English Cymraeg
Memorandum of Understanding between the Food Standards Agency and Food Standards Scotland

Memorandum of Understanding: Annex B- data sharing protocol 

This Memorandum of Understanding (MoU) sets out the working relationship between the Food Standards Agency (FSA) and Food Standards Scotland (FSS) and the principles that FSA and FSS will follow in the course of day-to-day working relationships.   

View as PDF
View as PDF

7. Purpose and scope

  • Food Standards Agency (FSA) and Food Standards Scotland (FSS) acknowledge that in order for both bodies to operate effectively, each should provide the other with as full and open as possible access to food and feed safety and standards intelligence, data, knowledge and information.
  • This protocol will provide guidance as to how the FSA and FSS will share information and data and sets out the roles and responsibilities of each body.
  • Although initially most information shared will be from the FSA to FSS, the principles outlined apply to transfers of information in both directions.
  • This protocol contains agreement on how historical information on FSA activities in Scotland will be handled.
  • This protocol reflects the ethos of the Information Commissioner's Code of Practice on Data Sharing.

8. General principles

In all data sharing activities, both bodies will have due regard to relevant provisions on data governance and ethics, data protection, confidentiality, intellectual property and information security.

Both the FSA and FSS agree to provide any information reasonably requested by the other body; provided that it:

  • is lawful;
  • is accurate;
  • is practicable;
  • would not involve disproportionate cost; and
  • is available in a reasonably accessible format.

Where any of the above provisos is not met, resolution will be sought on a case-by-case basis.

9. Sharing personal and/or special category data

Where the data contains personal data, it will only be shared where there is a lawful basis under Article 6 of the UK General Data Protection Regulation (UK GDPR) for doing so.

Each party agree that all sharing under this MoU must be compliant with the UK GDPR, the Data Protection Act 2018 (DPA) and the Human Rights Act 1998 (HRA). In particular, both parties acknowledge the need to comply with the seven key principles set out in Article 5(1) of the UK GDPR. These key principles are listed:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

If the FSA or FSS becomes aware of any actual or potential Data Security Breach, it should inform the other body immediately (no later than 12 hours from the time of discovery) by emailing the FSA Data Protection team at: informationmanagement@food.gov.uk and for FSS Data Protection Team at: dataprotection@fss.scot.  

Where there is a joint controllership, the single point of contact will notify data subjects and the Information Commissioner’s Office of the security breach depending on the severity of the data that is lost or compromised. Where personal data is being processed for the prevention or detection of a crime, Schedule 2 Part 1 of DPA 2018 provides exemption for the communication of the data breach to affected individuals.

The FSA and FSS agree to treat any data shared with appropriate discretion.

In particular, both bodies accept that:

  • it is for the body providing the information to state what, if any, restrictions there should be upon its usage;
  • unless legally prohibited from doing so, each body will treat information which it receives in accordance with the restrictions which are specified as to its usage;
  • the body that is in receipt of the information may be subject to a legal obligation to disclose the information in certain circumstances, for example, where it receives a request under access to information legislation (primarily the Freedom of Information Act 2000 / Freedom of Information (Scotland) Act 2002, Environmental Information Regulations 2004 / Environmental Information (Scotland) Regulations 2004 and the UK GDPR/Data Protection Act 2018).  In cases where it is proposed to release information, the originator must be consulted, as soon as practicable, allowing sufficient time to respond, about the appropriateness of disclosing information. Where the originator of the information is a Minister of the Crown or a department of the Government of the United Kingdom, and the information is held in confidence, the final decision as to whether there is a lawful bases/ legal obligation to disclose the information will rest with the originator but, in any other case, the final decision will rest with the body to whom the request has been made;
  • some information will be subject to statutory or other restrictions which may mean restrictions on the category of persons who may have access to the material (for example, to ensure the Official Secrets Act 1989 and the UK GDPR/Data Protection Act 2018 are not breached);
  • where personal data is shared, a data sharing agreement will be drawn up setting out the respective responsibilities for compliance with UK GDPR regulations in relation to the sharing in question. A list of data sharing agreements in development and operation at the time this MoU was finalised is included in this Annex.

Each body will ensure that the information it supplies to the other is subject to appropriate safeguards. In particular, both parties agree to ensure they have measures in place that meet the minimum UK Government security standards and that disposal of information at the end of retention periods will follow the latest advice from CPNI (Centre for Protection of National Infrastructure) and NCSC (National Cyber Security Centre).

