exercises by Data Subjects of his or her rights under Article 15 of the GDPR (subject access requests) in relation to Shared Personal Data in accordance with the Data Protection Legislation. |
|||
|
4.3 The Parties each agree at no additional cost to provide such assistance as is reasonably required to enable the other Party to comply with requests from Data Subjects to exercise their rights under the Data Protection Legislation in relation to Shared Personal Data within the time limits imposed by the Data Protection Legislation and to comply with information or assessment notices served by any data protection authority. |
|||
|
4.4 Each Party shall maintain a record of individual requests for information, the decisions made and any information that was exchanged in relation to Shared Personal Data. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request. |
|||
5. Data retention |
||||
|
5.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Purposes. |
|||
|
5.2 Notwithstanding clause 5.1, the parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry. |
|||
6. Transfers |
||||
|
6.1 For the purposes of this clause, transfers of personal data shall mean any sharing of personal data by the Data Receiver with a third party, and shall include, but is not limited to, the following: |
|||
|
6.1.1 using a third party as a processor of Shared Personal Data; and 6.1.2 granting a third party controller access to the Shared Personal Data. |
|||
|
6.2 If the Data Receiver appoints a third party processor to process the Shared Personal Data it shall comply with Article 28 and Article 30 of the GDPR and shall remain liable to the Data Discloser for the acts and/or omissions of the processor. |
|||
|
6.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the UK or the EEA unless it: |
|||
|
6.3.1 complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller); and; 6.3.2 complies with the provisions of Article 26 of the GDPR |
|||
7. Security and training |
||||
|
7.1 The Data Receiver undertakes to have in place throughout the Term (and thereafter for as long any Shared Personal Data is held) appropriate technical and organisational security measures to: |
|||
|
7.1.1 prevent unauthorised or unlawful processing of the Shared Personal Data and the accidental loss or destruction of, or damage to, the Shared Personal Data; and 7.1.2 ensure a level of security appropriate to the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the Shared Personal Data to be protected; |
|||
|
7.2 The level of technical and organizational measures shall include, but are not limited to, the deployment of appropriate encryption solutions to protect Personal Data and the implementation of adequate security programmes and procedures to ensure that unauthorised persons do not have access to the Personal Data or to any equipment used to process the Personal Data. |
|||
|
7.3 It is the responsibility of the Data Receiver to ensure that its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security measures set out above together with any other applicable national data protection laws and guidance and have entered into confidentiality agreements relating to the processing of Personal Data. |
|||
|
7.4 The level, content and regularity of training referred to above shall be proportionate to the staff members’ role, responsibility and frequency with respect to their handling and processing of the Shared Personal Data. |
|||
8. Personal data breaches and reporting procedures |
||||
|
8.1 The Parties shall each comply with its obligation to report a Personal Data Breach in relation to Shared Personal Data to the appropriate Supervisory Authority and (where applicable) Data Subjects under Article 33 of the GDPR. |
|||
|
8.2 Data Receiver shall each inform the Data Discloser of any Personal Data Breach in relation to Shared Personal Data as soon as it becomes aware, irrespective of whether there is a requirement to notify any Supervisory Authority or data subject(s). |
|||
|
8.3 In the case of a Personal Data Breach in relation to Shared Personal Data, Data Receiver shall promptly investigate the incident, provide Data Discloser with detailed information and take reasonable and prompt steps to mitigate the effects and to minimize any damage resulting from it. The parties agree to provide reasonable assistance as is necessary to each other to facilitate the handling of any Personal Data Breach in relation to Shared Personal Data in an expeditious and compliant manner. |
Information and signature
Nominated school administrator:
A senior member of staff that will assume the role of IRIS Connect system administrator. This member of staff must have the authority to sign up to the IRIS Connect terms of service and to manage any ongoing administrative tasks associated with the use of the system.
First Name |
|
Last Name |
|
Job Title |
|
Email address |
Signature:
Sign to confirm that the School agrees to the setup, use and data sharing set out in the Schedules of this agreement for the duration of the Programme.
School name |
|
Name |
|
Job Title |
|
Date |
|
Signature |