The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Data sharing agreements

You arrange and regularly review appropriate data sharing agreements with parties with whom you routinely share personal data.

Ways to meet our expectations:

  • You agree data sharing agreements with all the relevant parties and senior management sign them off.
  • The data sharing agreement includes details about:
    • the parties' roles;
    • the purpose of the data sharing;
    • what is going to happen to the data at each stage; and
    • the standards set (with a high privacy default for children).
  • Where necessary, procedures and guidance covering each organisation’s day-to-day operations support the agreements.
  • If your organisation is acting as a joint controller (within the meaning of Article 26 of the GDPR), you set out responsibilities under an arrangement or a data sharing agreement and you provide appropriate privacy information to individuals.
  • You have a regular review process to make sure that the information remains accurate and up to date, and to examine how the agreement is working.
  • You keep a central log of the current sharing agreements.

Can you answer yes to the following questions?

  • Are staff with sharing responsibilities aware of the process?
  • Is there contingency built into the process if something goes wrong or if people aren’t available to perform their role?
  • Would staff say the decision-making is maintained or appropriately delegated?