Data sharing agreement

Introduction 

A. OCR delivers a range of assessments, qualifications and tests, for learners of all ages across the full range of subjects.

B. The Centre puts forward candidates for OCR’s assessments, qualifications and tests.

C. In order for the Parties to properly administer the participation of the Centre’s candidates for OCR’s assessments, qualifications and tests, it is necessary for the Parties to share information including the personal data and special category data of candidates.

D. The Parties consider that such data is transferred on a controller-to-controller basis.

E. This Data Sharing Agreement sets out the basis upon which the Parties will share such information and comply with their data protection obligations in relation to the rights of candidates as data subjects.

Agreed terms 

1. Definitions and interpretation 

1.1 In this Agreement, the following words have the following meanings: 

Agreed Purposes: in order for: 

1. Candidates to be entered for OCR assessments
2. OCR to collect and mark, moderate or verify a Candidate’s work, report results and issue certificates
3. OCR to consider and respond to any requests for additional time, assistance or other accommodations in relation to a particular Candidate in light of that Candidate’s personal circumstances (which may include consideration of special category data in response to any request by a Candidate entered for Assessments)
4. OCR to verify a Candidate’s identity (for qualifications where this is necessary)
5. OCR to investigate and take such action as it deems appropriate in relation to malpractice, maladministration and other irregularities in relation to Assessments
6. OCR to run the administrative systems used to support the delivery of Assessments
7. OCR to develop Assessments and improve on their quality and integrity, including the collection of statistics and other information relating to Assessments for OCR’s future use
8. OCR to carry out marketing and market research, and provide training to improve on the delivery of Assessments
9. The Centre to enter any Candidate for Assessments
10. The Centre to report any incident of malpractice or maladministration or any other irregularity in relation to Assessments
11. The Centre to forward any request relating to the delivery of Assessments to a Candidate; and
12. The Parties to comply with their legal and regulatory obligations and to assist each other in relation to any exercise by a Candidate of their rights as a data subject.

Assessments: the assessments, qualifications, tests and other services provided by OCR

Assessment Services: any services provided or made available by OCR in connection with the participation of Candidates in Assessments

Candidate: an individual entered by the Centre for Assessments and any other data subject whose personal data is provided by the Centre to OCR

Candidate Privacy Information: information to be provided to Candidates regarding the processing of their personal data in connection with this Data Sharing Agreement, as further detailed at Schedule 1 (as may be updated by OCR from time to time)

Controller, processor, data subject, personal data, special category data, processing and appropriate technical and organisational measures: shall have the meanings ascribed to them in the Data Protection Legislation (for the avoidance of doubt, the term personal data includes special category data)

Data Protection Legislation: means the UK Data Protection Act 2018 (“DPA”), the UK GDPR as it is defined in the DPA (“UK GDPR”) and any other applicable laws of the United Kingdom (“UK”), or of the European Union (“EU”), or of any member state of the EU to which the Parties are subject that relate to the protection of personal data and privacy of individuals

Data Sharing: the transfer of the Shared Personal Data

Effective date: 31 January 2022

Permitted Recipients: the Parties, the employees of each Party; the individuals and organisations that represent, or provide services on behalf of, each Party; the affiliated businesses or organisations of each Party and those owned by each Party; and, in the case of OCR the following: any examiners engaged to perform obligations in connection with Assessments; the Universities and Colleges Admissions Service, any university, college or other educational establishment, and any other organisation (including other Awarding organisations, Ofqual, businesses and governmental or other public bodies) in order to meet OCR’s obligations in delivery of assessment services

Shared Personal Data: any personal data shared between the Parties in connection with the provision of Assessment Services.

1.2 In this Data Sharing Agreement unless the context otherwise requires: 

1. Clause and schedule headings are included for convenience only and will not affect the construction or interpretation of this Data Sharing Agreement
2. References to clauses and schedules are references to the relevant clauses and schedules of this Data Sharing Agreement
3. A reference to writing includes email
4. All references to the Parties include their permitted successors and assigns; and
5. Any reference to a statute or statutory provision includes references to that statute or statutory provision as the same may from time to time be amended, extended, re-enacted or replaced (whether before or after the date of this Data Sharing Agreement) and including all subordinate legislation made under it from time to time.

2. Status of this Agreement 

2.1 This Data Sharing Agreement governs the Data Sharing and is the only basis upon which OCR will accept personal data from the Centre in relation to Candidates.

