What is a data sharing agreement?
The basics: A data sharing agreement is a contract between two parties that governs the sharing of personal data between those two parties. The agreement will cover what personal data will be shared, how it will be used and for what purpose, who will have access to it, and how it will be protected.
Controller to controller: A data sharing agreement covers the sharing of personal data between two parties when they are both acting as independent controllers. An independent controller is a person or organisation that determines the purposes and means of processing personal data (a processor, on the other hand, is a person or organisation that processes personal data on behalf of an independent controller). If you are sharing data between a controller and a processor, please use our data processing agreement instead.
How can I benefit from using a data sharing agreement?
Protect your business and relationships: Putting in place a data sharing agreement can bring a number of clear benefits to your business:
- Clear terms: A data sharing agreement can help clarify the terms and conditions that relate to data sharing between organisations, reducing the risk of misunderstandings or disputes in the future.
- Be compliant: A data sharing agreement can help ensure compliance with data protection laws, reducing the risk of legal claims, ICO investigations or reputational damage.
- Protect the personal data: A data sharing agreement can help protect the data being shared by including clear provisions relating to data protection, confidentiality, and security measures to prevent unauthorised access or use of the data.
- Enhance collaboration: A data sharing agreement can facilitate collaboration between parties, enabling them to work together more effectively and efficiently.
What do I need to know about the ICO data sharing code of practice?
Statutory code: The ICO (Information Commissioner's Office) data sharing code of practice is a statutory code of practice (made under section 121 of the Data Protection Act 2018) that provides guidance to organisations on when and how to share personal data between them. It aims to ensure that data sharing takes place only when necessary and that, where it is carried out, it is done in compliance with data protection laws.
Key aspects: The code sets out principles that should be adhered to when sharing personal data with another organisation, as well as details about what a data sharing agreement should include. Some of the areas covered by the code are:
- How to consider the benefits and risks of sharing and not sharing personal data - any sharing of personal data must be reasonable and proportionate and individuals must know what is happening to their data and why;
- How the data protection principles can be applied to data sharing - the code states that the “importance of accountability cannot be overstated”, so each organisation has to consider its own compliance with data protection principles when sharing personal data;
- How to ensure the data sharing is done in a fair and transparent manner - ethical factors should be taken into consideration when deciding whether to share personal data including considering “whether it is right to share it”; and
- What to include in a data sharing agreement - it is best practice (and mandatory in some cases) to have a data sharing agreement in place. The ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint received from data subjects.
What does a data sharing agreement need to include?
Data sharing particulars: The ICO data sharing code of practice states that details of the data sharing initiative should be included in a data sharing agreement. This should include:
- the purpose of the data sharing, including the specific aims you have, why the data sharing is necessary to achieve those aims and the benefits you hope to bring to individuals or to society more widely;
- the types of data you are intending to share;
- your lawful basis for sharing data - the lawful basis for one organisation in a data sharing arrangement might not be the same as that for the other one; and
- if the data you are sharing contains special category data or criminal offence data under the UK GDPR, or there is sensitive processing within the meaning of Part 3 of the DPA 2018, you must document the relevant conditions for processing as well (i.e. the additional lawful bases for processing these types of data).
Other key content: Docue’s dynamic data sharing agreement template also includes the option to include information about the following topics:
- Single point of contact - a contact at each organisation who is responsible for the data sharing initiative. This is recommended by the ICO code;
- Security measures - jointly agreed security standards and measures to protect the shared personal data;
- Agreed ways of working - such as implementing staff training and regularly reviewing the data sharing initiative;
- Breach reporting - agreed timeframes for reporting breaches relating to the shared personal data;
- Data subject requests - a clear process for dealing with data subject requests that relate to the shared personal data;
- Liability - optional clauses to cap liability for breach of the data sharing agreement; and
- Indemnity - an optional contractual promise to pay where there are losses arising from a breach of the agreement by the other party.
Created by lawyers: The data sharing agreement template is drafted and maintained by expert privacy lawyers. Our lawyer-crafted guidelines provide you with the support you need to be correctly guided through every stage of the drafting process.
Manage your contracts: Our cutting-edge technology combined with our lawyer-made document content allows you to create, customise, e-sign, store and manage your contracts all in one place with just a few clicks.
Tags: data sharing agreement, data sharing agreement template, ICO data sharing code, independent controllers, controller to controller, UK GDPR, data protection compliance