Create an information sharing agreement

Foreword from the Government Chief Privacy Officer

Why share information

Information sharing is a critically important activity for government. We cannot simply function in artificial silos created by our organisational structures. Government agencies need to work together to provide better services for people. That means making sure that relevant information is available to the right people at the right time in the right way.

Of course, if we do not get our privacy thinking right, we can cause real harm to people or undermine their ability to trust government. Failing to think things through properly also compromises our ability to get the benefits that we’re aiming for. None of that is acceptable.

That’s why the Privacy Act provides a variety of ways for agencies to share information safely and respectfully. Privacy is not about keeping things secret. It’s about doing the right thing with people’s information.

It’s also common for more specific legislation to permit information sharing. But we still need to think about how to share safely and effectively.

Why this guidance

Information sharing is an activity that can feel daunting, time consuming and legally or technically complicated, particularly for people who have never set up a share before.

However, we firmly believe it does not need to be that way. In our experience, the key is to know the right questions to ask and know who to talk to so you get the right answers.

This is why we have produced this guidance with the help of expert information sharing advisers from a variety of government agencies. It shows you how to think through your proposed information share, from start to finish. It enables you to embed good privacy settings in the design of the share, rather than trying to retrofit them. It helps you to create properly considered information sharing agreements more quickly and efficiently.

Every agency has slightly different ways of producing and writing their documentation. Do not feel boxed into following our format or writing style if that does not work for you. However, we have designed the content of the templates and guidance to meet best practice. So do not be too quick to discard an idea that may be relevant to your situation.

Where to get more help

If you’re new to information sharing, or if you’re unclear about what to do, contact us at gcpo@dia.govt.nz and we can help you work through the process.

Thanks

Our warmest thanks to our All-of-Government Information Sharing expert advisory group for their time and commitment to the development of this guidance.

Katrine Evans, Government Chief Privacy Officer, March 2024

Purpose

The purpose of this guidance is to support and enable government agencies to establish best practice information sharing agreements. The guidance steps you through how to think through the right questions so you can share information in a considered and people-focused way.

The guidance aligns to the structure of the information sharing agreement template. This should help you to work through the development of your information sharing agreement in a systematic and consistent manner.

Information sharing agreement template [XLS 109KB]

Scope

This guidance covers information sharing agreements between government agencies. It also covers information sharing agreements between government agencies and other organisations where the sharing is not intended to be legally binding (such as a service level agreement, master services agreement, or contract for services).

Not in scope

This guidance does not cover:

• information sharing agreements to support legally binding contracts with third-parties, such as service providers
• approved information sharing agreements (AISAs)[Footnote 1]Footnote
  
• disclosure of information to individuals under the Privacy Act 2020 or the Official Information Act 1981.

Aspects of the agreement template may also be relevant to information sharing under contracts with a third-party. However, this will change the legal status of the agreement.

If you want to use the agreement template for this purpose, we strongly recommend that you work with your legal team to identify what clauses are relevant, and ensure the appropriate amendments are made to the agreement template.

Why we need information sharing agreements

Information sharing is a key function for government agencies.

Good information sharing practices, including the development and management of information sharing agreements:

• create transparency and build public trust and confidence in how agencies are sharing personal information
• enable agencies to deliver effective, fit-for-purpose public services that improve outcomes for individuals
• build awareness within an agency of what information is being shared, who the information is shared with and for what purpose.

The purpose of an information sharing agreement is to document authorised sharing of information. An information sharing agreement records:

• what information is being shared
• what legal authority the sharing is permitted under
• who the information will be shared with and for what purpose
• how the information sharing will be operationalised
• the controls and mechanisms that ensure the personal information is shared safely.

Using our best-practice agreement template will enable you to show that your agency has taken a privacy-by-design approach to information sharing practices. It’s important to be able to show people whose information is being shared that you have carefully considered the purpose, use and on-going management of their information.

From a practical perspective, recording how the information sharing works in an agreement also makes sure all the parties to the sharing have the same understanding about what is happening and why.

How to use the information sharing agreement template

The agreement template has been designed to enable agencies to develop information sharing agreements in a privacy-focused and time-efficient way so you do not need to start from scratch each time. The majority of the clauses of an information sharing agreement will remain the same for each instance of sharing.

