At a glance
It is good practice to have a data sharing agreement.
Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved in sharing to be clear about their roles and responsibilities.
Having a data sharing agreement in place helps you to demonstrate you are meeting your accountability obligations under the UK GDPR.
In more detail
- What are the benefits of a data sharing agreement?
- What should we include in a data sharing agreement?
- When should we review a data sharing arrangement?
A data sharing agreement between the parties sending and receiving data can form a major part of your compliance with the accountability principle, although it is not mandatory. Your organisation might use a different title for a data sharing agreement, for example:
- an information sharing agreement;
- a data or information sharing protocol or contract; or
- a personal information sharing agreement.
Whatever the terminology, it is good practice to have a data sharing agreement in place.
Government departments and certain other public bodies (for example, regulators, law enforcement bodies and executive agencies) may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data sharing agreement.
However, on their own, the following do not constitute a data sharing agreement:
- a memorandum of understanding (except between government departments and certain other public bodies);
- a list of standards; or
- an addendum to a purchase agreement or to a purchase order or proposal.
A data sharing agreement:
- helps all the parties be clear about their roles;
- sets out the purpose of the data sharing;
- covers what happens to the data at each stage; and
- sets standards.
It should help you to justify your data sharing and demonstrate that you have been mindful of, and have documented, the relevant compliance issues. A data sharing agreement provides a framework to help you meet the requirements of the data protection principles.
There is no set format for a data sharing agreement; it can take a variety of forms, depending on the scale and complexity of the data sharing. Since a data sharing agreement is a set of common rules that binds all the organisations involved, you should draft it in clear, concise language that is easy to understand.
Drafting and adhering to a data sharing agreement should help you to comply with the law, but it does not provide immunity from breaching the law or from the consequences of doing so. However, the ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint we receive about your data sharing.
You should address a range of questions in a data sharing agreement.
Who are the parties to the agreement?
Your agreement should state who the controllers are at every stage, including after the sharing has taken place.
What is the purpose of the data sharing initiative?
Your agreement should explain:
- the specific aims you have;
- why the data sharing is necessary to achieve those aims; and
- the benefits you hope to bring to individuals or to society more widely.
You should document this in precise terms so that all parties are absolutely clear about the purposes for which they may share or use the data.
Which other organisations will be involved in the data sharing?
Your agreement should clearly identify all the organisations that will be involved in the data sharing and should include contact details for their data protection officer (DPO) or another relevant employee who has responsibility for data sharing, and preferably for other key members of staff. It should also contain procedures for including additional organisations in the data sharing arrangement and for dealing with cases where an organisation needs to be excluded from the sharing.
Are we sharing data along with another controller?
If you are acting with another controller as joint controllers of personal data, there is a legal obligation to set out your responsibilities in a joint control arrangement, under both the UK GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018. Although the code mainly focuses on data sharing between separate controllers, the provisions of a data sharing agreement could help you to put a joint control arrangement in place.
What data items are we going to share?
Your agreement should set out the types of data you are intending to share. This is sometimes known as a data specification. This may need to be detailed, because in some cases it will be appropriate to share only certain information held in a file about an individual, omitting other, more sensitive, material. In some cases it may be appropriate to attach ‘permissions’ to certain data items, so that only particular members of staff or staff in specific roles are allowed to access them; for example, staff who have received appropriate training.
You need to clearly explain your lawful basis for sharing data. The lawful basis for one organisation in a data sharing arrangement might not be the same as that for the other one.
If you are using consent as a lawful basis for disclosure, then your agreement should provide a model consent form. You should also address issues surrounding the withholding or retraction of consent.
You should also set out the legal power under which you are allowed to share the data.
Is there any special category data, sensitive data or criminal offence data?
You must document the relevant conditions for processing, as appropriate under the UK GDPR or the DPA 2018, if the data you are sharing contains special category data or criminal offence data under the UK GDPR, or there is sensitive processing within the meaning of Part 3 of the DPA 2018.
You should set out procedures for compliance with individual rights. This includes the right of access to information as well as the right to object and requests for rectification and erasure. You must make it clear in the agreement that all controllers remain responsible for compliance, even if you have processes setting out who should carry out particular tasks.
For example, the agreement should explain what to do when an organisation receives a request for access to shared data or other information, whether it is under the data protection legislation, or under freedom of information legislation. In particular, given data subjects can contact any controller involved in the sharing, it should make clear that one staff member (generally a DPO in the case of personal data) or organisation takes overall responsibility for ensuring that the individual can easily gain access to all their personal data that has been shared.