2.2 This Data Sharing Agreement is intended to be legally binding and shall prevail over all other agreements, arrangements and understandings between the Parties relating to the Data Sharing, whether made before or after the date of this Data Sharing Agreement and notwithstanding any wording to the contrary in such agreements, arrangements and understandings between the Parties.

2.3 Any agreements, arrangements and understandings between the Parties which are unrelated to the Data Sharing, or which are related to the Data Sharing but do not conflict with the provisions of this Data Sharing Agreement, shall continue in full force and effect notwithstanding this Data Sharing Agreement.

2.4 This Data Sharing Agreement shall commence on the Effective Date and shall continue in full force and effect until it is terminated by mutual agreement between the Parties.

3. Provision of information to Candidates

3.1 Prior to transferring the personal data of any Candidate to OCR (and in any event no later than one month from such transfer), the Centre shall provide the Candidate Privacy Information to such Candidate.

4. Data Protection Compliance

4.1 Each Party shall comply with all the obligations imposed on a controller under the Data Protection Legislation. Any material breach of the Data Protection Legislation by a Party in connection with the Data Sharing shall constitute a material breach of this Data Sharing Agreement.

4.2 The Centre shall:

1. Ensure that it has all necessary notices and consents in place to enable lawful transfer of the Shared Personal Data to the Permitted Recipients for the Agreed Purposes; and
2. Give full information to any Candidate whose personal data may be processed under this Data Sharing Agreement of the nature such processing.

4.3 The Parties shall:

1. Process the Shared Personal Data only for the Agreed Purposes
2. Not disclose or allow access to the Shared Personal Data to anyone other than the Permitted Recipients
3. Ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this Agreement
4. Ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
5. Not transfer any personal data outside the EEA otherwise than in compliance with the Data Protection Legislation.

5. Cooperation between the Parties 

5.1 Each Party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular in connection with the Shared Personal Data, each Party shall:

1. Consult with the other Party and cooperate in good faith in relation to any notices given to data subjects in relation to the Shared Personal Data
2. Inform the other Party if any personal data has been transferred to the other Party in error or otherwise in breach of the Data Protection Legislation, requesting the immediate return or deletion of such inappropriately transferred personal data
3. If legally required inform the other Party about the receipt of a complaint or subject access request from any data subject regarding the transfer of any Shared Personal Data between the Parties
4. Provide the other Party with reasonable assistance in complying with any data subject access request. For the avoidance of doubt, a subject access request made to one Party in its capacity as data controller shall not oblige the other Party to disclose any personal data it holds independently in its capacity as a data controller
5. If legally required inform the other Party without delay if a data subject requests the erasure of any Shared Personal Data. For the avoidance of doubt, where one Party is obliged to erase any Shared Personal Data, the other Party shall not be obliged to erase the same Shared Personal Data if that other Party may lawfully continue to hold and process such Shared Personal Data
6. Assist the other Party, at the cost of the other Party, in responding to any other request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators relating to the Shared Personal Data
7. Notify the other Party without undue delay on becoming aware of any breach of the Data Protection Legislation in connection with the Shared Personal Data
8. Maintain complete and accurate records and information to demonstrate its compliance with this clause 5; and
9. Provide the other Party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of the Data Protection Legislation, including the procedures to be followed in the event of a data security breach.

6. General

6.1 Any notice given in connection with this Agreement shall be in writing and delivered by hand, pre-paid first-class post or courier (using an internationally recognised courier company) to the registered office of the other Party or to such other address subsequently notified in writing by the other Party for such purpose.

6.2 No Party may assign, novate, sub-contract, charge or otherwise transfer any or all of its rights obligations under this Agreement without the prior written consent of the other Party.

6.3 If any provision of this Agreement is held to be void, illegal or otherwise unenforceable by a court of competent jurisdiction then the relevant provision will be deemed deleted and the remaining provisions of this Agreement will remain in full force and effect.

6.4 No variation or amendment of this Agreement will be effective unless it is made in writing and signed on behalf of each Party.

6.5 No person other than a Party has any rights under the Contracts (Rights of Third Parties) Act 1999 or any similar legislation to enforce any terms of this Agreement.

6.6 If there is a conflict between this agreement and any other agreements between the Parties relating to data sharing this Data Sharing Agreement will take precedence.

6.7 The validity, construction and performance of this Agreement shall be governed by English law.

6.8 The Parties irrevocably submit to the exclusive jurisdiction of the English courts to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this Agreement or its subject matter or formation.