
between the EDPS and ICO we are very open to suggestions. Also, the
Collaboration Plan is not a requirement and we don’t have many of these active,
but they are an additional level of detail we can include in our organisational
relationship if needed.
Also below is a link to our list of MoUs (both national and international):
Working with other bodies | ICO
Our MoUs with the US FTC, Ireland and Malta are below just to give an idea of
flexibility in our final agreement:
MoU US Federal Trade Commission - 2 December 2020 (ico.org.uk)
ico-dpc-ireland-202207.pdf
ico-malta-idpc-signed-mou-23062023.pdf
If you have any questions please feel free to ask as we would be more than
happy to provide any further information. Also if it would be worth us arranging a
further call in the future once you and your colleagues have had a chance to
review the documents, I would be happy to book this in.
Best regards,
Group Manager, International Regulatory
Cooperation Directorate
Information Commissioner’s Office, Wycliffe House,
Water Lane, Wilmslow, Cheshire SK9 5AF
Date:
Memorandum of Understanding
between:
The Information Commissioner
for
The United Kingdom of Great Britain & Northern
Ireland
- and -
XXXXXX
for
XXXXXX
for Cooperation in the Regulation of
Laws Protecting Personal Data
1. Introduction
1.1 This Memorandum of Understanding (“MoU”) establishes a
framework for cooperation between
(I) The Information Commissioner (the “Commissioner”) and
(II) XXXXXXXXX (“[SA]”),
together referred to as the “Participants”.
1.2 The Participants recognise the nature of the modern global economy,
the increase in circulation and exchange of personal data across
borders, the increasing complexity of information technologies, and
the resulting need for increased cross-border enforcement
cooperation with the aim of providing consistency and certainty.
1.3 The Participants acknowledge that they have similar functions and
duties concerning the protection of personal data in their respective
countries.
1.4 The Participants highlight the unique geographical, cultural, and
economic links between their countries, and the importance of
consulting on, and taking account of, their respective regulatory
activity in order to better protect the citizens of the United Kingdom
and XXXXX and support businesses in compliance with laws
protecting personal data.
1.5 This MoU reaffirms the intent of the Participants to deepen their
existing relations and to promote exchanges to assist each other in
the regulation of laws protecting personal data.
1.6 This MoU sets out the broad principles of collaboration between the
Participants and the legal framework governing the sharing of
relevant information and intelligence between them.
1.7 Reducing divergences in the regulatory approach taken by the
Participants, when addressing similar issues, benefits industry,
consumers and other stakeholders in their respective countries.
Whilst having regard to the different laws and regulations of their
respective countries as well as their statutory independence, this
MoU is intended to avoid divergences and promote consistency in the
administration of similar data protection laws.
1.8 The Participants confirm that nothing in this MoU should be
interpreted as imposing a requirement on the Participants to
co-operate with each other. In particular, there is no requirement to
co-operate in circumstances which would place either Participant in
breach of their legal responsibilities, including:
(a) in the case of the Commissioner: the retained EU law version of
the General Data Protection Regulation ((EU) 2016/679 (“UK
GDPR”)); and
(b) in the case of the [SA]: the [name of relevant law].
1.9 The MoU sets out the legal framework for information sharing, but it
is for each Participant to determine for themselves that any proposed
disclosure is compliant with the law applicable to them.
2. The role and function of the Information Commissioner
2.1 The Commissioner is a corporation sole appointed under the Data
Protection Act 2018 (the “DPA”) to act as the UK’s independent
regulator to uphold information rights in the public interest, promote
openness by public bodies and data privacy for individuals.
2.2 The Commissioner is empowered to take a range of regulatory action
for breaches of the following legislation (as amended from time to
time):
(a) Data Protection Act 2018 (“DPA”);
(b) UK GDPR;
(c) Privacy and Electronic Communications (EC Directive)
Regulations 2003 (“PECR”);
(d) Freedom of Information Act 2000 (“FOIA”);
(e) Environmental Information Regulations 2004 (“EIR”);
(f) Environmental Protection Public Sector Information Regulations
2009 (“INSPIRE Regulations”);
(g) Investigatory Powers Act 2016;
(h) Re-use of Public Sector Information Regulations 2015;
(i) Enterprise Act 2002;
(j) Security of Network and Information Systems Directive (“NIS
Directive”); and
(k) Electronic Identification, Authentication and Trust Services
Regulation (“eIDAS”).
