What to Include in a Data Sharing Agreement

Your agreement should also address the main practical issues that may arise when sharing personal data. This should ensure that all organizations involved in sharing: Your organization can refer to it by a different name – B for example, an information sharing agreement, a data sharing agreement or a data sharing protocol – but the principle is the same and you need to take certain steps. What is the purpose of the data exchange initiative? 10. Indemnification – This clause provides that in the event of legal claims against one of the parties to the agreement, the normal legal rules and principles apply, and states that if one party becomes aware of a claim against the other party, it must notify the other party in a timely manner. Whether you`re drafting a data exchange agreement or other documents, such as privacy notices and policies, HR documentation, business contracts, or international data transfers, you don`t have to risk doing it alone. In this context, it defines the purpose of the data exchange and covers what happens to the information at each stage. 3. Data Description – This gives you a more detailed description of the data to share with the exact fields listed in an attachment. For consistency, the list of fields should match the description of the data to be shared in the written consent agreement. Creating and updating data processing contracts is a complex and time-consuming task that involves many risks.

An error or omission could mean the difference between GDPR compliance and a hefty fine. You must also indicate the legal authority under which you may disclose the data. A data-sharing agreement ensures that companies and their suppliers are clear about their roles and sets standards for what they can expect from the agreement and what is expected of them. You must document the relevant processing conditions to the extent appropriate under the UK GDPR or the 2018 DPA, where the data you share contains a special category of data or criminal offences under the UK GDPR, or if there is sensitive processing within the meaning of Part 3 of the 2018 DPA. Organizations that act as joint data controllers with another organization must define their responsibilities in writing. The general elements of a data exchange agreement are listed below, adapted from the list published in Urban Institute`s Measuring Performance: A Guidance Document for Promise Neighborhoods on Collecting Data and Reporting Results. If you are acting with another controller as a joint controller of personal data, there is a legal obligation to define your responsibilities in a joint control agreement, both under the UK GDPR/Part 2 of the 2018 DPA and Part 3 of the 2018 DPA. While the Code primarily focuses on sharing data between different controllers, the provisions of a data-sharing agreement could help you enter into a joint control agreement. This does not mean that it immunizes you against non-compliance or regulatory measures if you conflict with the law. To avoid compliance gaps, you must ensure that you and the people with whom you share personal data comply with the terms of your agreement.

In addition, the agreement helps you justify your data sharing and provide documented evidence that you have addressed compliance issues. 6. Roles and Responsibilities – This section identifies individuals in data-driven organizations. If other organizations are involved in the exchange of data Regardless of the terminology, it is recommended to conclude an agreement on data sharing. Data sharing also promotes accountability and transparency, allowing researchers to validate each other`s results. Finally, data from multiple sources can often be combined to allow for comparisons that transcend national and departmental boundaries. However, for organisations in the UK, the ICO (Information Commissioner`s Office) has confirmed that it will consider all relevant agreements when considering a complaint about that organisation`s data sharing. A data exchange agreement is a formal contract that clearly documents what data is shared and how the data can be used.

Such an agreement has two objectives. First, it protects the authority that provides the data and ensures that the data is not misused. The GDPR establishes stricter controls for the processing of special categories of personal data. This includes information about a person`s race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data and genetic information. Your agreement must clearly state all the organisations that will be involved in the data sharing and provide the contact details of their Data Protection Officer (DPO) or any other relevant employee responsible for data sharing, and preferably for other key employees. It should also include procedures for the inclusion of additional organisations in the data sharing agreement and for addressing cases where an organisation needs to be excluded from sharing. Your consent must specify the types of data you want to share. This is sometimes referred to as a data specification. This may need to be detailed, as in some cases it is appropriate to share only certain information in a file about a person and omit other more sensitive documents. In some cases, it may be appropriate to add “permissions” to certain data elements so that only certain employees or employees of certain roles are allowed to access them.

for example, employees who have been trained accordingly. They must explain the purpose of data sharing, why information must be shared to achieve those goals, and the benefits of doing so. 4. Timing and frequency of updates – Since data must be provided on an ongoing basis, it is important to determine when new data should be published. If you use consent as the legal basis for disclosure, your agreement must include a model declaration of consent. You must also deal with issues related to the refusal or withdrawal of consent. 2. Contract Term – Specifies the duration for which the data sharing agreement is valid. Individual parties to the data sharing agreement should have the right to terminate their participation within a reasonable period of time. They should establish procedures for the respect of individual rights. This includes the right to information as well as the right to object and requests for correction and deletion.

You must make it clear in the agreement that all managers remain responsible for compliance, even if you have processes that determine who should perform certain tasks. Here is a list of the elements that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. Data exchange agreements define the purpose of data sharing, cover what happens to the data at each stage, set standards, and help all parties involved in data exchange to be clear about their roles and responsibilities. 5. Deposit Account Responsibility and Data Responsibility – This section defines responsibility for maintaining data security. This should include the secure process of transferring the file and a specific file format. If there are special circumstances regarding access to the data, these can be specified here. It is probably useful for your agreement to include an annex or annex, including: 8. Resources and costs for data sharing and management – If necessary, the agreement may specify which organisations are responsible for certain data sharing costs. 9. No guarantee of data quality or links – This section provides protection to the recipient organization, which undertakes to make reasonable efforts to promote data quality, but does not guarantee a specific standard.

However, in itself, it does not constitute a data sharing agreement: for public authorities, the agreement should also cover the need to include certain types of information in your freedom of publication system. 7. Permitted Use, Linking and Sharing of Data under this Agreement – The exact rules for the use of the data by the receiving organisation, including access rights and sharing of the data with other organisations. .