The Toolkit is design to record decisions at different levels: strategic to operational; hence a variety of people with different knowledge and decision making power must participate at different points in time.
Someone should take the lead on coordinating the involvement of the relevant people, e.g. if it is part of a new project, it would be advisable the project manager and the data protection officer coordinate the negotiation process.
Senior decision makers representing the parties, along with experts in data protection should be involved in the more strategic decisions, e.g. the desire for wider or narrower purposes, the risk appetite across organisations and the consequent liabilities (joint, in common or independent data controllers). They should also agree how they expect the rest of the teams to work and agree on the more operational aspects of the sharing and how they expect differences will be resolved.
The more operational teams should be able to agree on specific work instructions, assisted by data protections and IT security experts.
Any changes in work instructions related to the handling of information shared between the parties, or the actual Information Sharing Agreement or Overarching Memorandum of Understanding, should be ratified by Information Governance experts in either partner before signed off.
When subcontracting activities thatĀ involve handling information on behalf of the organisation, the contract should be ratified by Information Governance experts before a contractual obligation is created between the parties. This is to ensure the relevant data processor obligations and checks are adequately performed before the commitment to subcontract is made.