The agreement template contains best practice model clauses that ensure information sharing activities are privacy-focused, while also providing flexibility for agencies to tailor how they record their information sharing activities.

The best-practice model clauses are in the agreement template. The clauses of the template that require agencies to insert wording specific to the intended sharing of information are marked by an asterisk (*). 

Most of the time associated with developing an information sharing agreement is spent working through legal authority, purpose, use and appropriate controls. Once this thinking has been completed and agreed between the agencies, you generally just need to complete the clauses marked by an asterisk (*) throughout the agreement template. Also make sure that details such as clause numbers are all correctly recorded.

Structuring your information sharing agreements

Agencies will have different approaches to managing information sharing activity, including the use of information sharing agreements.

The agreement template can be integrated into your agency’s information sharing practice in a way that best meets the needs of the agency. For example, an agency may choose to:

• have 1 information sharing agreement between itself and another agency, with individual shares of information contained within the schedules
• develop a new information sharing agreement for each information sharing activity
• have a relationship agreement between itself and another agency and include the information sharing agreement as an appendix to the relationship agreement.

There is no right or wrong way. The most important thing is that the thinking and content of information sharing agreements across the government sector are consistent and represent best-practice information sharing.

Using the agreement template with service providers

Agencies will often have contracts with third-party service providers to deliver services on behalf of the agency. In many cases the agency and the third-party service provider will need to:

• share information with each other to facilitate the delivery of the services
• monitor the performance of the contract
• evaluate the effectiveness of the services.

The agreement template may help you to document the sharing of information between your agency and the third-party service provider. Many of the same questions may be relevant.

However, we strongly advise you to engage with your legal team if you want to create an information sharing agreement with a third-party service provider. An information sharing agreement used in these circumstances will almost certainly become part of a legally binding agreement such as a contract. Not all clauses of the agreement template may be relevant, and some may need to be amended so they are appropriate for the legally binding status of the agreement.

Consider running an information sharing workshop

It can be helpful for the intended parties to workshop how the share will operate — so that the agreement can be developed properly.

When thinking about your initial workshop, remember that agencies are structured differently. Information sharing expertise and responsibilities may be across different business units, such as Privacy, Legal, Data and Analytics, Information and Communications Technology (ICT), Information Security, and Information Management. It’s important to get the right people to ensure all risks associated with the proposed sharing activity are identified early.

It’s helpful to involve agencies’ data teams early in the planning and development stage as they can help identify potential issues with the information to be shared. For example, there may be an issue with:

• whether an agency actually holds the information
• how accurate the information is
• how easy the information is to extract
• what supply methods may already exist or need to be created.

Before setting up a workshop

Before you set up a workshop with other parties, clearly state:

• what you think your information problem is
• the purpose for which you require information
• what information you may need from other agencies (steps 1 to 3 under ‘Purpose of Sharing’).

There is no point taking people’s time in a workshop if you have not already thought about these basic questions. Be flexible and prepared to change your thinking as the discussion progresses, since there may be different viewpoints that you have not thought about. But at least be clear about your starting position.

Before the workshop

Tell the participants what the purpose of the proposed information sharing is and your proposed data requirements. Participants can identify the right people to attend and the workshop will be more productive.

Develop your information sharing agreement

Use this guidance to complete the agreement template. The guidance walks you through each section of the template and asks questions that agencies need to consider.

Add an information sharing activity to an existing agreement 

Your agency may want to add a new information sharing activity to an existing information sharing agreement rather than writing a new agreement from scratch. Work through these sections of the guidance to develop a sharing activity schedule. That schedule can then be appended to the original agreement.

Check there is no conflict between the text of the original agreement and the contents of the schedule. If there is, it would be better and easier to terminate the original agreement and replace it. You can then be confident that the information sharing is set up properly.

Interpretation section

This section of the information sharing agreement defines terms unique to the agreement to ensure agencies interpret key terms correctly, and that acronyms used within the agreement are clearly explained and understood. This is particularly important for terms that have a particular meaning in law, or within the context of an agency’s functions.

