What is a data sharing agreement (DSA)?
A data sharing agreement is a legal document that outlines how personal data can be shared between parties as independent controllers, specifying the terms, conditions and obligations related to the data sharing. It serves as a blueprint that protects both the data provider and the recipient by clarifying expectations, responsibilities and limitations on data usage. Whether you're entering into a collaboration with a partner organisation or outsourcing services to a third-party vendor, a DSA ensures that both parties understand their roles in handling the data, reducing the risk of breaches and misunderstandings.
So what exactly is an independent controller? Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, if they are processing the same data for different purposes, they are not joint controllers and will instead be independent controllers.
Why is a data sharing agreement important?
Implementing a data sharing agreement offers several key advantages for your business:
Clearly defined terms: A well-structured data sharing agreement establishes precise terms and conditions for data exchange between organisations. This minimises the likelihood of misunderstandings or future disputes, ensuring all parties are on the same page.
Ensure legal compliance: By formalising a data sharing agreement, your business can help ensure adherence to data protection laws, reducing the risk of legal claims, investigations by regulatory bodies like the ICO, and potential damage to your reputation. It can help with compliance with the ICO’s data sharing code of practice.
Safeguard personal data: A data sharing agreement outlines specific measures for protecting shared data, including provisions on confidentiality, data protection and security protocols. These safeguards help prevent unauthorised access or misuse, ensuring data remains secure.
Promote collaboration: Such agreements foster smoother collaboration between parties, enabling more efficient and effective partnerships. By streamlining data sharing processes, organisations can work together with greater confidence and clarity.
This proactive approach not only mitigates risks but also enhances trust and productivity between partners.
Key components of a data sharing agreement
Now that we understand the importance of a DSA, let's dive into the essential components that should be included in any well-crafted data sharing agreement:
Data sharing particulars - the ICO data sharing code of practice states that details of the data sharing initiative should be included in a data sharing agreement. This should include:
the purpose of the data sharing, including the specific aims you have, why the data sharing is necessary to achieve those aims and the benefits you hope to bring to individuals or to society more widely;
the types of data you are intending to share;
your lawful basis for sharing data - the lawful basis for one organisation in a data sharing arrangement might not be the same as that for the other one; and
if the data you are sharing contains special category data or criminal offence data under the UK GDPR, or there is sensitive processing within the meaning of Part 3 of the DPA 2018, you must document the relevant conditions for processing as well (i.e. the additional lawful bases for processing these types of data).
Single point of contact - a contact at each organisation who is responsible for the data sharing initiative. This is recommended by the ICO code;
Security measures - jointly agreed security standards and measures to protect the shared personal data;
Agreed ways of working - such as implementing staff training and regularly reviewing the data sharing initiative;
Breach reporting - agreed timeframes for reporting breaches relating to the shared personal data;
Data subject requests - a clear process for dealing with data subject requests that relate to the shared personal data;
Liability - optional clauses to cap liability for breach of the data sharing agreement; and
Indemnity - an optional contractual promise to pay where there are losses arising from a breach of the agreement by the other party.
Best practices for drafting a data sharing agreement
Customise your agreement
It's important to tailor your data sharing agreement so that it fits the specific needs of the parties involved and reflects the actual data sharing taking place. Consider factors like the nature of the data and the long-term goals of the collaboration.
Regularly review and update the agreement
Data sharing needs can evolve over time, so it’s important to review and update your agreement periodically. Regular reviews ensure that your DSA remains relevant and reflects changing business practices.
When should a data processing agreement be used instead of a data sharing agreement?
A data sharing agreement should be used where personal data is being shared between independent controllers. An independent controller is a person or organisation that determines the purposes and means of processing personal data.
A processor, on the other hand, is a person or organisation that processes personal data on behalf of a controller. If you are sharing data between a controller and a processor, you must use a data processing agreement instead in order to comply with the requirements of the UK GDPR.
Conclusion
A well-crafted data sharing agreement is more than just a legal formality - it’s a vital tool for safeguarding your data and ensuring that it is used appropriately by all parties involved. By including clear terms and conditions, setting security protocols, and maintaining compliance with regulations, you can protect your business from potential data breaches and legal liabilities.
Docue’s data sharing agreement has been drafted by, and is maintained by, expert privacy lawyers. Our lawyer-crafted guidelines provide you with the support you need to be guided through every stage of the drafting process.