Bristol Data Sharing Agreements & City Bylaw Guide

Technology and Data · England · Published February 12, 2026

Public bodies and partner organisations in Bristol, England must follow clear rules when sharing personal data. This guide explains what an information sharing agreement (ISA) is, where local duties come from, how to draft and sign an ISA, and what happens when data protection standards are breached in Bristol.

Always record lawful basis and retention limits before sharing personal data.

What is an information sharing agreement?

An information sharing agreement is a written record between organisations that sets legal bases, purposes, lawful access, retention, roles and security measures for sharing personal data. Local authorities typically publish templates and governance contacts to support partners in preparing ISAs. [1]

When to use an ISA

  • When personal data will be exchanged between Bristol City Council and external bodies for casework or service delivery.
  • For multi-agency safeguarding, homelessness prevention, public health and licensing checks.
  • Whenever clarity is needed on lawful basis, retention, access controls and audit trails.

Key clauses to include

  • Purpose and lawful basis for processing.
  • Roles and responsibilities: data controller, processor, lead contact.
  • Security measures, access controls and breach notification steps.
  • Retention schedule and criteria for deletion or return of data.
  • Governance: review period, signatories and termination conditions.

Penalties & Enforcement

Local council policies set process and complaints routes; financial penalties for personal data breaches are imposed by the Information Commissioner and are not set as local bylaw amounts on the council page. For national enforcement limits, the ICO sets maximum fines under the Data Protection Act 2018 and UK GDPR; see the ICO guidance for current monetary penalty levels. [3] The Bristol City Council pages explain local reporting, governance contacts and internal review routes. [1]

Report suspected breaches to the council's data protection contact promptly.

  • Fines: maximum statutory fines for serious data breaches are set by the ICO (for example, tiered monetary limits are described on the ICO site); the cited local pages do not list specific fine amounts. [1]
  • Escalation: first reports go to the council's information governance team; serious or repeated breaches may be reported to the ICO. Escalation details are on official guidance. [1]
  • Non-monetary sanctions: orders to cease unauthorised processing, enforcement notices, corrective action plans, compulsory audits and court action are possible via ICO or civil courts. [3]
  • Enforcer: the primary regulator is the Information Commissioner's Office; operational complaints and internal enforcement are handled by Bristol City Council Information Governance. [1]

Appeals, review and time limits

Appeal routes: internal council review processes are the first step; dissatisfied parties may complain to the ICO and then to the First-tier Tribunal for certain data decisions. Specific statutory appeal periods are described on regulator and council pages. [3]

Defences and discretion

Common defences include that processing was necessary for public functions, consent was obtained, or a reasonable excuse existed; where permits or formal legal gateways apply, these must be recorded in the ISA. Local pages do not list exhaustive defences. [1]

Common violations and typical outcomes

  • Excessive data sharing without lawful basis: may trigger corrective action, internal disciplinary measures or ICO investigation.
  • Poor retention practices: orders to delete and compliance plans are common.
  • Insufficient security controls: mandatory remediation, audits and possible fines.

Applications & Forms

Subject access, data correction or general data rights requests use the council's official data protection request process. Fees and submission details are published on the council's data protection pages; where a form exists, submit via the council's online request route or by post as instructed. [2]

Drafting and agreement steps

  1. Identify partners, data items, lawful basis and retention requirement.
  2. Map data flows and security measures; assign controller/processor roles.
  3. Agree governance, signatories and review cycle; obtain appropriate approvals from legal or information governance teams.
  4. Record the ISA in local registers and publish summary information if required by transparency rules.

Keep a single, auditable record of decisions, lawful basis and retention for every ISA.

FAQ

Who is responsible for enforcing ISAs in Bristol?
The Information Commissioner's Office enforces data protection law; Bristol City Council's Information Governance team handles local compliance and first-stage complaints.

Do partners need an ISA for every data exchange?
Not always; proportionality applies, but an ISA or documented agreement is recommended whenever personal data is shared for ongoing or sensitive processing.

How do I report a data breach involving a partner organisation?
Report to your council contact or data protection officer immediately and follow the council's breach notification steps; the ICO must be notified for serious breaches.

How-To

  1. Start: contact your organisation's data protection officer and the Bristol City Council information governance contact to discuss need and scope.
  2. Draft: use an ISA template to set purpose, lawful basis, roles, retention and security measures.
  3. Review: obtain legal and governance sign-off and ensure signatories from each partner.
  4. Record and review: add to registers and schedule regular reviews and audits.

Review ISAs annually or when processing changes.

Key Takeaways

  • Document lawful basis, roles and retention before sharing personal data.
  • Report breaches promptly to local governance and the ICO as required.

Help and Support / Resources