Templates and guidance
WASPI templates have been agreed by the WASPI Management Board. They are pre-populated with set headings and standard text with clear indications where text needs to be added. As the aim of the templates is to promote consistency and ensure the relevant considerations have been taken into account, you should not make any alterations to the templates. Any suggested amendments to the template should be discussed with your information governance team and passed onto the WASPI team (where appropriate).
Guidance has been produced for each of the templates helping you understand how to populate the relevant template. This flow diagram has been designed to help determine whether an ISP or a DDA would be the appropriate template.
Information Sharing Protocol (ISP)
ISPs help organisations to set out, in a consistent and clear manner, the detail of personal information shared for specified purposes to deliver public services. They require the identification of a lawful basis for sharing and assume a Data Protection Impact Assessment / Privacy Impact Assessment has been carried out in advance of personal information being shared.
ISPs underpin the regular, reciprocal sharing of personal information between Data Controllers.
ISP Template – Version 5.3
Information Reference Table – Version 5 (excel version)
Guide on the Development of an ISP - This document will provide you the considerations to undertake before developing an ISP and a step-by-step guide to completing the ISP template.
Quality Assurance Guidance for ISPs - This document describes the process of quality assuring an ISP once a final draft has been agreed.
Please ensure you consult your information governance team and refer to the guidance before developing any ISPs.
Data Disclosure Agreement (DDA)
DDAs are intended for use when personal data is to be disclosed (i.e. passed one way) from one Data Controller to another for a specific purpose. DDAs are not intended for use in instances where the disclosure is from a Data Controller to a Data Processor and do not replace the requirement for appropriate contracts.
Please ensure you consult your information governance team and refer to the guidance before developing any DDAs.
Joint Controller Arrangement
Under data protection legislation, Joint Controllers should set out their respective responsibilities for compliance to the legislation within an agreement. This checklist provides some considerations to take into account when developing a Joint Controller arrangement.
Before using this checklist, you should ensure whether the processing is between Joint Controllers and whether an alternative arrangement / contract is more appropriate.