Skip to content
Platform|Embed
ContactAboutNewsReviewsBook a demo
Support
Custom templatesCreate templates in DocueReady-made legal templates150+ lawyer-made UK templatesElectronic signatureEffortless signing in secondsDocue DriveSecure, intelligent contract managementEmbedded Legal EngineEmbed templates into your own softwareEmbedded Sign EngineEmbed signing into your own software
Legal Templates
HubSpotSalesforcePipedriveOther systems
Pricing
SearchLog inBook a demo
PlatformEmbed
HomeLegal TemplatesPricingContactAboutNewsReviews
Book a demo

Already have an account? Sign in

  1. Legal Hub
  2. The ultimate guide to creating a data sharing agreement
0 % read

The ultimate guide to creating a data sharing agreement

Article•Last updated 15 Oct 2024
In today’s data-driven world, organisations are constantly sharing data with external partners, vendors or collaborators. Having a solid data sharing agreement (DSA) is crucial to ensure legal compliance, maintain trust and protect your business interests. This guide will walk you through everything you need to know about crafting an effective data sharing agreement, from understanding its importance to the essential components you should include.

What is a data sharing agreement (DSA)?

A data sharing agreement is a legal document that outlines how personal data can be shared between parties as independent controllers, specifying the terms, conditions and obligations related to the data sharing. It serves as a blueprint that protects both the data provider and the recipient by clarifying expectations, responsibilities and limitations on data usage. Whether you're entering into a collaboration with a partner organisation or outsourcing services to a third-party vendor, a DSA ensures that both parties understand their roles in handling the data, reducing the risk of breaches and misunderstandings.

So what exactly is an independent controller? Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes (and will be independent controllers).

Why is a data sharing agreement important?

Implementing a data sharing agreement offers several key advantages for your business:

  1. Clearly defined terms: A well-structured data sharing agreement establishes precise terms and conditions for data exchange between organisations. This minimises the likelihood of misunderstandings or future disputes, ensuring all parties are on the same page.

  2. Ensure legal compliance: By formalising a data sharing agreement, your business can help ensure adherence to data protection laws, reducing the risk of legal claims, investigations by regulatory bodies like the ICO, and potential damage to your reputation. It can help with compliance with the ICO’s data sharing code of practice - find out more about that code of practice here.

  3. Safeguard personal data: A data sharing agreement outlines specific measures for protecting shared data, including provisions on confidentiality, data protection and security protocols. These safeguards help prevent unauthorised access or misuse, ensuring data remains secure.

  4. Promote collaboration: Such agreements foster smoother collaboration between parties, enabling more efficient and effective partnerships. By streamlining data sharing processes, organisations can work together with greater confidence and clarity.

This proactive approach not only mitigates risks but also enhances trust and productivity between partners. Find out more by reading these FAQs.

Key components of a data sharing agreement

Now that we understand the importance of a DSA, let's dive into the essential components that should be included in any well-crafted data sharing agreement:

  1. Data sharing particulars - the ICO data sharing code of practice states that details of the data sharing initiative should be included in a data sharing agreement. This should include:

    • the purpose of the data sharing, including the specific aims you have, why the data sharing is necessary to achieve those aims and the benefits you hope to bring to individuals or to society more widely;

    • the types of data you are intending to share;

    • your lawful basis for sharing data - the lawful basis for one organisation in a data sharing arrangement might not be the same as that for the other one; and

    • if the data you are sharing contains special category data or criminal offence data under the UK GDPR, or there is sensitive processing within the meaning of Part 3 of the DPA 2018, you must document the relevant conditions for processing as well (i.e. the additional lawful bases for processing these types of data).

  2. Single point of contact - a contact at each organisation who is responsible for the data sharing initiative. This is recommended by the ICO code;

  3. Security measures - jointly agreed security standards and measures to protect the shared personal data;

  4. Agreed ways of working - such as implementing staff training and regularly reviewing the data sharing initiative;

  5. Breach reporting - agreed timeframes for reporting breaches relating to the shared personal data;

  6. Data subject requests - a clear process for dealing with data subject requests that relate to the shared personal data;

  7. Liability - optional clauses to cap liability for breach of the data sharing agreement; and

  8. Indemnity - an optional contractual promise to pay where there are losses arising from a breach of the agreement by the other party.

Best practices for drafting a data sharing agreement

  1. Customise your agreement

    It's important to tailor your data sharing agreement to fit the specific needs of the parties involved, and so that it reflects the actual data sharing taking place. Consider factors like the nature of the data and the long-term goals of the collaboration.

  2. Regularly review and update the agreement

    Data sharing needs can evolve over time, so it’s important to review and update your agreement periodically. Regular reviews ensure that your DSA remains relevant and reflects changing business practices.

When should a data processing agreement be used instead or a data sharing agreement?

A data sharing agreement should be used where personal data is being shared between independent controllers. An independent controller is a person or organisation that determines the purposes and means of processing personal data.

A processor, on the other hand, is a person or organisation that processes personal data on behalf of a controller. If you are sharing data between a controller and a processor, you must use a data processing agreement instead in order to comply with the requirements of the UK GDPR. Find out more about data processing agreements here.

Conclusion

A well-crafted data sharing agreement is more than just a legal formality - it’s a vital tool for safeguarding your data and ensuring that it is used appropriately by all parties involved. By including clear terms and conditions, setting security protocols, and maintaining compliance with regulations, you can protect your business from potential data breaches and legal liabilities.

Docue’s data sharing agreement has been drafted by, and is maintained by, expert privacy lawyers. Our lawyer-crafted guidelines provide you with the support you need to be guided through every stage of the drafting process.

Sign up now to use Docue’s data sharing agreement.

Author
Docue's Legal Team

Tags: data sharing agreement, data sharing agreement ico, data sharing code of practice, ico data sharing code


Related articles

FAQ•Updated 15 Oct 2024
Top 5 FAQs about controller-to-controller agreements
FAQ•Updated 15 Oct 2024
Top 5 FAQs for data processors about controller-processor agreements
Checklist•Updated 15 Oct 2024
Checklist for ensuring your data processing addendum complies with the UK GDPR
Guide•Updated 15 Oct 2024
A comprehensive guide to data breaches (including a lawyer-drafted data breach policy template)
Checklist•Updated 15 Oct 2024
Checklist: managing a personal data breach

Related legal templates

Data Sharing AgreementData Processing AgreementPrivacy Notice (Website)

About Docue

Docue gives you access to 150+ automated legal templates for all important business situations. Templates are maintained by experienced UK lawyers to stay up-to-date with English and Welsh legislation.

Features

  • Custom templates
  • Ready-made legal templates
  • Electronic signature
  • Contract management

Service

  • Pricing
  • Reviews
  • Integrations
  • Legal Hub
  • Support

Company

  • About
  • Contact
  • News
  • Solutions
  • Reviews

Other

  • Log in
  • Data Security
  • Privacy Policy
  • Terms of Use
  • Data Processing Agreement

Support site

Instructions for using the service and answers to frequently asked questions: help.docue.com/en

Customer Service

For business customers: support@docue.com

4.5
(142)
Google LogoReviews on Google
ISO logo

ISO/IEC 27001 certified

© 2026 Docue

•
  • Facebook
  • Instagram
  • Twitter
  • LinkedIn
  • Youtube
Choose country