For joint controllers, Article 26 of the UK GDPR and section 58 of the DPA 2018 for Part 3 processing require you to state in the agreement which controller is the contact point for data subjects.
You will have to take decisions about access on a case-by-case basis.
For public authorities, the agreement should also cover the need to include certain types of information in your freedom of information publication scheme.
There are more details on individual rights under the UK GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018 in the section of this code on the rights of individuals. There is also more information on Part 3 in the section in this code on law enforcement processing.
Your agreement should also deal with the main practical problems that may arise when sharing personal data. This should ensure that all organisations involved in the sharing:
- have detailed advice about which datasets they can share, to prevent irrelevant or excessive information being disclosed;
- make sure that the data they are sharing is accurate, for example by requiring a periodic sampling exercise and data quality analysis;
- record data in the same format, abiding by open standards when applicable. The agreement could include examples showing how to record or convert particular data items, for example dates of birth;
- have common rules for the retention and deletion of shared data items, as appropriate to their nature and content, and procedures for dealing with cases where different organisations may have different statutory or professional retention or deletion rules;
- have common technical and organisational security arrangements, including the transmission of the data and procedures for dealing with any breach of the agreement in a timely manner;
- ensure their staff are properly trained and are aware of their responsibilities for any shared data they have access to;
- have procedures for dealing with access requests, complaints or queries from members of the public;
- have a timescale for assessing the ongoing effectiveness of the data sharing initiative and the agreement that governs it; and
- have procedures for dealing with the termination of the data sharing initiative, including the deletion of shared data or its return to the organisation that supplied it originally.
What further details should we include?
It is likely to be helpful for your agreement to have an appendix or annex, including:
- a summary of the key legislative and other legal provisions, for example relevant sections of the DPA 2018, any law which provides your legal power for data sharing and links to any authoritative professional guidance;
- a model form for seeking individuals’ consent for data sharing, where that is the lawful basis; and
- a diagram to show how to decide whether to share data.
You may also want to consider including:
- a data sharing request form; and
- a data sharing decision form.
You can find examples of these in the Annex to this code.
You should review your data sharing arrangements on a regular basis, and particularly when a change in circumstances or in the rationale for the data sharing arises. You should update your data sharing agreement to reflect any changes. If there is a significant complaint, or a security breach, this should be a trigger for you to review the arrangement.
Your agreement should clearly identify all the organisations that will be involved in the data sharing and should include contact details for their data protection officer (DPO) or another relevant employee who has responsibility for data sharing, and preferably for other key members of staff.
What is the objective of data sharing agreement?
The Purpose of Data Sharing Agreements
Data sharing agreements protect against data misuse and promote early communication among agencies about questions of data handling and use.
Reviewing your data sharing or data processing agreements should be done regularly, especially if there is a change throughout the agreement. Also, if there is a complaint or a potential security breach, you should immediately review the arrangement and update the agreement to reflect any changes.
What are the three types of data sharing?
There are three main types of data sharing arrangements: a) sharing data between a data controller and data processor; b) sharing data between a data controller and data processor; and c) sharing data between a data processor and a sub-processor.
What are the 7 golden rules of data sharing?
Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see ...
What are the 3 principles of data information sharing?
Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed.
What is the difference between a data use agreement and a data sharing agreement?
Data use agreements (DUA)—also referred to as data sharing agreements or data use licenses—are documents that describe what data are being shared, for what purpose, for how long, and any access restrictions or security protocols that must be followed by the recipient of the data.
What is data sharing policy?
A data sharing policy should consider the different models of making data available to secondary users, including (1) online open access, e.g. as supplementary files to a journal article (with this method of sharing there is no oversight or control of secondary uses of the data); (2) external repository without case-by ...
What are the key features and purpose of confidentiality agreement form?
A confidentiality agreement is a standard written agreement that is used to protect the owner of an invention or idea for a new business. It is also an important document between two companies that are contemplating a merger or a commercial transaction that must be withheld from public knowledge.
What are the three things you should consider when handling and sharing data?
Ensure:
- there is a good reason for the sharing to take place (e.g. to meet a contractual obligation or pursue a research project).
- the individuals have been made aware their data is being shared.
- the minimum amount of personal data is shared.
Elements of a DPA
Generally speaking, a DPA should include the scope and purpose of data processing, what data will be processed, how it will be protected, and the controller-processor relationship.
