Framework documentation
The Accord
The Accord is a common set of principles and standards which support the sharing of personal information to deliver services to the people of Wales. Signing the Accord demonstrates a commitment to apply those principles. This has helped develop a consistent approach and improve confidence that information is shared lawfully, safely and effectively.
The Accord has been updated to version 5 (published in September 2018) to take into account user feedback and changes to legislation; namely the General Data Protection Regulation and the Data Protection Act 2018.
Accepting and signing the Accord is voluntary but all public services providers are encouraged to join. To sign the Accord, please complete and return the Declaration of Acceptance and Participation to the WASPI Team.
Formal adoption of the Accord is the responsibility of an organisation’s Chief Executive or Chief Officer. You will also be asked to nominate a Designated Person – usually your Data Protection Officer or equivalent – who has delegated responsibility for ensuring WASPI is implemented in your organisation. For small organisations the Chief Executive or Chief Officer may also be the Designated Person.
Standard Templates
The principles and standards set out in the Accord are put into practice through the development and implementation of data sharing agreements.
Currently, there are four types of templates under the WASPI framework:
Information Sharing Protocols (ISPs) - these support, regular and reciprocal sharing of personal information between data controllers for a specified purpose.
Data Disclosure Agreements (DDAs) - these support one-way disclosures of information from a data controller to one or more data controllers.
Joint Controller Agreements (JCAs) – These are agreements between multiple data controllers that are jointly determining the means and purpose of personal data processing, and is intended to comply with the requirements of Article 26 of the UK GDPR.
Data Processing Agreements (DPAs) – These support developing a contract between controllers and processors that will handle their data, and is intended to comply with the requirements of Article 28 of the UK GDPR.