The agreement template is designed to be flexible and meet the needs of agencies and the circumstances of the sharing. For example, you may prefer to use the terms ‘data’ and ‘supply’ throughout the agreement if these terms better reflect the nature of the agreement, or better align with the legal authority enabling the information to be shared. If alternative terms are used, we recommend that you include these in the interpretation section of the agreement, so everyone is clear what the terms mean within the agreement.

Define te reo Māori

From a te ao Māori perspective, it is also important to agree and define any te reo used. For example, does ‘tamariki’ refer to all children, or only Māori children? Incorrect or inconsistent use of te reo can:

• create confusion or misalignment of expectations
• lead to misleading research and policy outcomes
• cause distress to the individuals whose information is being shared.

Background section

A clear concise background sets the context for the information sharing.

You should describe:

• why information sharing between the parties is required
• what the information gap is
• the initiative or purpose for which the information will be used
• how individuals, society as a whole, and the agencies will benefit from the information sharing.

Where the information sharing is to support enforcement functions you should be clear that individuals may be adversely impacted by the information sharing.

Record in this section whether the information sharing agreement will replace an existing agreement. If it’s replacing an existing agreement, terminate the old agreement and remove it from the active agreements section of your information sharing agreement catalogue (if you have one, which we strongly recommend).

Purpose of sharing

Having a clearly defined purpose (or purposes) for the sharing of information is critical, so you can show that the sharing is justified and carefully considered. It also helps to stop ‘scope creep’ — that is, to stop the sharing changing over time without proper consideration or authorisation.

Each sharing activity must have a clearly defined purpose statement. It does not matter if the information sharing agreement is for:

• a one-off share
• an ongoing information sharing activity
• an overarching agreement containing multiple sharing activities, each of which must have a clearly defined purpose statement.

There are a couple of steps to work through to ensure your purpose statements are fit for purpose. Working through these steps will help inform the:

• legal authority
• information to be shared
• use of the information shared sections of the agreement template.

Step 1: Define your information problem and identify your information requirements

To help ensure purpose statements are well defined and appropriate, first determine the problem the information sharing is intended to fix.

Identifying the true underlying problem is not always obvious. Every information problem is unique. Test your assumptions with a variety of people in different roles so you can be sure the information problem has been identified and framed correctly.

The following checklist can help you work through the process of developing your purpose statements.

Checklist for developing purpose statements

• Do you actually need personal information to solve your problem — or can you use aggregate or de-identified information to get the same result?
• What personal information do you need to solve your problem?
• How will the personal information be used to solve the problem?
• What personal information are you missing?
• Is the missing personal information already collected and held by:
  • Your own agency?
  • Another public sector agency?
  • A private sector organisation?
• If the personal information is already collected:
  • What’s the purpose of that collection?
  • Is the purpose directly related to the purpose for which your agency now needs the information?
  • Are there any restrictions on the use or disclosure of that information?
  • Are there any issues with the definitions of the personal information? — For instance, do both agencies mean the same thing when they talk about that personal information?
• Is the information accurate, reliable and up to date?
• Are there any business improvements required to the collection — such as collection processes, data quality and assurance, or timeliness?
• Is the personal information held in a format:
  • That can be shared easily?
  • That is useable by your agency?
• If the personal information is not already held:
  • How easy will it be to collect the required information?
  • Which agency should collect the information?
  • Does a legal authority exist for the collection of the required information?
• Are there any adverse actions that parties could take because of the personal information being shared?

Step 2: Map your information flows

An information flow is a visual representation of what information is intended to be shared and how it will be shared. It’s often easier to spot issues or gaps when looking at a diagram.

Mapping the flow of information through your project or initiative life cycle can help you identify where your information-sharing privacy risks are and what protections may be required. Sharing your information flow mapping with other agencies can also help make the privacy discussions more interactive and engaging. You can refine your information flow map as you work through the process of developing your information sharing agreement.

When developing your information flow diagram you should consider and identify the:

• source systems that hold the authoritative personal information that is intended to be shared
• dataset to be shared showing which source systems the personal information is being extracted from
• mechanism by which the data set will be transferred to the receiving agency
• location the receiving agency will store the dataset
• sources systems and information that the receiving agency will link to the shared dataset
• people in the receiving agency that will have access to the final dataset that will be used for the specified purpose of the share.

