At a glance
It is good practice to have a data sharing agreement.
Data sharing agreements set out the purpose of the data sharing, cover what happens to the data at each stage, set standards and help all the parties involved in sharing to be clear about their roles and responsibilities.
Having a data sharing agreement in place helps you to demonstrate you are meeting your accountability obligations under the UK GDPR.
In more detail
- Introduction
- What are the benefits of a data sharing agreement?
- What should we include in a data sharing agreement?
- When should we review a data sharing arrangement?
Introduction
A data sharing agreement between the parties sending and receiving data can form a major part of your compliance with the accountability principle, although it is not mandatory. Your organisation might use a different title for a data sharing agreement, for example:
- an information sharing agreement;
- a data or information sharing protocol or contract; or
- a personal information sharing agreement.
Whatever the terminology, it is good practice to have a data sharing agreement in place.
Government departments and certain other public bodies (for example, regulators, law enforcement bodies and executive agencies) may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data sharing agreement.
However on their own, the following do not constitute a data sharing agreement:
- a memorandum of understanding (except between government departments and certain other public bodies);
- a list of standards; or
- an addendum to a purchase agreement or to a purchase order or proposal.
What are the benefits of a data sharing agreement?
A data sharing agreement:
- helps all the parties be clear about their roles;
- sets out the purpose of the data sharing;
- covers what happens to the data at each stage; and
- sets standards.
It should help you to justify your data sharing and demonstrate that you have been mindful of, and have documented, the relevant compliance issues. A data sharing agreement provides a framework to help you meet the requirements of the data protection principles.
There is no set format for a data sharing agreement; it can take a variety of forms, depending on the scale and complexity of the data sharing. Since a data sharing agreement is a set of common rules that binds all the organisations involved, you should draft it in clear, concise language that is easy to understand.
Drafting and adhering to a data sharing agreement should help you to comply with the law, but it does not provide immunity from breaching the law or from the consequences of doing so. However, the ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint we receive about your data sharing.
What should we include in a data sharing agreement?
You should address a range of questions in a data sharing agreement.
Who are the parties to the agreement?
Your agreement should state who the controllers are at every stage, including after the sharing has taken place.
What is the purpose of the data sharing initiative?
Your agreement should explain:
- the specific aims you have;
- why the data sharing is necessary to achieve those aims; and
- the benefits you hope to bring to individuals or to society more widely.
You should document this in precise terms so that all parties are absolutely clear about the purposes for which they may share or use the data.
Which other organisations will be involved in the data sharing?
Your agreement should clearly identify all the organisations that will be involved in the data sharing and should include contact details for their data protection officer (DPO) or another relevant employee who has responsibility for data sharing, and preferably for other key members of staff. It should also contain procedures for including additional organisations in the data sharing arrangement and for dealing with cases where an organisation needs to be excluded from the sharing.
Are we sharing data along with another controller?
If you are acting with another controller as joint controllers of personal data, there is a legal obligation to set out your responsibilities in a joint control arrangement, under both the UK GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018. Although the code mainly focuses on data sharing between separate controllers, the provisions of a data sharing agreement could help you to put a joint control arrangement in place.
What data items are we going to share?
Your agreement should set out the types of data you are intending to share. This is sometimes known as a data specification. This may need to be detailed, because in some cases it will be appropriate to share only certain information held in a file about an individual, omitting other, more sensitive, material. In some cases it may be appropriate to attach ‘permissions’ to certain data items, so that only particular members of staff or staff in specific roles are allowed to access them; for example, staff who have received appropriate training.
What is our lawful basis for sharing?
You need to clearly explain your lawful basis for sharing data. The lawful basis for one organisation in a data sharing arrangement might not be the same as that for the other one.
If you are using consent as a lawful basis for disclosure, then your agreement should provide a model consent form. You should also address issues surrounding the withholding or retraction of consent.
You should also set out the legal power under which you are allowed to share the data.
Is there any special category data, sensitive data or criminal offence data?
You must document the relevant conditions for processing, as appropriate under the UK GDPR or the DPA 2018, if the data you are sharing contains special category data or criminal offence data under the UK GDPR, or there is sensitive processing within the meaning of Part 3 of the DPA 2018.
What about access and individual rights?
You should set out procedures for compliance with individual rights. This includes the right of access to information as well as the right to object and requests for rectification and erasure. You must make it clear in the agreement that all controllers remain responsible for compliance, even if you have processes setting out who should carry out particular tasks.
For example, the agreement should explain what to do when an organisation receives a request for access to shared data or other information, whether it is under the data protection legislation, or under freedom of information legislation. In particular, given data subjects can contact any controller involved in the sharing, it should make clear that one staff member (generally a DPO in the case of personal data) or organisation takes overall responsibility for ensuring that the individual can easily gain access to all their personal data that has been shared.
For joint controllers, Article 26 of the UK GDPR and section 58 of the DPA 2018 for Part 3 processing require you to state in the agreement which controller is the contact point for data subjects.
You will have to take decisions about access on a case-by-case basis.
For public authorities, the agreement should also cover the need to include certain types of information in your freedom of information publication scheme.
There are more details on individual rights under the UK GDPR/Part 2 of the DPA 2018 and under Part 3 of the DPA 2018 in the section of this code on the rights of individuals. There is also more information on Part 3 in the section in this code on law enforcement processing.
What information governance arrangements should we have?
Your agreement should also deal with the main practical problems that may arise when sharing personal data. This should ensure that all organisations involved in the sharing:
- have detailed advice about which datasets they can share, to prevent irrelevant or excessive information being disclosed;
- make sure that the data they are sharing is accurate, for example by requiring a periodic sampling exercise and data quality analysis;
- record data in the same format, abiding by open standards when applicable. The agreement could include examples showing how to record or convert particular data items, for example dates of birth;
- have common rules for the retention and deletion of shared data items, as appropriate to their nature and content, and procedures for dealing with cases where different organisations may have different statutory or professional retention or deletion rules;
- have common technical and organisational security arrangements, including the transmission of the data and procedures for dealing with any breach of the agreement in a timely manner;
- ensure their staff are properly trained and are aware of their responsibilities for any shared data they have access to;
- have procedures for dealing with access requests, complaints or queries from members of the public;
- have a timescale for assessing the ongoing effectiveness of the data sharing initiative and the agreement that governs it; and
- have procedures for dealing with the termination of the data sharing initiative, including the deletion of shared data or its return to the organisation that supplied it originally.
What further details should we include?
It is likely to be helpful for your agreement to have an appendix or annex, including:
- a summary of the key legislative and other legal provisions, for example relevant sections of the DPA 2018, any law which provides your legal power for data sharing and links to any authoritative professional guidance;
- a model form for seeking individuals’ consent for data sharing, where that is the lawful basis; and
- a diagram to show how to decide whether to share data.
You may also want to consider including:
- a data sharing request form; and
- a data sharing decision form.
You can find examples of these in the Annex to this code.
When should we review a data sharing arrangement?
You should review your data sharing arrangements on a regular basis; and particularly when a change in circumstances or in the rationale for the data sharing arises. You should update your data sharing agreement to reflect any changes. If there is a significant complaint, or a security breach, this should be a trigger for you to review the arrangement.