Data sharing agreements and protecting personal data – what do you need to know?

Data privacy digest series

The law

Data protection legislation governs the use of personal data. – i.e. data from which a living individual can be identified either by those data alone or by the use of those data and other data that is reasonably readily available.

There are potentially large fines and huge reputational harm that will be incurred by an organisation's failure to satisfy the requirements of data protection law.

Data sharing agreements

Therefore, when entering into agreements relating to the sharing and processing of any data that are personal, organisations should understand the respective roles and responsibilities under such arrangements between the party sharing the personal data and the party receiving them. A data controller determines the purpose and means of processing personal data, whereas a data processor acts on behalf of the controller under their instruction. For example, a business owner uses an online platform to manage their payroll – the owner controls the data and determines the purpose, whereas the online platform is simply processing the data under the controller's instruction.

A data sharing agreement is an agreement between two or more parties which governs the sharing of personal data between them. Such an agreement sets out what data is being shared, what the purpose of that sharing is, how the data is used and sets standards for the parties to adhere to.

Where the party intending to share the data (the "sharing party") with another party (the "receiving party") who wants to use the data for purposes that are different to that of the sharing party (the "other purpose"), the sharing party must ensure (among other things) that:

• it is lawfully entitled to share the data for such other purpose; and
• where the sharing of such data involves the transfer of data from one country to another, that appropriate terms are included in the data sharing agreement to protect and maintain adequately the rights of the individuals to whom the data relate (i.e. the 'data subjects') that such individuals enjoy under the data protection law, notwithstanding the transfer of their personal data to another country that has different personal data laws, otherwise it will be in breach of its duties under the data protection law.

In such cases, the sharing party and the recipient party are referred to as 'independent controllers' or as previously referred to as 'controllers in common' by the law because they are both 'controllers' in the eyes of the law in respect of the same data, but for different purposes. That is different to the situation where two or more parties are sharing and using the same personal data for the same purpose, in which case, depending on the circumstances, there will either be a relationship between those parties of 'controller to processor' or one of being 'joint controllers'. We don't explore those arrangements in this article, but mention only to help to distinguish the 'independent controller' situation from others in the data sharing context.

A data sharing agreement is also useful to reflect any commercial considerations that ought to be reflected in the data sharing agreement to address and protect the commercial and operational interests of the sharing party (as opposed to only its legal compliance requirements). For example, the data sharing agreement can also set out the obligations on the recipient party in the event of a data breach regarding the shared data and to provide payment terms and other responsibilities and obligations of the recipient party regarding the supply of such data.

From a legal compliance perspective, having the appropriate terms agreed between the parties in a data sharing agreement helps to evidence the sharing party's proactive compliance with the UK General Data Protection Regulation (UK GDPR) to its relevant stakeholders and regulators (e.g. the Information Commissioner's Office (ICO)).

From an operational risk management and 'good will' perspective, adopting appropriate data sharing agreements also demonstrates and gives reassurance to employees, customers, and other stakeholders of the organisation that it treats seriously and with due high regard the need to ensure its proper use of personal data.

Whilst it is not mandatory to have a data sharing agreement under the UK GDPR where the data sharing is between independent controllers in the same country, it is widely acknowledged that it is good practice to have one in place, for the reasons above.

NB: the UK GDPR requires that any transfer of data between parties on the basis of their being:

• 'joint controllers' (described briefly above) is governed by a 'transparent arrangement'; and
• in the case where the data sharing is between a controller and a processor, a data processing agreement is required under the GDPR regulations.

Key components of a data sharing agreement

Whilst there is no one size fits all approach and there is room for negotiation, a good data sharing agreement encompasses several key components to ensure clarity, accountability and compliance:

1. Parties: The data sharing agreement should clearly identify all the parties involved in the data sharing arrangement, specifying their roles (e.g., data controller, data processor) and responsibilities. For example, if a company shares customer data with a third-party marketing firm, the agreement should name the company as the data controller and the marketing firm as the data processor, outlining their respective obligations.
2. Purpose and scope: The agreement should explicitly state the purpose for which the data is being shared and the scope of the data involved. For instance, a hospital may share patient medical records with a research institution for a specific study on a particular disease, and the agreement should specify the exact types of data being shared (e.g., diagnosis, treatment history, test results) and the duration of the data sharing.
3. Lawful basis: Under the UK GDPR, data sharing must have a lawful basis, such as consent, legitimate interest, or legal obligation. The agreement should specify the lawful basis relied upon.
4. Special category data: If the data being shared includes sensitive information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation, the agreement should address the additional safeguards and requirements for processing such special category data.
5. Data security measures: The agreement should outline the technical and organisational measures that both parties will implement to ensure the confidentiality, integrity, and availability of the shared data. This could include encryption, access controls, secure data transfer protocols, and incident response procedures.
6. Data subject rights: The agreement should specify how data subject rights, such as the right to access, rectify, or erase personal data, will be handled. It should clarify which party is responsible for responding to data subject requests and the procedures for facilitating such requests. The agreement could state that the data controller will handle all data subject requests and the data processor must promptly assist with such requests.
7. Liability and indemnification: The agreement should address liability and indemnification clauses to allocate risk and responsibilities in case of data breaches, or other issues that may arise during the data sharing arrangement. This could include provisions for notifying the other party of incidents, cooperating in investigations, and indemnifying each other against certain losses or claims.

In today's digital age, where data flows at an unprecedented rate, ensuring your company's data sharing procedures are managed properly is critical. The ICO has the power to issue fines of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher, for any serious breaches of data protection principles. Our data protection specialists are able to advise on and assist with drafting data sharing agreements as well as data processing agreements, so if this something you feel we could assist you with, please speak to us.