The following diagram provides a basic starting point for creating your information flow diagram.

The information flow map will also help you structure your privacy impact assessment if one is required.

Step 3: Develop and refine your purpose statements

Use the information from steps 1 and 2 to create a clear well-defined information problem statement. This lets you see whether information sharing is the most effective solution, and if so, lets you develop a clear and specific purpose statement.

The purpose statement is the foundation on which the rest of your sharing documentation is built.

It’s usually best to link your purpose statements to a specific initiative or solution the party receiving the information wants to deliver.

Where the information sharing agreement is intended to be an overarching agreement covering all information sharing between the agencies, the purposes noted within the ‘Purpose’ section can be more general in nature.

The specific purpose of the individual shares, and the direction of information flow between the agencies, can then be described in the relevant sharing activity schedule.

Legal authority to share

There must be a legal authority to share information.Footn[Footnote 2][Footnote 2] The information sharing agreement does not itself provide the legal authority to share information.

The information sharing agreement must clearly state the legal authority for each of the purposes for which information is being shared. The agreement template provides 3 options for documenting the legal authority:

1. Where the information sharing agreement is intended to be overarching with multiple individual information sharing activities documented in the sharing activity schedules (there may be different legal authorities that you need to note)
2. Where the information sharing agreement is intended to cover a single purpose share between the parties, and the Information Privacy Principles (IPPs) permit the sharing of information
3. Where the information sharing agreement is intended to cover a single purpose share between the parties, and other legislation provides the legal authority for the sharing of information (such as the Oranga Tamariki Act, Family Violence Act, Immigration Act, Data and Statistics Act).

Choose the appropriate option and delete the remaining 2 legal authority options from the agreement template.

Using the information flows map, the following checklist can help an agency work through the legal authority assessment of the proposed information-sharing business process or initiative.

Checklist — legal authority assessment

• Identify the legal authority for sharing — start with any agency enabling legislation and then consider the Information Privacy Principles (IPPs).
• Determine whether the identified legal authority enables you to share all the information identified in your information requirements.
• Determine whether there are existing information sharing agreements that cover the proposed sharing (full or partial).
• Identify whether there are any statutory restrictions or prohibitions to sharing the information.
• If the IPPs or agency enabling legislation do not enable all the required information to be shared, determine the points of your proposed sharing that require a modification to or a departure from the relevant IPPs (this will tell you whether an AISA is required).

Guidance on determining the appropriate legal authority — Legal authority to share information.

Information to be shared

Through the development of your purpose statements, you should have determined the information that needs to be shared to achieve those purposes. The information sharing agreement must clearly document the information being shared at a level that does not create ambiguity or uncertainty.

Data table

The data table forms part of the sharing activity schedule and is designed to record the information being shared at a data variable level. This is an essential component of the agreement. Without it, anyone reading that agreement (whether the other party, senior leaders, or affected people) will be unable to understand what has been agreed, and whether that share is necessary or appropriate.

You will need to engage with your teams that manage your agency’s data to help complete your data table.

During the creation of the data table, you can identify and resolve any data standard or formatting conflicts and make a final assessment on whether the data variable is necessary for the relevant purpose.

Operationally, a data table enables the teams that manage your agency’s data to extract and supply the correct information, in the correct format at the correct time quickly and efficiently. It also helps you identify any redundant data variables during a review of the information sharing agreement.

The sharing activity schedule in the agreement template includes key data-variable metadata such as field name, description, type/length, format, a Māori data indicator. The data table also includes a notes section for additional information about the data variable to be recorded.

If information is being shared for multiple purposes under the agreement, have a data table that clearly shows what information is being provided for what purpose. This is particularly important where information being shared is authorised under different legislative provisions for different purposes. For example, ‘the sharing of information in dataset A is authorised under [provision of agency’s legislation] and the sharing of information in dataset B is authorised under an [exception in IPP 11]’.

Use of the information

Information shared under an information sharing agreement must only be used for the purposes specified in the ‘Purpose’ section of the agreement or the sharing activity schedules. You’ll need to consider whether it’s appropriate for the collecting agency to re-use any information supplied for secondary uses, and record or update any secondary use conditions and restrictions in the relevant sharing activity schedule.