2.3 The Commissioner has a broad range of statutory duties, including
monitoring and enforcement of data protection laws, and promotion
of good practice and adherence to the data protection obligations by
those who process personal data. These duties sit alongside those
relating to the other enforcement regimes.
2.4 The Commissioner’s regulatory and enforcement powers include:
(a) conducting assessments of compliance with the DPA, UK GDPR,
PECR, eIDAS, the NIS Directive, FOIA and EIR;
(b) issuing information notices requiring individuals, controllers or
processors to provide information in relation to an investigation;
(c) issuing enforcement notices, warnings, reprimands, practice
recommendations and other orders requiring specific actions by
an individual or organisation to resolve breaches (including
potential breaches) of data protection legislation and other
information rights obligations;
(d) administering fines by way of penalty notices in the
circumstances set out in section 152 of the DPA;
(e) administering fixed penalties for failing to meet specific
obligations (such as failing to pay the relevant fee to the
Commissioner);
(f) issuing decision notices detailing the outcome of an investigation
under FOIA or EIR;
(g) certifying contempt of court should an authority fail to comply
with an information notice, decision notice or enforcement notice
under FOIA or EIR; and
(h) prosecuting criminal offences before Courts.
2.5 Regulation 31 of PECR, as amended by the Privacy and Electronic
Communications (EC Directive) (Amendment) Regulations 2011, also
provides the Commissioner with the power to serve enforcement
notices and issue monetary penalty notices as above to organisations
who breach PECR. This includes, but is not limited to, breaches in the
form of unsolicited marketing which fall within the ambit of PECR,
including automated telephone calls made without consent, live
telephone calls which have not been screened against the Telephone
Preference Service, and unsolicited electronic messages (Regulations
19, 21 and 22 of PECR respectively).
3. ROLE AND FUNCTIONS OF [SA]
3.1 [THIS SECTION WILL NEED TO BE POPULATED WITH THE OTHER
PARTY’S STATUTORY FUNCTIONS AND POWERS, AS RELEVANT TO
WHICH INFORMATION CAN BE APPROPRIATELY SHARED UNDER THE
AGREEMENT]
4. SCOPE OF CO-OPERATION
4.1 The Participants acknowledge that it is in their common interest to
collaborate in accordance with this MoU, in order to:
(a) Ensure that the Participants are able to deliver the regulatory
cooperation necessary to underpin their data-based economies
and protect the fundamental rights of citizens of the United
Kingdom and [JURISDICTION OF SA] respectively, in accordance
with the applicable laws of the Participants’ respective
jurisdictions;
(b) Cooperate with respect to the enforcement of their respective
applicable data protection and privacy laws;
(c) Keep each other informed of developments in their respective
countries having a bearing on this MoU; and
(d) Recognise parallel or joint investigations or enforcement actions
by the Participants as priority issues for co-operation.
4.2 For this purpose, the Participants may jointly identify one or more
areas or initiatives for cooperation. Such cooperation may include:
(a) sharing of experiences and exchange of best practices on data
protection policies, education and training programmes;
(b) implementation of joint research projects;
(c) co-operation in [set out details of any specific projects of
interest, such as sandbox or AI];
(d) exchange of information (excluding personal data) involving
potential or on-going investigations of organisations in the
respective jurisdictions in relation to a contravention of personal
data protection legislation;
(e) secondment of staff;
(f) joint investigations into cross border personal data incidents
involving organisations in both jurisdictions (excluding sharing of
personal data);
(g) convening bilateral meetings at least quarterly or as mutually
decided between the Participants; and
(h) any other areas of cooperation as mutually decided by the
Participants.
4.3 For clarity, it is acknowledged that this MoU does not impose any
obligation on the Participants to share information with each other or
to engage in any other form of cooperation. It is further
acknowledged that a Participant may require that any cooperation is
subject to certain limitations or conditions being agreed between the
Participants, for example in order to avoid breaching applicable legal
requirements. Any such limitations or conditions will be agreed
between the Participants on a case-by-case basis.
5. NO SHARING OF PERSONAL DATA
5.1 The Participants do not intend that this MoU will cover any sharing of
personal data by the Participants.
5.2 If the Participants wish to share personal data, for example in relation
to any cross border personal data incidents involving organisations in
both jurisdictions, each Participant will consider compliance with its
own applicable data protection laws, which may require the
Participants to enter into a written agreement or further
arrangements governing the sharing of such personal data.