10. Specific provisions

Business and historically significant information

FSA will make business and historically significant information available to FSS (subject to the general principle set out in section 5.2 above). In the first instance any request for information should be channelled through the Information & Knowledge Management Team via their mailbox Informationmanagement@food.gov.uk who will cascade the request to the relevant information asset owner for action.

Data and reports from historic FSA funded science and evidence gathering activities are open access and published on the FSA website.

Where an FSA-funded science and evidence gathering project is underway or complete, but no data or outputs have been published, a request from FSS should be made to the FSA Director of Science, Evidence and Research to access the data. The FSA Director will take into account the provisions referred to in 5.2 when making available the information.

Local authority data

Local Authorities will continue to have access to the following web-based systems, until otherwise agreed by the FSA and FSS:

  • Scottish Food Sampling Database (SFSD).
  • Scottish National Database (SND).
  • Food Hygiene Rating Scheme / Food Hygiene Information Scheme (FHRS/FHIS).
  • Guidance and Regulatory Advice on Import Legislation (GRAIL).

Any subsequent changes to the system that benefit only the FSA or FSS will be funded by the body requesting the change. Where the benefit is shared, the FSA and FSS will agree how costs are distributed.

The FSA will grant web access rights to FSS to use the FSA’s FHRS platform to publish FSS’s FHIS results. The full cost of granting and amending access and providing IT support will be met by FSS (subject to agreed terms to be set out in a separate Service Level Agreement). The FSA may require a proportionate financial contribution to the maintenance of the FHRS system.

FSS will provide anonymised data from FSS’s SND and SFSD systems to FSA where appropriate and as requested, in line with FSS data sharing agreement with Scottish Local Authorities.

Operational data

On request, the FSA will provide relevant Operational and HR data in an agreed format to FSS, the cost of which will be borne by the Scottish Government.

On request, FSS will provide reports and analysis on Scottish operations data to FSA, and FSA will provide reports and analysis on non-Scottish operations data to FSS. The full cost of providing these reports and analysis will be met by the requesting body, subject to agreement in advance.

Data standards and systems development

The FSA and FSS will keep each other informed of potential development of information systems and data standards with a view to avoiding unnecessary incompatibilities between data sets retained by either body.

A process has been put in place to ensure that FSS is consulted on proposed amendments to the FSA Manual of Official Controls and notified when new versions are published.

The FSA and FSS will each adopt the FAIR Data Principles to promote the maximum use of research data either published jointly or separately, to make the data Findable, Accessible, Interoperable and Reusable.

Reporting requirements on official controls

 Where co-ordination in relation to the production of a UK plan is required for third country audit purposes by Defra, the FSA and FSS will liaise as appropriate. Following the end of the transition period, Defra are now responsible for the production of such plans. FSS will ensure that its statutory obligations on behalf of Scottish Ministers to facilitate and maintain the areas of the Multi-Annual National Control Plan for which it is responsible will be properly discharged to allow Defra to discharge its responsibilities on behalf of UK Ministers.

Freedom of Information (FOI) / Communication of historical information on FSA activities in Scotland

The FSA will respond to information requests and queries relating to the activities of the FSA in Scotland. This includes queries from food business operators on charges and invoices issued by FSA in Scotland.

Dispute resolution

Where either the FSA or FSS decide that it is not possible to provide data to the other body because:

  • it is impracticable;
  • it is not lawful;
  • it would involve a disproportionate cost; and/or
  • the information is not available in an accessible format.
  • the providing body will explain to the requesting body as to why the data cannot be provided.

Disputes concerning the provision of data will be resolved through the dispute resolution process outlined in the body of this MoU.

Data sharing agreements

S/No Agreement title Description Agreement date
1 Information Sharing Protocol for the transfer of Food Crime and Incidents  Information relating to criminal convictions or offences July 2017; revised Sept 2020
2 Data Sharing Agreement for Regulated Products Service Information related to risk assessment of new products  16 December 2020
3 Data Sharing Agreement for risk tracker To collate and store evidence packages containing risk assessments and reports on ‘other legitimate factors’ such as economic impact and consumer perception. 15 January 2021

 

Back to top
View entire guide
Print guide