An agency may want to use the information for a new secondary purpose after the information sharing agreement has been established. You’ll need to work through the purpose and legal authority assessments for the new proposed secondary uses of the personal information. Create a new sharing activity schedule or amend an existing sharing activity schedule where appropriate.

Transparency of sharing

It’s essential not to lose sight of the people behind the information that you are sharing.

Your information sharing agreement will already do this in a number of ways, for instance, by:

• having a clear and justified purpose
• limiting the information that is shared to what is genuinely necessary
• specifying controls that help to keep the information safe.

However, you should also set out controls that ensure that people know about the information sharing. This is because, to the greatest extent possible, people should know which agency is collecting and using their information, and for what purpose. It’s hard to exercise their other rights without that knowledge. Sometimes, they may also be able to choose whether their information is shared or not.

Putting transparency controls into all new or amended information sharing agreements will also help your agency to meet the proposed new IPP 3A of the Privacy Act once it becomes law.[Footnote 3] This is also a good place to note any controls that ensure that people will have an opportunity to have a say before any adverse actions are taken against them.

If there is a good reason not to tell people, modify the transparency clauses in the agreement template to be clear about what that reason is. Provide the clearest possible information without undermining the interests that you’re protecting. For example, it may still be possible to reflect in a privacy statement that the share happens, even though details are not given because it could undermine the ability to enforce the law.

Security of the information

This section sets out the security controls required to ensure the personal information is protected both during the supply of information and within the agencies’ IT environment. This section contains 2 parts: security classification and security controls.

Security classification

Agencies must ensure that they comply with the New Zealand Government Security Classification Systems and Protective Security Requirements (PSR) when sharing information. The security classification will determine the additional controls required to protect the information and comply with the PSR. You’ll need to identify the appropriate security classification and select from the drop-down box in the agreement template.

Overview of the Protective Security Requirements — PSR Protective Security Requirements

Your ICT or information security team should be able to help you identify the correct security classification for the information being shared.

Security controls

Appropriate security controls are an important part of sharing personal information. A loss or compromise of information in transit or at rest can have serious impacts on people’s privacy and on the agency’s reputation. The agreement template contains the minimum level of security controls that should be in place for all information sharing. Depending on the nature of the information shared, you’ll need to consider what additional security controls may be required and add these into the template.

Your ICT or information security team will be able to help you determine appropriate security controls to ensure the information is protected when it is transferred to the receiving party.

Māori data and tikanga considerations

In many cases Māori data and information is a taonga and may require additional controls and restrictions to ensure the mana of the individuals is respected. Where you are proposing to share Māori data and information you should consider whether tikanga should be applied to the sharing and subsequent use of the data. This consideration is especially important when you are developing an information sharing agreement with a Māori organisation or an iwi or hapū.

Tikanga is a set of values, principles, understandings, practices, norms and mechanisms from which a person or community can determine the correct action in te ao Māori.[Footnote 4] Tikanga is not fixed. What tikanga will be appropriate will depend on the circumstances and should be determined through meaningful engagement with the people who may be impacted by the sharing and use of the information.

Each agency will have its own definition of Māori data, Māori Data Governance strategies[Footnote 5] and Māori engagement practices that will guide considerations and incorporation of tikanga into any sharing agreement. However, it’s not up to the Crown to determine what tikanga applies. So you should engage early with your Māori advisory teams to ensure engagement with Māori is undertaken appropriately and in line with agreed protocols and practices.

Method and frequency of sharing

Method

You’ll need to agree on the method of transfer of the information. The transfer mechanism must be one that appropriately protects the information. If the information has specific handling requirements under the PSR, agencies must ensure that those requirements are met.

Sometimes agencies will have different transfer technologies that are not interoperable. It’s important to identify early in the development of your information sharing agreement where different transfer technologies may create challenges to sharing information.

Frequency

You’ll need to agree the frequency of the sharing — is it a one-off or ongoing share? Where it’s an ongoing share you should be specific about when the information will be supplied, for example, the first Tuesday of every month, or the first week of each quarter. Being specific about when the information will be supplied enables the agency supplying the information to build the supply into their work programme.

