Data Sharing Agreements

If you share ‘personal data’ with any other organisation, it is good practice to have a data sharing agreement.

 

A data sharing agreement between the organisations sending and receiving personal data can form a major part of your compliance with the accountability principle enshrined in the Data Protection legislation, although it is not mandatory.  

 

The benefits of a data sharing agreement are as follows: 

 

  • Helps all organisations know what their role is. 
  • Lays out the purposes of the data sharing. 
  • Provides information on what processing is done to the data at each stage. 
  • Sets the standard of how the personal data should be handled. 

 

There is no set standard for what a data sharing agreement should look like. Generally, it will depend on the scale and complexity of the data being shared. Since the document is a set of common rules that links the organisations involved, it should be drafted in a clear and concise manner that is easy to understand.

 

Drafting a data sharing agreement will help you to comply with the Data Protection legislation, but it will not provide immunity from breaking the law. 

 

What should you include in a Data Sharing Agreement? 

 

The following list is a good starting point: 

 

  • Controller of the data at all stages. 
  • The specific aims of the sharing. 
  • Why the data sharing is required. 
  • The benefits it will provide. 
  • List all organisations involved. 
  • Whether another controller is involved.
  • What data is being shared e.g. name, address etc. 
  • The lawful basis for sharing the data. 
  • Whether any special category data is involved, including sensitive data or criminal offence data.
  • Who controls individual rights e.g. Subject Access requests. 
  • Any information governance required. 

 

As can be seen from the above, a Data Sharing Agreement is a comprehensive document which will help your organisation to share data safely.

 

If the data is being shared internationally, other steps may be required to ensure the safety of the personal data.