
Data Sharing Agreements – Process & Implementation

Introduction

Organizations frequently engage in data sharing as part of their business processes. However, improper handling of shared data can pose significant risks—not only to individuals’ privacy but also to the organization’s business objectives.

This post highlights key considerations that organizations should evaluate before formalizing a Data Sharing Agreement (DSA) to ensure compliance, security, and accountability. It walks you through the steps to create a GDPR-compliant DSA, with examples along the way.


1. Define the Purpose and Scope of Data Sharing

Answer the following questions and compile your responses. The following considerations will help you frame the purpose and scope of the Data Sharing Agreement. Write in clear and precise terms so that everyone involved understands how the data can be shared and used.

1.1 Why the data needs to be shared

Organizations should critically evaluate whether data sharing is truly necessary by asking:

“What if we don’t share the data with another party?”

This question helps assess:

  • Necessity – Is sharing the data essential to achieving the intended outcome, or are there alternative ways to achieve it without sharing?
  • Risks vs. Benefits – Does the benefit of sharing outweigh the risks (e.g., privacy concerns, compliance issues, data security threats)?
  • Legal & Ethical Considerations – Are there any legal or ethical reasons that require or restrict data sharing?

How to Apply This Question in Decision-Making:

  • If the goal is regulatory compliance, would not sharing the data lead to legal consequences?
  • If the purpose is research, could anonymized or synthetic data be used instead of actual personal data?
  • If the data is for service improvement, could the organization achieve the same results using internal analytics rather than sharing data externally?

By answering this question, organizations ensure that data is shared only when truly necessary, aligning with principles like Data Minimization and Privacy by Design.

1.2 What data will be shared

Break data into types and assess if each is necessary:

  • Essential Data: Must be shared (e.g., diagnosis data for a research study).
  • Conditional Data: May be shared with safeguards (e.g., pseudonymized employee records for workforce analytics).
  • Unnecessary Data: Should not be shared (e.g., personal addresses for a general demographic study).

Example: For a clinical trial, the shared data could be:

  • Essential: Medical history relevant to the study.
  • Conditional: Genetic data (with specific approvals).
  • Unnecessary: Contact details or unrelated diagnoses.

Scenario: Healthcare Data Sharing for Research (GDPR & HIPAA Compliance)

A hospital (Data Controller) plans to share patient data with a research institute for a study on heart disease.

  • Legal Requirement Under GDPR (EU)
    • Purpose Justification: The hospital must establish a lawful basis for sharing data (GDPR Article 6).
    • Special Category Data Handling: Health data is sensitive personal data (GDPR Article 9) and requires additional safeguards.
    • Minimization & Consent: If patient consent is required, it must be informed, specific, and explicit.
    • Safeguards: Pseudonymization or anonymization should be applied where possible.
  • Legal Requirement Under HIPAA (US)
    • De-identification: If Protected Health Information (PHI) is shared, HIPAA requires either patient consent or data de-identification (removing 18 HIPAA identifiers).
    • Business Associate Agreement (BAA): If the research institute is a third party, a BAA is required to define roles and responsibilities.

Correct Approach (Compliant)

  • The hospital ensures legal review, anonymizes data where possible, and obtains explicit patient consent where required.
  • A Data Sharing Agreement (DSA) is signed, defining security measures and compliance.

Incorrect Approach (Non-Compliant)

  • The hospital assumes the research study falls under “public interest” and shares identifiable patient records without consent or anonymization.
  • Risk: Violates GDPR/HIPAA, leading to legal penalties and potential data breach liabilities.

Scenario: HR Data Sharing for Background Checks

A company shares employee background data with a third-party vendor for pre-employment screening.

🔹 Omission:

  • The company forgets to verify the vendor’s compliance with GDPR/CCPA.
  • Employee consent is not explicitly obtained for sharing their criminal record history (special category data under GDPR).
  • Data Retention: The agreement does not specify how long the vendor can keep the data.

Legal Risk:

  • GDPR Violation: Employee consent was required but not obtained.
  • CCPA Violation: Employees were not informed of third-party data sharing.
  • Outcome: Possible fines, lawsuits, and reputational damage.

How to Fix:

  • Explicitly obtain employee consent for background checks.
  • Conduct a vendor compliance check (does the vendor follow GDPR/CCPA?).
  • Define data retention policies in the agreement.

2. Identifying Organizations Involved in Data Sharing

When drafting a Data Sharing Agreement (DSA), it is crucial to clearly define all the organizations that will participate in data sharing. This ensures transparency, accountability, and compliance with data protection laws.

2.1. Types of Organizations Involved in Data Sharing

Depending on the nature of data sharing, the agreement should specify the roles of various entities:

(a) Data Controllers

  • Definition: Organizations that determine the purpose and means of processing personal data.
  • Example:
    • A hospital (Controller) shares patient health records with a research institute for a clinical study. The hospital decides which data is shared and under what conditions.

(b) Data Processors

  • Definition: Organizations that process data on behalf of a Data Controller.
  • Example:
    • A bank (Controller) outsources its customer identity verification to a third-party service provider (Processor), which performs identity checks using shared data.

(c) Data Sub-Processors

  • Definition: Entities engaged by a Processor to process data further.
  • Example:
    • A cloud storage provider (Processor) hosting financial data might subcontract encryption services to another company (Sub-Processor).

(d) Data Recipients

  • Definition: Organizations receiving data without processing obligations but for specific purposes.
  • Example:
    • A government regulatory body receives anonymized financial transaction data from banks for fraud detection.

2.2 Key Contact Details in the Agreement

The agreement should include:

  • Data Protection Officer (DPO) or designated compliance officer details.
  • Key personnel responsible for data handling, security, and breach response.

Example Clause:
“Each participating organization shall designate a Data Protection Officer (DPO) or equivalent representative responsible for ensuring compliance with this agreement. The DPO’s contact information must be provided and updated as needed.”


2.3 Procedures for Adding or Removing Organizations

The agreement should outline:

  • How new parties can be included in the data-sharing arrangement.
  • Conditions under which an organization may be excluded (e.g., non-compliance with security standards, contract violations).
  • Approval mechanisms for onboarding new data processors or recipients.

Example:

  • If a research institute wants to collaborate with an additional university for a study, it must seek approval from the original Data Controller (e.g., a hospital).
  • If a third-party marketing agency mishandles shared customer data, it may be excluded from the agreement.

2.4 Practical Example of an Agreement Clause

“If an additional organization wishes to participate in the data sharing arrangement, they must submit a formal request outlining their purpose, compliance measures, and security protocols. Approval will be granted only if they meet the agreed-upon data protection standards. Any organization found to be in violation of these standards may be removed from the agreement immediately.”

By including these details in a Data Sharing Agreement, organizations can ensure clarity, compliance, and accountability in data exchange arrangements.


3. What Data Items Are We Going to Share?

The data specification outlines the categories and specific data items being shared, which is necessary to ensure the parties involved understand exactly what data is being transferred and how it will be used. This can include anything from customer information to internal project data.

Example:

A tech startup focused on developing a new AI-based application may need to share data with a third-party service provider for analysis or integration. The startup must identify and list the exact types of data to be shared, such as:

  • Customer Information: Name, email, and phone number of users who signed up for their platform.
  • Behavioral Data: Information on how users interact with the app, such as page views, clicks, or time spent in the application.
  • Transaction Data: Purchase history of customers (if the app includes an in-app purchase function).

The startup must specify if only certain data points are needed and omit others. For example, if the third-party service does not require a customer’s phone number, it should be excluded from the shared data to minimize risk and protect privacy.

3.1. Sensitive Data and Its Protection

In many cases, not all data in a file needs to be shared. Sensitive information (such as financial details, medical records, or passwords) should be handled carefully. The agreement should specify which data is excluded from the sharing agreement, or if it’s shared, what protections need to be in place.

Example:

If the startup collects detailed user profiles, it might not need to share certain sensitive fields like “Social Security Number” or “Payment Information” with an analytics provider. The startup might decide to share only anonymized user behaviors and engagement data, excluding sensitive financial details.

The agreement should also specify what actions should be taken if sensitive data is to be shared, such as encryption or pseudonymization, to protect user privacy.

3.2. Permissions and Role-Based Access

It is vital to set permissions on who can access and handle the shared data. In a tech startup, this typically involves limiting access to certain roles within the company or the partner organization, based on the principle of least privilege.

Example:

Let’s say a startup is collaborating with an external vendor to perform security assessments on its application. The data shared with the vendor might include customer email addresses for testing login mechanisms. The DSA could specify:

  • Only security engineers or data privacy officers within the vendor’s team are permitted to access email addresses.
  • The emails should not be accessible to vendors’ sales or marketing teams.

Additionally, the agreement could require that only staff who have undergone specific data privacy and security training are allowed to access sensitive data, ensuring that only qualified personnel handle it.
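The field-level minimization of section 3, the exclusion or pseudonymization of sensitive fields in 3.1, and the role gate of 3.2 can be enforced in the export step itself rather than left to good intentions. The following is an added example written for this guide, not code from the original post or from any real startup: the field names, the roles, the agreement specification and the HMAC key are all assumptions. The controller keeps the key, so the vendor sees a stable e-mail token it cannot reverse, and roles outside the agreed list (or staff without the required training) are refused before any record is projected.

```python
"""Enforce a Data Sharing Agreement on the way out of the controller.

Added example, not code from the original post. The field names, the roles,
the DSA spec and the HMAC key below are assumptions made for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DataSharingSpec:
    shared_fields: tuple             # the only fields allowed to leave, in output order
    pseudonymized_fields: frozenset  # shared only as a keyed token, never raw
    excluded_fields: frozenset       # sensitive fields that must never appear in output
    allowed_roles: frozenset         # roles named as recipients in the agreement
    field_roles: dict = field(default_factory=dict)  # field -> subset of roles that may see it
    requires_training: bool = True   # staff must have completed privacy/security training

    def __post_init__(self):
        overlap = set(self.shared_fields) & self.excluded_fields
        if overlap:  # contradictory agreement text: fail before any data moves
            raise ValueError(f"fields both shared and excluded: {sorted(overlap)}")


class AccessDenied(PermissionError):
    """Raised when the requester is not entitled to the dataset under the agreement."""


def pseudonymize(value, key: bytes) -> str:
    """Keyed HMAC-SHA256 token, truncated for readability.

    The controller keeps `key`, so the recipient cannot reverse the token or
    build tokens for other people, but the same input always yields the same
    token, which keeps the data usable for joins. Input is normalised so that
    'Alice@Example.com' and 'alice@example.com' map to one token.
    """
    normalised = str(value).strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def visible_fields(spec: DataSharingSpec, requester: dict) -> list:
    """Fields this requester's role may receive, after the role and training gates."""
    role = requester.get("role")
    if role not in spec.allowed_roles:
        raise AccessDenied(f"role {role!r} is not a recipient under this agreement")
    if spec.requires_training and not requester.get("privacy_training_complete", False):
        raise AccessDenied(f"role {role!r} has not completed the required training")
    # A field with no per-field restriction is visible to every allowed role.
    return [f for f in spec.shared_fields if role in spec.field_roles.get(f, spec.allowed_roles)]


def prepare_shared_dataset(records, spec, requester, key):
    """Project each record onto the agreed fields and tokenise the pseudonymised ones."""
    fields = visible_fields(spec, requester)
    rows = []
    for rec in records:
        row = {}
        for name in fields:
            if name not in rec:
                continue  # missing field: nothing to share, nothing to invent
            row[name] = pseudonymize(rec[name], key) if name in spec.pseudonymized_fields else rec[name]
        rows.append(row)
    return rows


def audit_output(rows, spec) -> list:
    """Post-export check: any excluded field present in the output is a defect."""
    present = {name for row in rows for name in row}
    return sorted(present & spec.excluded_fields)


# Constructed sample data; these are not real people, numbers or cards.
SAMPLE_RECORDS = [
    {"user_id": 1001, "name": "Alice Example", "email": "Alice@Example.com",
     "phone": "+00 000 000 0001", "ssn": "000-00-0001",
     "payment_card": "0000 0000 0000 0001", "page_views": 42},
    {"user_id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "phone": "+00 000 000 0002", "ssn": "000-00-0002",
     "payment_card": "0000 0000 0000 0002", "page_views": 7},
]

# Assumed agreement: behaviour analytics, e-mail only as a token, and only for two roles.
DSA = DataSharingSpec(
    shared_fields=("user_id", "email", "page_views"),
    pseudonymized_fields=frozenset({"email"}),
    excluded_fields=frozenset({"phone", "ssn", "payment_card"}),
    allowed_roles=frozenset({"security_engineer", "data_privacy_officer", "sales"}),
    field_roles={"email": frozenset({"security_engineer", "data_privacy_officer"})},
)
PSEUDONYM_KEY = b"placeholder-controller-secret"  # placeholder: keep the real key in a secrets store

if __name__ == "__main__":
    engineer = {"role": "security_engineer", "privacy_training_complete": True}
    for row in prepare_shared_dataset(SAMPLE_RECORDS, DSA, engineer, PSEUDONYM_KEY):
        print(row)
```

Run as a script it prints the two projected rows for a trained security engineer; a `sales` requester receives the same rows without the e-mail token, and a role not named in the agreement is refused. `audit_output` is the cheap post-export check worth wiring into the pipeline: if a phone number or card field ever appears in the output, the agreement and the code have drifted apart.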

3.4. Data Mapping for Achieving Secure Sharing

Data mapping is the process of identifying where and how data resides, which helps in ensuring the proper handling and sharing of data in compliance with the agreement. A strong data mapping process will help define the flow of data across different systems and stakeholders.

Example:

The tech startup may use a customer relationship management (CRM) system to store customer data and a data analytics platform for processing behavior data. A data map would visually represent how customer data flows from the CRM to the analytics platform, ensuring that only authorized data is shared and that it is securely handled in transit.

Additionally, data mapping can help identify and control which systems are involved in the sharing process, what specific data points are shared between each system, and whether any sensitive data is accidentally included.

Data mapping becomes crucial when the startup plans to expand its data-sharing network. By mapping the data, the startup can ensure compliance with laws like GDPR or CCPA while minimizing risks. For example, the mapping could reveal that customer data collected in Europe may need to be anonymized before sharing with a vendor outside the European Union to comply with cross-border data transfer regulations.

3.5 Importance of Data Mapping

Data mapping provides clarity on which data needs to be shared and ensures that it’s being transferred to the right entities securely and in compliance with regulations. For a startup, this helps:

  • Mitigate risk: Reduces the chance of sensitive data being unintentionally shared or mishandled.
  • Comply with regulations: Helps ensure that data-sharing practices meet legal standards such as GDPR or HIPAA.
  • Streamline data sharing: Helps identify the most efficient and secure ways to share data, preventing unnecessary or redundant data transfers.

By creating a data map, a startup ensures that it has a comprehensive understanding of where and how the data will be used and whether additional security measures (such as encryption or anonymization) are required for specific data points.
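A data map does not have to be a diagram; kept as structured data it can be checked automatically each time a system or flow is added, which is what makes the cross-border and "accidentally included" cases in sections 3.4 and 3.5 catchable. The block below is an added example written for this guide, not code from the original post: the systems, their countries, the flows, the approved category list, and the EU/EEA and adequacy sets (deliberately partial and illustrative) are all assumptions. Each flow is checked against the agreement's category list, transit encryption, pseudonymization of sensitive categories, and transfers out of the EEA without an adequacy decision or a transfer mechanism; a second function walks the map to list every system a category eventually reaches.

```python
"""A data map as code: systems, the flows between them, and a check of every
flow against the agreement. Added example, not from the original post; the
systems, countries, flows and approved categories are assumptions."""
from collections import deque
from dataclasses import dataclass

# Illustrative, partial country sets; check current adequacy decisions before relying on them.
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL", "PT", "SE"}
ADEQUACY = {"CH", "GB", "JP", "KR", "NZ"}
SENSITIVE = {"health", "biometric", "criminal_record", "payment_card"}


@dataclass(frozen=True)
class System:
    name: str
    owner: str     # organisation operating the system
    country: str   # two-letter country code (constructed)


@dataclass(frozen=True)
class Flow:
    source: str
    dest: str
    categories: frozenset                 # data categories carried, e.g. "email"
    anonymized: bool = False              # true anonymisation takes the flow out of scope
    safeguards: frozenset = frozenset()   # e.g. "encrypted_in_transit", "pseudonymized"
    transfer_mechanism: str = ""          # e.g. "SCC" for standard contractual clauses


def assess_flow(flow, systems, approved):
    """Return (code, detail) findings for one flow; an empty list means the flow is clean."""
    findings = []
    src, dst = systems[flow.source], systems[flow.dest]
    extra = flow.categories - approved
    if extra:
        findings.append(("category_not_in_agreement", sorted(extra)))
    if flow.anonymized:
        return findings  # no personal data, so the remaining checks do not apply
    if "encrypted_in_transit" not in flow.safeguards:
        findings.append(("unencrypted_transit", f"{flow.source}->{flow.dest}"))
    sensitive = flow.categories & SENSITIVE
    if sensitive and "pseudonymized" not in flow.safeguards:
        findings.append(("sensitive_not_pseudonymized", sorted(sensitive)))
    leaves_eea = src.country in EU_EEA and dst.country not in EU_EEA
    if leaves_eea and dst.country not in ADEQUACY and not flow.transfer_mechanism:
        findings.append(("cross_border_without_mechanism", dst.country))
    return findings


def assess_map(systems, flows, approved):
    """Check every flow in the map; keys are 'source->dest'."""
    return {f"{f.source}->{f.dest}": assess_flow(f, systems, approved) for f in flows}


def systems_reached_by(flows, category, start):
    """Every system that ends up holding `category` (in identifiable form) starting from `start`."""
    reached, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for f in flows:
            if (f.source == node and category in f.categories
                    and not f.anonymized and f.dest not in reached):
                reached.add(f.dest)
                queue.append(f.dest)
    return reached


# Constructed map for an assumed startup: CRM in Germany, analytics in Ireland,
# a vendor data warehouse in the US, and an internal support tool.
SYSTEMS = {s.name: s for s in [
    System("crm", "startup", "DE"),
    System("analytics", "startup", "IE"),
    System("vendor_dw", "VendorCo", "US"),
    System("support_tool", "startup", "DE"),
]}
FLOWS = [
    Flow("crm", "analytics", frozenset({"email", "page_views"}),
         safeguards=frozenset({"encrypted_in_transit", "pseudonymized"})),
    Flow("analytics", "vendor_dw", frozenset({"email", "page_views", "payment_card"}),
         safeguards=frozenset({"encrypted_in_transit"})),
    Flow("crm", "support_tool", frozenset({"email", "phone"}),
         safeguards=frozenset({"encrypted_in_transit"})),
]
APPROVED = frozenset({"email", "page_views", "phone"})

if __name__ == "__main__":
    for edge, findings in assess_map(SYSTEMS, FLOWS, APPROVED).items():
        print(edge, findings or "ok")
    print("systems holding email:", sorted(systems_reached_by(FLOWS, "email", "crm")))
```

On the constructed map the CRM-to-analytics flow passes, while the analytics-to-vendor flow raises three findings at once: a category the agreement never approved (`payment_card`), a sensitive category sent without pseudonymization, and a transfer out of the EEA with no adequacy decision and no transfer mechanism. The reachability walk is what answers "which systems are involved": it shows the vendor receives e-mail addresses even though the startup only ever agreed the CRM-to-analytics hop with it in mind.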


4. Lawful basis of sharing data

Before sharing data, it’s important to have a lawful reason for doing so. This means there must be a legal justification that explains why the data is being shared. The reason might be different for each organization involved in the data-sharing process.

Common Lawful Bases for Sharing Data (with Examples)

  1. Consent – The person gives clear permission for their data to be shared.
    • Example: A fitness app asks users if they agree to share their activity data with a third-party health analytics company. The app provides a consent form that explains what data will be shared and allows users to opt-out anytime.
  2. Contract – Data is shared because it is necessary to fulfill a contract.
    • Example: A rideshare company shares a driver’s location and phone number with a customer because it is required to complete the ride service.
  3. Legal Obligation – Data must be shared because the law requires it.
    • Example: A financial technology startup must share certain customer transaction details with tax authorities to comply with financial regulations.
  4. Legitimate Interest – Data sharing is necessary for business operations and does not override individuals’ rights.
    • Example: An e-commerce company shares customer purchase history with a fraud detection service to prevent fraudulent transactions.
  5. Public Task – The data is shared for public interest purposes.
    • Example: A government health department shares disease outbreak data with research institutions to help track and prevent the spread of infections.

If Using Consent, What Should Be Included?

If data is shared based on consent, the agreement should include:
✔ A consent form that clearly explains what data is shared, why, and with whom.
✔ A way for people to withdraw their consent at any time.

💡 Example: A meditation app allows users to share their sleep data with a wellness coach. The app provides an easy “Revoke Consent” button in settings, so users can stop sharing their data whenever they want.

Legal Power to Share Data

Your agreement should also mention the legal authority that allows data sharing. This could be based on laws like:

  • GDPR (General Data Protection Regulation) in Europe
  • CCPA (California Consumer Privacy Act) in the U.S.
  • Industry-specific regulations (e.g., HIPAA for healthcare data)

💡 Example: A healthcare startup handling patient records must ensure that its data-sharing practices comply with HIPAA in the U.S. or GDPR in Europe.


5. Individual Rights vs Data Sharing Agreement

When sharing data, organizations must have clear procedures for handling individual rights under data protection laws. These rights include:

  • Access to information (knowing what data is held)
  • The right to object (disagreeing with data processing)
  • Requests for rectification (correcting inaccurate data)
  • Requests for erasure (deleting personal data)

It is important that all organizations involved in data sharing remain responsible for complying with these rights, even if one organization handles requests on behalf of others.


Handling Requests for Access, Rectification, and Erasure

📌 Example 1: Right of Access (Subject Access Request – SAR)

A fitness tracking app shares user data with a third-party health analytics company. A user wants to know what personal data is being shared.
✅ The agreement should state who handles the request.
✅ If the user contacts the fitness app, but the data is stored by the analytics company, there must be a process to retrieve the data from all relevant parties.
✅ A Data Protection Officer (DPO) or a dedicated staff member should ensure the user gets a full response.

📌 Example 2: Right to Rectification

A customer of an online payment service notices an incorrect address in their records, which is shared with fraud detection partners.
✅ The agreement must explain how corrections are made across all organizations.
✅ If the payment service updates the record, they must inform the fraud detection partner to ensure accuracy across all systems.

📌 Example 3: Right to Erasure (“Right to be Forgotten”)

A former user of a social media platform requests that their data be deleted.
✅ If the platform has shared user data with marketing agencies, the agreement must ensure those agencies delete the data as well.
✅ Some data may need to be kept for legal reasons (e.g., transaction records for financial compliance), which must be explained to the user.
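The three examples above share one mechanic: whichever organization a user contacts, a designated handler must find every party that received the subject's data, fan the request out, and explain to the user anything a party is legally obliged to keep. The block below is an added example written for this guide, not code from the original post: the party names, the sharing register and the legal-hold categories are assumptions. It turns an access, rectification or erasure request into a per-party action plan, carving legally retained categories out of an erasure and recording the explanation owed to the user.

```python
"""Route a data-subject request to the designated handler and fan it out to
every party that received the subject's data. Added example, not from the
original post; parties, the sharing register and legal-hold rules are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"
    RECTIFY = "rectify"
    ERASE = "erase"


@dataclass(frozen=True)
class SharingRecord:
    """One entry in the controller's register of what was shared with whom."""
    subject_id: str
    sender: str
    recipient: str
    categories: frozenset


@dataclass
class PartyAction:
    party: str
    action: str                 # "disclose", "correct" or "delete"
    categories: set
    retained: set = field(default_factory=set)  # kept under a legal retention obligation
    reason: str = ""


@dataclass
class RequestPlan:
    handler: str                # organisation designated in the DSA to coordinate
    received_by: str            # organisation the user actually contacted
    actions: list
    user_explanation: str


# Assumed: categories a party must keep for a statutory period even after an erasure request.
LEGAL_HOLD = {
    "platform": frozenset({"transaction_records"}),
    "payments_partner": frozenset({"transaction_records"}),
}


def parties_holding(register, subject_id):
    """Map each party that holds the subject's data to the categories it holds."""
    holdings = {}
    for rec in register:
        if rec.subject_id != subject_id:
            continue
        holdings.setdefault(rec.sender, set()).update(rec.categories)
        holdings.setdefault(rec.recipient, set()).update(rec.categories)
    return holdings


def plan_request(req: RequestType, subject_id, received_by, register, handler):
    """Build the per-party actions and the explanation the handler owes the user."""
    actions, hold_notes = [], []
    for party, cats in sorted(parties_holding(register, subject_id).items()):
        if req is RequestType.ERASE:
            hold = cats & LEGAL_HOLD.get(party, frozenset())
            actions.append(PartyAction(party, "delete", cats - hold, set(hold),
                                       reason="legal retention obligation" if hold else ""))
            if hold:
                hold_notes.append(f"{party} must keep {sorted(hold)} to meet a legal retention obligation")
        elif req is RequestType.RECTIFY:
            actions.append(PartyAction(party, "correct", set(cats)))
        else:
            actions.append(PartyAction(party, "disclose", set(cats)))
    explanation = (f"Request received by {received_by}; {handler} coordinates "
                   f"the {req.value} response across {len(actions)} parties.")
    if hold_notes:
        explanation += " " + "; ".join(hold_notes) + "."
    return RequestPlan(handler, received_by, actions, explanation)


# Constructed register: a social platform shared one user's data with two partners.
REGISTER = [
    SharingRecord("u-42", "platform", "marketing_agency", frozenset({"email", "interests"})),
    SharingRecord("u-42", "platform", "payments_partner", frozenset({"email", "transaction_records"})),
    SharingRecord("u-77", "platform", "marketing_agency", frozenset({"email"})),
]

if __name__ == "__main__":
    plan = plan_request(RequestType.ERASE, "u-42", "marketing_agency", REGISTER, "platform")
    for a in plan.actions:
        print(a)
    print(plan.user_explanation)
```

Here the user wrote to the marketing agency, but the plan is coordinated by the platform named as handler in the agreement. The agency is told to delete everything it holds, while the payments partner and the platform delete the e-mail address but retain transaction records, and the user explanation states that exception in plain terms rather than leaving the user to discover it.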


Who is Responsible for Responding to Requests?

Since users can contact any organization involved in data sharing, the agreement must specify:

  • Which organization handles requests (e.g., the original data controller or a designated point of contact).
  • How requests are forwarded and processed when multiple organizations are involved.
  • Who ensures full compliance (usually a Data Protection Officer or designated staff member).

🔹 For Joint Controllers

Under Article 26 of UK GDPR, if two or more organizations jointly control the data, the agreement must clearly state which controller is the main contact for users.

💡 Example: A ride-hailing app and its payment processor jointly manage user payment data. The agreement should specify whether the app or the payment processor handles data access requests.


Access and Public Authorities

For government agencies or public bodies, the agreement must also cover:

  • Freedom of Information (FOI) requests – ensuring transparency about what data is shared.
  • Publication schemes – proactively making certain data available to the public.

💡 Example: A local council shares housing data with a government agency. If a citizen requests information under FOI laws, the agreement should clarify which authority responds.


6. Information Governance Arrangements in Data Sharing

When sharing data, organizations need clear rules to handle practical issues that may arise. This ensures that shared data is accurate, secure, and properly managed. Below are key governance arrangements, explained with real-world tech startup examples.


6.1. Clear Rules on What Data Can Be Shared

Why? Prevents irrelevant or excessive data from being disclosed.
💡 Example: A healthtech startup sharing patient data with a research lab must specify that only anonymized medical history is shared, not personal identifiers like names or addresses.


6.2. Ensuring Data Accuracy

Why? Incorrect data can lead to bad decisions and poor user experience.
✅ Use data quality checks, like periodic sampling and validation.

💡 Example: A fintech company shares credit scores with loan providers. A periodic data audit ensures that scores are updated and errors (e.g., incorrect late payments) are corrected.


6.3. Standardizing Data Formats

Why? Different formats can cause errors or system incompatibilities.
✅ Organizations should use common data formats or convert data when needed.

💡 Example: A recruitment platform shares candidate profiles with hiring companies. To avoid mismatches, all profiles must use the same date format (DD/MM/YYYY or MM/DD/YYYY) and standardized job title categories.


6.4. Retention and Deletion Rules

Why? Different companies may have different legal requirements for how long data should be stored.
✅ The agreement should define how long shared data is kept and when it must be deleted.

💡 Example: A ride-sharing app keeps driver location data for 12 months, while its insurance partner keeps accident data for 5 years. The agreement must define when shared data should be deleted by each party.


6.5. Security Measures & Breach Handling

Why? Data must be protected from leaks, hacks, or unauthorized access.
✅ The agreement should outline:

  • How data is transmitted (e.g., encryption, VPNs).
  • Access controls (e.g., role-based permissions).
  • What happens if there is a data breach (e.g., reporting timelines, investigation procedures).

💡 Example: A cloud storage provider shares client files with a third-party AI service. If a security breach occurs, the agreement should state that affected clients must be notified within 24 hours, and the breach should be investigated immediately.


6.6. Staff Training & Awareness

Why? Employees handling shared data must understand their responsibilities.
✅ Organizations should provide regular training on:

  • How to handle shared data securely
  • What to do in case of data breaches
  • Privacy laws and compliance (e.g., GDPR, CCPA)

💡 Example: A customer support team at a SaaS company accesses shared user data from a CRM platform. Training ensures they only view necessary details and do not download or share sensitive information.


6.7. Handling User Requests & Complaints

Why? Users have the right to request, correct, or delete their data.
✅ The agreement must define who handles user requests and how complaints are managed.

💡 Example: A fitness app shares user workout data with a coaching platform. If a user wants to delete their data, the agreement should state:

  • The fitness app receives the request.
  • The coaching platform must delete the data within 30 days.

6.8. Reviewing the Effectiveness of the Data-Sharing Agreement

Why? Ensures the agreement remains useful and compliant over time.
✅ Set review timelines (e.g., every 6 or 12 months) to assess:

  • Is data being shared correctly and securely?
  • Are updates needed for legal compliance or efficiency?

💡 Example: A healthtech startup reviews its data-sharing agreement with hospitals every 6 months to ensure compliance with new health data regulations.


6.9. Handling Termination of Data Sharing

Why? When a partnership ends, data must be properly deleted or returned.
✅ The agreement should specify:

  • How shared data is erased (e.g., secure deletion methods).
  • If data should be returned to the original provider.

💡 Example: A marketing agency stops working with an e-commerce company. The agreement should ensure that all customer data held by the agency is deleted within 30 days of contract termination.
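Sections 6.4 and 6.9 both come down to a deletion date per party and data category: the agreed retention period normally, and the shorter termination deadline once the contract ends, unless a statutory obligation outlives the contract. The block below is an added example written for this guide, not code from the original post; the parties, categories, periods and the 30-day termination grace are assumptions taken from the scenarios above. Given a register of what each party received and when, it computes each item's deletion deadline and lists what is overdue, so the review in 6.8 has something concrete to check.

```python
"""Retention and deletion deadlines per party and category, including the
earlier deadline that contract termination imposes. Added example, not from
the original post; parties, categories and periods are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

TERMINATION_GRACE = timedelta(days=30)  # assumed: delete within 30 days of termination

# Assumed retention periods agreed per (party, category); 12 months and 5 years as in the text.
RETENTION = {
    ("ride_app", "driver_location"): timedelta(days=365),
    ("insurer", "accident_data"): timedelta(days=5 * 365),
    ("marketing_agency", "customer_profile"): timedelta(days=180),
}


@dataclass(frozen=True)
class SharedItem:
    party: str
    category: str
    received_on: date
    legal_hold: bool = False  # a statutory obligation that survives the contract


def deletion_due(item: SharedItem, terminated_on: date = None) -> date:
    """Date by which `item.party` must have deleted the item.

    Raises KeyError for a (party, category) pair the agreement does not cover:
    data the agreement never described must not linger silently.
    """
    policy_due = item.received_on + RETENTION[(item.party, item.category)]
    if terminated_on is None or item.legal_hold:
        return policy_due
    # Termination brings deletion forward, but never pushes it later.
    return min(policy_due, terminated_on + TERMINATION_GRACE)


def overdue_items(items, today: date, terminated_on: date = None):
    """(party, category, due date) for every item whose deadline has passed."""
    report = []
    for item in items:
        due = deletion_due(item, terminated_on)
        if due < today:
            report.append((item.party, item.category, due))
    return report


# Constructed register of what each party received and when.
SAMPLE_ITEMS = [
    SharedItem("ride_app", "driver_location", date(2024, 1, 10)),
    SharedItem("insurer", "accident_data", date(2022, 3, 15), legal_hold=True),
    SharedItem("marketing_agency", "customer_profile", date(2024, 3, 1)),
]

if __name__ == "__main__":
    ended = date(2024, 6, 1)
    for item in SAMPLE_ITEMS:
        print(item.party, item.category, "due", deletion_due(item, ended))
    print("overdue on 2024-08-01:", overdue_items(SAMPLE_ITEMS, date(2024, 8, 1), ended))
```

With no termination the driver location data is due on 2025-01-09 and nothing is overdue on 2024-08-01; once the contract ends on 2024-06-01, the ride app's and the marketing agency's items fall due on 2024-07-01 and show up as overdue, while the insurer's accident data keeps its statutory five-year date because it is under legal hold. A pair missing from `RETENTION` raises immediately, which is the right failure for data the agreement never listed.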


7. Additional Details worth including in the Data Sharing Agreement

The following additional documents can make the data sharing more effective and easier to follow:

1. Key Legislative and Legal Provisions

This section should summarize the laws and regulations that govern data sharing. It should include:
✅ Relevant sections of the Data Protection Act 2018 (DPA 2018) and UK GDPR (or other applicable laws).
✅ Any specific industry regulations (e.g., HIPAA for health data, PSD2 for financial data).
✅ Links to authoritative professional guidance (e.g., ICO’s guidelines on data sharing).

💡 Example:

A healthtech startup sharing patient data with hospitals should reference:

  • DPA 2018 & UK GDPR – Legal basis for processing health data.
  • NHS Information Governance guidelines – How patient records should be managed securely.
  • Medical Research Council guidance – If data is shared for research purposes.

2. Model Consent Form for Data Sharing

If consent is the legal basis for data sharing, a model consent form should be included. This ensures that individuals:
✅ Clearly understand what data is being shared and why.
✅ Know who will access the data and for how long.
✅ Have the option to withdraw consent at any time.

💡 Example:

A mental health app collecting user mood-tracking data for research purposes may include:

  • A checkbox for users to consent to data sharing.
  • A clear explanation that their data will be anonymized.
  • A “Withdraw Consent” button in the app’s settings.

3. Decision Diagram for Data Sharing

A flowchart or decision tree helps staff quickly determine whether data should be shared. This should include:

  • Legal basis check (Do we have consent or another lawful reason?)
  • Data necessity check (Is sharing essential for the intended purpose?)
  • Security check (Are appropriate protections in place?)

💡 Example:

A fintech company sharing customer financial data with fraud detection services could use a flowchart with steps like:
🔹 Is the data necessary for fraud prevention? → If yes, continue.
🔹 Is there a legal obligation to share the data? → If yes, share securely.
🔹 Does the customer have the right to object? → If yes, respect their rights.


4. Data Sharing Request Form

This form ensures that all data-sharing requests are documented and reviewed before approval. It should include:
✅ Who is requesting the data?
✅ What data is needed and why?
✅ The lawful basis for sharing.
✅ Security measures for transmission and storage.

💡 Example:

A smart home device company receives a request from a research university to access anonymized energy usage data. The university must submit a Data Sharing Request Form, detailing:

  • The specific data needed (e.g., hourly energy consumption).
  • The research purpose (e.g., studying household energy efficiency).
  • Security measures (e.g., encrypting stored data).

5. Data Sharing Decision Form

This form records decisions on whether to approve or reject a data-sharing request. It ensures transparency and compliance. The form should include:
✅ The name of the person or organization requesting the data.
✅ The reason for sharing or refusing to share the data.
✅ Who approved the decision and when.
✅ Any conditions attached to the data sharing.

💡 Example:

An online education platform shares student performance data with a government education body. Before sharing, the Data Protection Officer reviews a Data Sharing Decision Form, ensuring:

  • Data is anonymized.
  • Sharing complies with education data protection laws.
  • Access is limited to authorized officials only.