Where the information sharing agreement has different datasets being supplied at different times, in the agreement template you can point to the sharing activity schedules for specific supply frequency information.

Retention and disposal of information

Information supplied under an information sharing agreement should only be held by the receiving agency for the period for which the information is required. You should ensure that all agencies understand their respective retention and disposal authorities and how they apply to the information being shared.

Requiring disposal of information once it has been used for the specified purpose can be a privacy enhancing control to mitigate the risk of that information being re-used or disclosed for secondary purposes.

You’ll also need to think about how the receiving agency will provide assurance that the information has been disposed.

Privacy and security breach management

It’s important that the agencies understand and agree to the steps they’ll take in the event of a privacy or security breach, including the obligations relating to notifiable privacy breaches.

Identify the agency responsible for reporting any notifiable privacy breaches, so you do not have to figure this out when a breach happens and everyone is under pressure. This will be particularly important if there are third-party service providers involved in the processing of the information supplied under the information sharing agreement.

The agreement template provides standard clauses that cover the agencies’ obligations in relation to privacy and security breaches. You’ll need to confirm with your privacy team that these standard clauses align with your agency’s privacy breach management policies and practices.

Where an information sharing agreement is being used to document information sharing between an agency and a contracted third-party service provider (often as part of the contract), additional clauses around obligations to report and notify suspected or actual privacy breaches may need to be added to the agreement. You will need to engage with your legal team, and they will work with you to amend the clauses in this section.

Dispute resolution

Agree in advance how you’ll manage any disputes or other problems that may arise from the operation of the information sharing agreement. This saves time down the line if an issue should arise and mitigates the risk of delays in the provision of services to the public.

Third-party contracting

It’s important to identify whether information shared under the agreement will be supplied by the receiving agency to a third-party. For example, this may occur where the receiving agency has contracted a third-party service provider to undertake research on its behalf using information supplied under the agreement. There is little point carefully controlling the share of information between agencies if your controls can then be undermined if a third-party fails to take proper care of that information.

The receiving agency needs to ensure that the third-party service provider has the necessary privacy and security frameworks in place. The agency also needs to ensure the third-party service provider is aware of any obligations set out in the information sharing agreement.

Appropriate privacy and data-management model clauses should also be included in the contract with the third-party service provider. The name of any third-party service provider that information will be supplied to should be documented in the sharing activity schedules.

Sharing activity schedules

A sharing activity schedule should be created for each supply of information for a specific purpose under the information sharing agreement. A sharing activity schedule can be added, amended, and terminated without the need to amend the main body of the agreement. This saves time when you need to make amendments or terminate one of the sharing activities.

For each specific share of information, the sharing activity schedule documents the:

• purpose of the information sharing
• specific information being shared (data table)
• legal authority for the information sharing
• method and frequency of the information sharing
• agreed conditions or restrictions on the secondary use of the information shared
• retention and disposal requirements for the information shared.

If you have an overarching information sharing agreement with another agency or you choose to append the information sharing agreement to an overarching relationship agreement, the agreement may have multiple sharing activity schedules documenting the information sharing activity between the agencies.

Approval of sharing activity schedules

The agreement template is designed so that sharing activity schedules can be added, amended, or terminated without necessarily having to seek approval and a new sign-off from the signatory for the information sharing agreement.

The variation section of the template provides that the relationship managers can make variations to existing sharing activity schedules including:

• amendments to existing schedules
• adding new schedules
• terminating existing schedules.

The relationship manager must be a person who has sufficient seniority to have this delegated authority. They need sufficient data management knowledge and experience to support robust decision-making around additions, amendments and terminations of sharing activity schedules.

While it’s recommended that the relationship manager is responsible for approving additions, amendments and terminations of a sharing activity schedule, your agency may prefer that this responsibility is undertaken by another role. For example, some agencies may want the business owner of the information being shared to approve any additions or amendments to data they are responsible for.

If an agency wants to delegate approval and amendment of sharing activity schedules to another role this should be reflected in the information sharing agreement.

