Question

On the Data Holder (DH) dashboard, for the ‘When we’ve shared your data’ section, is it mandatory to have shared data listed at each specific data cluster level, or can this section can be presented as a generic section after all data clusters have been listed?

Answer

See:

• CDR Rules, Subdivision 7.2.3 - Rules relating to dealing with CDR data, 7.9 Rule relating to Privacy Safeguard 10
• Privacy Safeguard 10 (PS10)

It is mandatory to comply with Privacy Safeguard 10. The CX guidelines  demonstrate one acceptable way to do this. It is not mandatory to implement it in this way.

The CX guidelines demonstrate an approach that was agreed upon with other CDR agencies. The approach agreed includes listing these details per data cluster.

This approach was taken as PS10 (Privacy Safeguard 10) requires the notification to state 'what CDR data was disclosed'.

Providing a generic note may be insufficient for the purposes of PS10.

Compliance is on a case by case basis and participants are encouraged to look to the PS10 guidance for more information.