6. INFORMATION SHARED BY THE UK INFORMATION COMMISSIONER
6.1 Section 132(1) of the DPA 2018 states that the Commissioner can
only share certain information if he has lawful authority to do so,
where that information has been obtained, or provided to, the
Commissioner in the course of, or for the purposes of, discharging the
Commissioner’s functions, relates to an identifiable individual or
business, and is not otherwise available to the public from other
sources.
6.2 Section 132(2) of the DPA 2018 sets out the circumstances in which
the Commissioner will have the lawful authority to share that
information. Of particular relevance when the Commissioner is
sharing information with the [SA] are the following circumstances,
where:
(a) The sharing is necessary for the purpose of discharging the
Commissioner’s functions (section 132(2)(c)); and
(b) The sharing is necessary in the public interest, taking into
account the rights, freedoms and legitimate interests of any
person (section 132(2)(f)).
6.3 Before the Commissioner shares any such information with the [SA],
it may be necessary for the Commissioner to identify the function of
the [SA] with which that information is intended to assist, and assess
whether that function of the [SA] could reasonably be achieved
without access to the particular information in question. Where the
Commissioner considers that any such function could reasonably be
achieved without access to the information, it will not share the
information unless it determines that there are overriding factors
which render such sharing to be lawful and appropriate in all the
circumstances.
7. INFORMATION SHARED BY THE [SA]
7.1 [THIS SECTION WILL NEED TO BE POPULATED WITH ANY LAWS
RELEVANT TO THE SA SHARING INFORMATION WITH THE ICO]
8. SECURITY AND DATA BREACH REPORTING
8.1 Appropriate security measures will be agreed to protect information
that is shared between the Participants. Such measures will, amongst
other things, require the Participant receiving information (the
“Recipient”) to take into account the sensitivity of the information;
any classification that is applied by the Participant who is sending the
information to the other Participant (the “Sender”); and any other
factors relevant to protecting the security of the information.
8.2 Where confidential material is shared between the Participants it will
be marked with the appropriate security classification by the Sender.
8.3 Where a Recipient receives information from a Sender, the Recipient
will consult with the Sender and obtain their consent before passing
that information to a third party or using the information in an
enforcement proceeding or court case, save where the Recipient is
prevented from consulting with the Sender or seeking its consent, by
applicable laws or regulations.
8.4 Where confidential material obtained from, or shared by, a Sender is
wrongfully disclosed or used by a Recipient, the Recipient will bring
this to the attention of the Sender without delay.
9. REVIEW OF THE MoU
9.1 The UK Information Commissioner and the [SA] will monitor the
operation of this MoU and review it if either Participant so requests.
9.2 Any issues arising in relation to this MoU will be notified to the
designated point of contact for each Participant.
9.3 Any amendments to this MoU must be made in writing and signed by
each Participant.
10. NON-BINDING EFFECT OF THIS MoU AND DISPUTE SETTLEMENT
10.1 This MoU is a statement of intent that does not give rise to legally
binding obligations on the part of either the Commissioner or the
[SA].
10.2 The Participants will settle any disputes or disagreement relating to
or arising from this MoU amicably through consultations and
negotiations in good faith without reference to any international
court, tribunal or other forum.
11. DESIGNATED CONTACT POINTS
11.1 The following persons will be the designated contact points for the
Participants for matters under this MoU:
Information Commissioner’s Office        XXXXXX
Name:                                    Name:
Designation:                             Designation:
11.2 The above individuals will maintain an open dialogue between each other in
order to ensure that the MoU remains effective and fit for purpose. They
will also seek to identify any difficulties in the working relationship, and
proactively seek to minimise the same.
11.3 Each Participant may change its designated contact point for the purposes
of this MoU upon notice in writing to the other Participant.
12. ENTRY INTO EFFECT AND TERMINATION
This MoU will come into effect upon its signature by the Participants and
remain in effect unless terminated by either Participant upon three
months’ written notice to the other Participant.
Signatories:
For the Information Commissioner         For XXXXXXX
for the United Kingdom of Great
Britain and Northern Ireland
Name:                                    Name:
Title:                                   Title:
Place:                                   Place:
Date:                                    Date:
Contents
• Introduction
• Contact points by topic (day-to-day)
• Senior Leadership level relationships
• Summary per topic area:
• Topic 1
• Topic 2
• Topic 3
• Topic 4
• Meeting terms of reference