Administrative clauses

This section sets out the term of the information sharing agreement, the review process and termination dates and process of the agreement. Generally, the relationship managers are responsible for the administration of the information sharing agreement.

Review

You’ll need to consider what an appropriate review cycle for each share will look like. Scheduling a review date is important to make sure that the purpose and nature of the share has not changed (that is, to prevent uncontrolled scope creep), and that the controls are operating as they should.

For information sharing that supports significant service delivery initiatives, yearly reviews are a good governance control. Where the sharing of information is to support ongoing research and analysis, the time between reviews could be longer. For a single one-off share, there is no need to review the information sharing agreement so those clauses can be deleted.

Where a new information sharing activity requires a high frequency supply of information, it can be useful to have a 6-month initial review. Often with high-frequency sharing activities, issues with information requirements, data variable interpretation and business processes can arise early on in the operation of the agreement.

Variation

It’s inevitable that you’ll need to make variations to your information sharing agreement from time to time. Variations do not need to be complex and time consuming. The agreement template has been designed to make variations a simple and easy process.

There can be a variation to either:

• the clauses of the substantive sections of the information sharing agreement
• a schedule.

Variations to the information sharing agreement

Variations to the clauses of the substantive sections of the information sharing agreement should be approved and signed off by the signatory of the agreement or their delegate. These clauses set out the agreed purposes and controls to ensure personal information is being shared appropriately. A higher level of approval should be in place for any variations to the substantive sections of the agreement.

Variations to the schedules

By default, the information sharing agreement provides that the schedules (the sharing activity schedules and relationship manager and technical contact schedule) can be amended by the relationship manager. You want to be able to make variations to these schedules in a time-efficient manner to ensure information continues to be shared without unnecessary delay.

As mentioned earlier, you’ll need to think about what role in your agency is appropriate for approving new sharing activity schedules. Some variations may carry more risk than others — such as when an agreement itself is an overarching agreement and all core details are contained in the schedules. If you want this function to be undertaken by someone other than the relationship manager, you need to ensure that the person understands the purpose, the information, and the controls necessary to ensure the information is kept safe.

Termination

This clause relates to the termination of the information sharing agreement in its entirety — not the termination of a sharing activity schedule. Agencies often overlook the termination of an information sharing agreement especially when the agreement is for a one-off share of information.

Make sure you have processes in place to ensure:

• the information sharing stops
• information shared under the agreement is disposed of correctly (where required)
• the agreement is terminated and removed from the active agreements list in your information sharing agreement catalogue.

Approval of information sharing agreements

Agencies will have different approaches to who should sign an agency-to-agency agreement. However, an information sharing agreement should be vetted by a person in a senior role related to information and data, whether or not they are the person to sign the agreement itself.

It’s important that the person approving the agreement has sufficient personal knowledge to be confident that it’s appropriate to approve the agreement, or that they have received specialist advice enabling them to have that confidence. This provides a level of integrity to the agreement and provides other agencies and the public with confidence that government agencies are sharing information appropriately.

Where the information sharing agreement is developed as an overarching agreement, it will generally be appropriate for the agencies’ chief executives or deputy chief executives to approve and sign the agreement. Where the agreement covers a one-off share or a single ongoing share of information, for instance for research purposes, it may be more appropriate for the chief data steward or the business owner of the data to approve the agreement.

Ultimately, each agency will need to determine the appropriate level of approval and sign-off for individual information sharing agreements.

Managing your information sharing agreements

Review contents and processes

Reviewing your information sharing agreements ensures that your information sharing remains fit for purpose and that you’re only sharing the information necessary to achieve the purpose of the sharing.

The agreement template includes a section for stating the appropriate review period for each of your information shares, and which agency is responsible for initiating the review. In most cases the disclosing agency should be the agency initiating the review as it carries the most privacy risk in relation to the information sharing.

When there is more than 1 receiving agency, it’s recommended that 1 agency is designated as the lead agency for the purposes of initiating the review of the agreement. You can add a clause into the ‘Review’ section of the agreement or the relevant sharing activity schedule stating who the lead agency is.

While the relationship manager should initiate and lead the review, this will depend on how the information sharing function is structured within your agency. Where the review of the agreement is to be undertaken by a different role, this should be stated in the agreement or in the sharing activity schedule.

