The data sharing code recommends that organisations sharing and receiving data enter into a data sharing agreement. Although not mandatory under the UK GDPR, we think it is good practice. A data sharing agreement provides a number of benefits, including:
- certainty for the organisations about their roles;
- clarity about the data they are sharing; and
- clear processes and standards.
A data sharing agreement is likely to form a binding contract between the organisations that are parties to it. We are aware of some concerns about the implications in contract law of terms in commercial data sharing agreements. The concerns are around the implications for an organisation if a term in the contract, such as the lawful basis, changes during the course of the agreement, possibly leading to a breach of contract. We have heard of concerns that this might give rise to a claim against that organisation, even if the data sharing remains compliant with the data protection legislation. These issues might also apply if the organisations agreed to incorporate the data sharing agreement into a wider commercial contract.
Requirement to record lawful basis
It’s important to note again that it is not mandatory in data protection law to have a data sharing agreement. However, you must record your decision on the lawful basis you’re using, in order to demonstrate compliance and accountability. A data sharing agreement is the ideal location for that.
If you change your lawful basis, our guidance explains what you need to do. This includes informing the individual data subjects and documenting the change.
Review the data sharing agreement regularly, amending as needed
If the lawful basis changes, you should reflect this as an amendment to the terms of the data sharing agreement. This falls under the usual procedure for variation of contract.
A change of lawful basis is just one example that would require an update to the agreement; any other changes would also need an update. A data sharing agreement is a ‘living document’ that should reflect the current position.
It is good practice for the organisations covered by a data sharing agreement to:
- keep it under regular review; and
- amend it as needed.
The data sharing code emphasises this point:
“You should review your data sharing arrangements on a regular basis; and particularly when a change in circumstances or in the rationale for the data sharing arises. You should update your data sharing agreement to reflect any changes.”
We consider that regularly reviewing the data sharing agreement and updating it to reflect any changes is appropriate and practical. You should do this to handle a change to the terms of the agreement, such as changing your lawful basis.
However, we set out more options below if you are still concerned about contractual liability. Organisations should seek their own legal advice for their particular circumstances.
As long as organisations ensure they comply with the UK GDPR, they could:
- consider including more than one appropriate lawful basis in the agreement from the outset and set out this decision; or
- consider using an appropriately tailored contractual liability limitation clause.
We take a proportionate approach to regulation. The data sharing code states:
“Drafting and adhering to a data sharing agreement should help you to comply with the law, but it does not provide immunity from breaching the law or from the consequences of doing so. However, the ICO will take into account the existence of any relevant data sharing agreement when assessing any complaint we receive about your data sharing.”
Some organisations may worry about the risk of regulatory action if they do not follow our recommendations about data sharing agreements. This concern is unfounded, as long as organisations can demonstrate their compliance with data protection law in some other way.