A data sharing agreement is likely to form a binding contract between the organisations that are parties to it.
What are the disadvantages of data sharing?
Sharing data and valuable information raises a multitude of risk factors for individuals and organizations. Some of the most common risks that occur are accidental sharing, employee data theft, ransomware, too much data access and more.
What is an example of data sharing?
Here are some examples of data sharing: Companies in the same field often share data for deeper market insights and to identify fraud patterns and potential threats in the market. Enterprises also share data with their customers to establish trust and provide the required information about their products.
What is another term for data sharing?
Data collaboration is another term that's often used when people refer to data sharing.
Which are the 4 basic principles of data privacy?
Accuracy. Storage limitation. Integrity and confidentiality (security) Accountability.
What are the 5 rules of working with data?
- Know the purpose.
- Be painstakingly meticulous with what data is going to be collected.
- Designate data entry, review and action points when designing the curriculum.
- Ask ourselves, “Are we collecting data in the most effective and efficient way?”
This pdf document, created by Marc Rettig, details the five rules as: Eliminate Repeating Groups, Eliminate Redundant Data, Eliminate Columns Not Dependent on Key, Isolate Independent Multiple Relationships, and Isolate Semantically Related Multiple Relationships.
What are the six data protection principles?
The data protection principles that would be impacted include 1 – lawful, fair and transparent; 2 – limited for its purpose and 6 – integrity and confidentiality. Data that is collected for deceptive or misleading purposes is not fair and may not be lawful.
What is FAIR data standards?
FAIR data are data which meet principles of findability, accessibility, interoperability, and reusability (FAIR). The acronym and principles were defined in a March 2016 paper in the journal Scientific Data by a consortium of scientists and organizations.
Each plays a role that is significant in ensuring sensitive information is protected, accurate, and accessible for users. To measure the effectiveness of any basic cybersecurity initiative, check that each of the information security components (confidentiality, integrity, availability) will be protected by it.
Do you need consent for data sharing?
Therefore, informed consent is a crucial component of data sharing, as it ensures that patients are aware of the risks and benefits of participating in data sharing, and that they have the right to withdraw or limit their consent at any time.
Who signs a data sharing agreement?
The Information Commissioner and the Government recommend that, where two or more organisations need to share personal data about their clients, an agreement should be drawn up and signed by all the organisations concerned.
Is data contract an agreement between two parties?
A data contract is a formal agreement between a service and a client that abstractly describes the data to be exchanged. That is, to communicate, the client and the service do not have to share the same types, only the same data contracts.
Why is data sharing a problem?
Barriers to data sharing
These may include the fear of their own data being misrepresented or misused, policies that may limit their access to broader data streams, and an approval process that is overly long or not well defined.
Data sharing is the practice of providing partners with access to information (in this case, administrative data) they can't access in their own data systems. Data sharing allows stakeholders to learn from each other and collaborate on shared priorities.
What is data sharing problem?
The shared data problem occurs when several functions (or ISRs or tasks) share a variable. Shared data problem can arise in a system when another higher priority task finishes an operation and modifies the data or a variable before the completion of previous task operations.
What are the most important parts of a confidentiality agreement?
- 1) What information is considered confidential? ...
- 2) Exceptions to confidentiality. ...
- 3) Obligations/Requirements of signees. ...
- 4) Consequences of breaking the confidentiality agreement. ...
- 5) Length of the agreement.
The NDA should define the obligations and requirements of each party, specifically the party receiving the information. The party receiving the information should be required to protect the confidentiality of the information and refrain from using the information for personal gain.
What happens if you break a confidentiality agreement?
Since NDAs are civil contracts, breaking one isn't technically a crime. However, it could come with severe financial penalties. Violating an NDA leaves you open to lawsuits from your employer, and you could be required to pay financial damages and possibly associated legal costs.
Results. Credit and recognition, the potential misuse of data, loss of control, lack of resources, socio-cultural factors and ethical and legal barriers are elements that influence decisions on data sharing.
What precautions should be taken while sharing data?
- Back up early, back up often.
- Choose a cloud storage platform with remote wipe capabilities.
- Stay on top of file and folder access control.
- Passwords are still an important part of data security.
- Leave no device unattended.
There are three main data processing methods - manual, mechanical and electronic.
What to look for when reviewing a DPA?
- Scope (Jurisdiction). ...
- Direction of Obligations. ...
- Processing. ...
- Security Incidents. ...