Steps for reviewing an information sharing agreement

A review of an information sharing agreement should involve the following steps.

1. A thorough read through of the agreement.
2. Contact with the other party or parties to confirm whether:
   • the information sharing is still required
   • there have been any material changes to the purposes for which the information is being shared
   • there have been any material changes to the use of the information by the collecting agency
   • any issues have arisen with the data variables supplied by the disclosing agency such as formatting issues, interpretation issues, redundancy, accuracy.
3. Working with the other party to make any amendments to the agreement or the sharing activity schedules.
4. Sign off the amendments and update the agreement.
5. Record in your information sharing catalogue that the review has been completed, with the reference pointing to the new version of the document, and the date of the next review.

It can be helpful to arrange a workshop to undertake the review process.

Adding new sharing activity to your information sharing agreement

If you have an overarching information sharing agreement with another agency, you do not need to create a new agreement for every new information sharing activity. You can add new information shares to your existing agreement by creating a new sharing activity schedule or by amending an existing sharing activity schedule.

New sharing activity schedules or amendments to existing sharing activity schedules can be approved by the relationship manager or a person delegated this function in the agreement. This will depend on your agency’s approval and sign-off processes and the level of risk involved in the share. Setting your information sharing agreements up this way can save you time in developing and implementing new information sharing activities.

This approach also helps you to manage the information you are sharing with another agency as all information shares, and the purposes for each share, is documented in 1 agreement.

Information sharing agreement catalogue

It’s important to have awareness and oversight of all your information sharing agreements. You may need to:

• report to senior leadership on your information sharing activity
• respond to an Official Information Act (OIA) request
• know when to schedule resourcing for information sharing reviews
• know whether there is already a share in place — so you do not need to create another or so you can make quick changes to your existing sharing.

Having all your information sharing agreement information in one place creates efficiencies and supports good governance of your information sharing practices. An easy way to achieve this is creating an information sharing agreement catalogue. Your catalogue can be as simple or detailed as you want it to be. An Excel spreadsheet is a good place to start.

When creating your catalogue think about the pertinent information you want to be able to access in a single view. Your catalogue should include, as a minimum, the following information about each of your information sharing agreements: 

• name of or number assigned to the agreement
• parties (collecting or disclosing)
• overarching or single data share indicator
• purposes
• business groups using the information
• legal authorities
• summary of data shared
• review date
• last amended date
• termination date (if applicable to the information sharing agreement)
• relationship manager
• date of last amendment
• purpose of amendment
• link to the information sharing agreement
• link to the PIA (where a PIA has been undertaken).

Every time a new information sharing agreement is approved, information about the agreement should be added to your catalogue. This keeps your records up to date and enables you to find the relevant versions of the agreements (and risk assessment documentation) easily.

Where possible, digital copies of your signed information sharing agreements should be located in one place, with clear and consistent naming rules. The catalogue and the agreements should be accessible (in a read-only format) to staff, so that they can see what information sharing is already in place and for what purpose. This helps to raise awareness of information sharing across the agency and the requirement to have an information sharing agreement in place for all information sharing activity.

You can make your catalogue and information sharing agreements available to the public to help raise public awareness and build trust and confidence in your agency’s ability to appropriately share personal information. If it’s not appropriate to share all the details publicly, provide a summary.

Glossary

Agency

Includes government agencies and departments, departmental agencies, and non-government organisations.

Information

Includes data, personal information, aggregate information, and de-identified information.

Information sharing agreement

A non-legally binding agreement between 2 or more agencies, or between 1 or more agencies and organisations that sets out the purpose for the sharing, what information will be shared, how and when the information will be shared, and the agreed privacy enhancing controls that will be implemented to protect the information.

Māori Data

Digital or digitisable data, information, or knowledge (including matauranga Māori) that is about, from or connected to Māori. It includes data and information about population, place, culture, and environment.[Footnote 6]Footnote

Organisations

Non-government entities, or groups.

Relationship Manager

The person responsible for the management and operation of the Information Sharing Agreement.

Technical Contact

The person with specialist knowledge and understanding of the data and information being shared under the Information Sharing Agreement.