Note: We use the words 'share' and 'transfer' interchangeably in this blog.
Data sharing has become a fundamental part of business practice. Sharing data enables organisations to make full use of it as a core resource and draw new insights from existing datasets. But it also introduces legal and governance risks.
The sharing of data other than personal data (e.g. financial performance data or sales projections) is typically covered by tight non-disclosure agreements containing many of the commercial provisions covered below (see Other terms to include).
However, when it comes to sharing 'personal data' (which is "any information relating to an identified or identifiable natural person") with another organisation, or with another arm of your own organisation, you should be thinking about the legal implications of doing so. There are pretty strict rules to take into account when drafting.
The accountability principle under the General Data Protection Regulation (GDPR) specifies that "the controller shall be responsible for, and be able to demonstrate compliance with" data protection law. You should, therefore, conduct appropriate due diligence before undertaking any data sharing in order to comply with this principle and also as part of a prudent risk management approach.
You should decide at the conclusion of that assessment whether a data sharing agreement should be entered into between the recipient and the discloser. In some circumstances, you may be required by law to enter into a data sharing agreement – we cover this in more detail below. However, in general, the more risk that attaches to a data sharing arrangement, the more reason there is to have a contract.
Why have a data sharing agreement?
Organisations have a variety of reasons for entering into data sharing agreements, including a need to demonstrate compliance, a desire to ensure procedural clarity (e.g. which party will respond to data subjects exercising their data protection rights) and in order to apportion liability for any financial loss relating to data.
You should first establish the role of the party making the transfer: is that party a data 'controller' or a data 'processor'? The 'controller' is the organisation that "determines the purposes and means of the processing of personal data". In contrast, a 'processor' is an organisation that processes personal data "on behalf of" (i.e. in accordance with the instructions of) a controller.
Controller-to-Processor: Data protection laws specify that the sharing of data by a controller with a processor must be under a contract and that specific clauses must be included in that contract. We explain this further below.
Controller-to-Controller: The view of the Information Commissioner's Office (the ICO, the UK's data protection regulator) is that it is good practice to have a data sharing agreement, particularly from the perspective of ensuring that individuals' data protection rights are respected. Entering into a data sharing agreement, where appropriate, demonstrates accountability and a controller's acknowledgement of its responsibility under the GDPR. Additionally, organisations often want to manage the legal risks of data sharing. Factors that may be relevant to those risks include:
- the type of data being shared (is it 'special category personal data' such as health data?);
- the regularity and volume of the data being shared (a low volume, one-off transfer or ongoing sharing?);
- the relationship between the parties (are discloser and recipient in the same corporate group?); and
- whether the transfer is from inside to outside the European Economic Area ('EEA').
What should a data sharing agreement include?
Controller-to-Processor: GDPR Article 28 specifies that the sharing of data by a controller with a processor can only take place under a binding legal document that sets out:
- the subject-matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data being processed and the categories of data subjects;
- that the processor:
  - processes the data only on the controller's documented instructions;
  - ensures that only people who are under confidentiality obligations access the data;
  - ensures that appropriate security measures are taken to protect the data;
  - only appoints sub-processors or transfers data outside the EEA with the controller's permission and via an agreement meeting the GDPR's requirements;
  - assists the controller with meeting its obligations, such as responding to data subjects exercising their rights and undertaking Data Protection Impact Assessments ('DPIAs');
  - deletes or returns the data to the controller at the end of the relationship; and
  - shares information about, and allows the controller to audit, the processor's compliance.
Controller-to-Controller: Unlike under controller-to-processor arrangements, the contents of a data sharing agreement between controllers are not prescribed by law. Controllers are therefore free to decide what to include (and in fact whether to have one at all).
That said, the ICO considers it good practice for controllers to have a data sharing agreement in place. And of course it makes good commercial sense to regulate in writing the legal intention of the parties, to avoid any misinterpretation. Typical provisions of controller-to-controller agreements set out:
- the purpose of the data sharing;
- whether the organisations are acting as Joint Controllers, i.e. "jointly determining the purposes and means of processing" (if so, Article 26 GDPR specifies mandatory provisions);
- what data is being shared;
- the lawful basis for the sharing (including for any Special Category Personal Data);
- procedures for compliance with individual rights; and
- information governance arrangements (e.g. agreed rules for data retention and deletion).
You may also need to include additional protections, such as the European Commission's Standard Contractual Clauses, if the data recipient (controller or processor) is outside the European Economic Area. We examine the data protection implications of the UK leaving the EU here.
Many organisations also include provisions dealing with their respective liability for data-related financial loss and warranties as to the quality and reliability of the data. It is worth bearing in mind the GDPR's 'statutory indemnity' at Article 82(5) for individuals' claims for compensation when negotiating terms of this kind.
The ICO has issued a draft Data Sharing Code of Practice (published as a PDF document) for controller-to-controller sharing arrangements. The types of situations it covers are:
- a reciprocal or one-way exchange of data between organisations;
- an organisation providing another organisation with access to personal data on its IT system for a specific research purpose;
- one or more organisations providing data to a third party or parties;
- several organisations pooling information and making it available to each other;
- several organisations pooling information and making it available to a third party or parties;
- data sharing on a routine, systematic basis for an established purpose;
- one-off, exceptional or ad hoc data sharing; and
- one-off data sharing in an urgent or emergency situation.
The draft Code states that the data sharing agreement should explain why the data sharing initiative is necessary, the specific aims you have, and the benefits you hope to bring to individuals or to society more widely. The ICO expects parties to address each of the issues above, as well as having an appendix to deal with the following items:
- a summary of the key legislative provisions, for example relevant sections of the DPA, any legislation which provides your legal power for data sharing and links to any authoritative professional guidance;
- a model form for seeking individuals' consent for data sharing; and
- a diagram to show how to decide whether to share data.
Other terms to include
The parties to a data sharing agreement (irrespective of the controller/processor distinction) should also consider the commercial factors around the data sharing arrangements, and cater for each of the following items:
- the start date and duration of the agreement;
- in what circumstances the agreement comes to an end, including expiry and early termination;
- what happens to the data on termination – the recipient should give assurances around non-retention / destruction of copies held;
- what assurances the supplier gives as to the accuracy of the data;
- who is responsible for updating / making error corrections to data;
- confidentiality and security provisions – if data can be shared with third parties / resold, what provisions govern the onward transfer;
- charging provisions, if any;
- how disputes are dealt with; and
- governing law and jurisdiction.
Changing legislation and individual expectations mean that organisations must continually strive to strike the right balance between respecting individual rights and utilising data to its fullest potential.
The risk profile of using data has changed since the GDPR's implementation, and data sharing agreements are a way of managing an organisation's exposure to those risks. As a result, organisations of all kinds are increasingly formalising their internal and external data sharing arrangements.
The best way of addressing this change is to integrate an assessment of data sharing into your procurement function (however formal or informal that function may be), ensuring that any need for a data sharing agreement can be identified early so that, if needed, legal advice can be obtained in good time.