- Notice. ...
- Remediation. ...
- Indemnity. ...
- No Liability Caps.
The guidelines for data protection and privacy apply across the board and include the following: safeguarding data; getting consent from the person whose data is being collected; identifying the regulations that apply to the organization and the data it collects; and.
What are the four primary elements of data processing?
- Data collection.
- Data input.
- Data processing.
- Data output.
It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way.
Can personal data be shared between group companies?
Yes, if you have a valid reason, you can share personal data with another organisation. But to do this and comply with data protection law, it's important that you know what this valid reason is. The data protection term for this reason is the 'lawful basis'.
What is an agreement not to share information?
Non-disclosure agreements, or NDAs as they are sometimes called, are legally enforceable agreements between parties that are used to ensure that certain information will remain confidential.
What are at least two reasons why data sharing is important?
Data sharing encourages more connection and collaboration between researchers, which can result in important new findings within the field. In a time of reduced monetary investment for science and research, data sharing is more efficient because it allows researchers to share resources.
A shared data layer can simplify data management, improve performance, and enable cross-layer data sharing. However, it also comes with some drawbacks, such as increased coupling, security risks, and scalability challenges.
What is the safest way to share data?
Encryption is the best method for securely sharing files. This means the file becomes unreadable until it's decrypted. Only those with the encryption key can access it. Therefore, File encryption is a great way to ensure that your data is safe, even if it falls into the wrong hands.
What is data sharing rules?
This feature helps you to create rules to provide access or restrict users from viewing your data in various modules. Availability. Permission Required. Users with the Manage Data Sharing permission can access this feature. To create data sharing rules.
How many types of data sharing are there?
Data collaboratives: Private data which benefits society and the environment is shared for social good. Data marketplaces: Intermediary platforms or online stores through which data can be bought or sold. Data trusts: There is no one definition of what a data trust is (yet).
What is a data sharing statement?
Data sharing statements must indicate the following: whether individual deidentified participant data (including data dictionaries) will be shared; what data in particular will be shared; whether additional, related documents will be available (e.g., study protocol, statistical analysis plan, etc.); when the data will ...
Is data sharing part of data management?
It is important to understand that data sharing is an expected part of every data management plan requirement as well as a common journal article publishing requirement. The vast majority of research data can be publicly shared with very low, or no, risk.
What are the requirements for data sharing under GDPR?
- Be clear about your intentions. People have a right to know how their personal data will be used. ...
- You must have a lawful basis. GDPR Article 6 and Article 7 deal with the lawful bases for processing personal data. ...
- International data transfers.
A deferred sentencing agreement (DSA) is similar to a DPA. The difference is that, unlike with a DPA, the defendant waives his or her right to a trial and pleads guilty to the charges as part of his/her agreement with the government. The court, however, does not enter the guilty plea into the record.
What is included in a collaboration agreement?
A collaboration agreement is a legally binding agreement between different parties that want to co-operate together or work collaboratively on a commercial project. In most cases a collaboration agreement will record: What the collaboration is about. How the parties will work together.
What are the four principles of the DPA?
Accuracy. Storage limitation. Integrity and confidentiality (security) Accountability.
Validation: Review of the data to ensure it is in the correct format. Sorting: Separating similar data streams into appropriate buckets. Aggregation: Combining data streams. Analysis: The actual processing of the data using formulas and other transformative techniques.
Do you need consent to share data?
No. Organisations don't always need your consent to use your personal data. They can use it without consent if they have a valid reason.
What are the key differences between DPA and GDPR?
GDPR places a much greater focus on accountability than the Data Protection Act, requiring organizations to prove they comply with the regulation. Under GDPR, companies must commit to mandatory activities like data audits, staff training and keeping detailed documentation of how they collect, store and process data.
What is a DPA template?
A Data Processing Agreement (DPA) - also known as a data processing addendum - is a contract between data controllers and data processors or data processors and subprocessors.
What is a DSA data protection?
How does the Digital Services Act protect personal data? The DSA has been designed in full compliance with existing rules on data protection, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive, and does not modify the rules and safeguards set out in these laws.
What are the 3 C's of collaboration?
Communication, collaboration, coordination: The 3 Cs guiding successful cross-functional teams.
What are the 5 conditions of collaboration?
The Five Principles of Collaboration: Applying Trust, Respect, Willingness, Empowerment, and Effective Communication to Human Relationships.
What are the 7 main components of collaboration?
- Mutual Trust and Respect.