In today’s data-heavy business world, it is common for organisations to share large volumes of personal information. Data sharing has become a universal business practice, particularly between group companies. Personal information about staff, customers and suppliers is a common example of data shared between commercial companies for several important reasons.
Whenever personal data is shared by an organisation, various rules apply under the UK General Data Protection Regulation (UK GDPR). These data protection rules are in place to ensure that personal data is properly safeguarded when it is shared.
Where parties sharing personal data act as data controllers (i.e. have control over the personal data), organisations should consider entering into ‘data sharing agreements’ (also known as ‘controller to controller agreements’). A data sharing agreement can help to demonstrate compliance with the UK GDPR and protect organisations by reducing risk. It does this by providing good data stewardship, and can also help prevent breaches of the UK GDPR.
This guide will explore the concept of data sharing under the UK GDPR, the purpose of data sharing agreements and when they are required, and some of the key considerations when negotiating them.
If you would like advice on whether your business needs a data sharing agreement or support with drafting or negotiating one, please contact our data protection law team who will be happy to help you.
- What is a data controller?
- Am I a data controller or a data processor?
- Why is this important?
- What are some examples of data sharing scenarios?
- When is a data sharing agreement needed?
- What is the difference between a data sharing agreement and a data processing agreement?
- Which key clauses should I consider in a data sharing agreement?
- What are some key issues to consider when drafting and negotiating data sharing agreements?
What is a data controller?
From the outset, it is vital to understand what role an organisation plays under the UK GDPR. This will determine what type of agreement the organisation should put in place to help demonstrate UK GDPR compliance.
Under the UK GDPR rules, an organisation processing personal data will act as either a:
- Data Controller – This means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A controller decides how and why to use personal data and controls how personal data is used.
- Data Processor – This means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. A processor is a separate person or organisation that processes personal data on behalf of the controller and on their instructions.
Am I a data controller or a data processor?
It is important to determine whether you act as a data controller or processor, as this will determine what you will need to do in order to comply with the UK GDPR rules.
In practice, it is not always easy to determine whether an organisation is acting as a data controller or a data processor. This is a common argument during contractual negotiations for projects involving the use of personal data. However, this is a critical question which needs to be considered and determined carefully.
In our modern business world, parties often use personal data for several different reasons, and this is further complicated by the use of new technologies. If a party has any element of decision-making, autonomy, or power about what to do with personal data, this could mean they act as a data controller when processing it.
Whilst companies frequently use service providers to process personal data (for example, external IT or HR services), service providers could also be deemed to be data controllers if they have power over the use of personal data. For example, a service provider who gets to decide how to use personal email addresses, or how long they are stored before deletion, could be deemed to be a data controller. If a service provider uses personal data for analytics purposes (i.e. to analyse its own performance and better its services) it may also be deemed to be a data controller.
Why is this important?
It is important to ensure that your organisation understands whether you share personal data as a data controller or a data processor.
This requires a careful analysis, each time you share personal data. For example, for each project involving the sharing of personal data, you should consider:
- what types of personal data are shared and by which organisation;
- who decides how the personal data can be used; and
- who decides how long personal data is kept and when it should be deleted.
In practice, this can be a difficult exercise, particularly where personal data is used for various purposes.
Determining whether you are a controller or processor will help you determine what obligations you need to comply with under the UK GDPR rules. It will also help you to determine which types of contractual agreements you should have in place.
Failing to correctly determine whether you are a controller or processor could lead to you falling short of your UK GDPR compliance obligations. This could lead to a range of severe consequences, including regulatory action and fines. If you are unsure about whether your organisation is a controller or processor, you should take legal advice from an experienced data protection solicitor.
Despite what is written in your contracts, in the event of an investigation the UK ICO (the data protection regulator) will look at the factual data processing which is taking place to determine if you are a controller or a processor. That means even if your contract states you are a processor, you could still be deemed to be a data controller, and this could have significant ramifications and consequences if you get it wrong.
What are some examples of data sharing scenarios?
It is possible to share personal data in many ways, for example:
- Controller to controller personal data sharing – where two controllers share personal data.
- Controller to processor personal data sharing – where a controller shares personal data with a processor to use data only on their strict instructions.
- Processor to processor data sharing – for example, where one processor engages another service provider to process personal data on the strict instructions of the data controller.
For more information, see our separate guide on agreements between a controller and processor.
Where personal data is shared between parties acting as data controllers, there are two key ways in which personal data can be shared:
- Personal data sharing between joint controllers. This is where two data controllers share personal data for a unified purpose (for example, a joint marketing campaign with a common end goal). In this scenario, the two organisations jointly determine the purposes and means of processing the personal data. Accordingly, as joint controllers they are obliged to consider how responsibility for UK GDPR compliance matters is divided between them, for example how data subjects will be made aware of the data sharing.
- Personal data sharing between independent data controllers. This is where two separate data controllers share personal data but use it for different purposes. For example, where each party uses the same personal data set for its own objectives and does not decide upon those objectives jointly with the other party.
You will need to carefully analyse the practicalities of the data sharing scenario, to determine if you are acting as joint or independent controllers. You should also document your determination and reasoning for it.
Some practical examples of data sharing scenarios include the following:
- A charity and an independent researcher collaborate to create a new research article. Both parties use shared personal data to prepare the article and jointly decide how to use the personal data. As such, both parties act as joint controllers.
- A business provides certain staff data to a law firm, to review a legal case. In this case, the business is a data controller as it uses the data to deliver its employer obligations. In contrast, the law firm uses the staff data to carry out analysis of the legal case and deliver its services. In this scenario, the parties would likely act as independent controllers.
- A university sends data about its staff to HMRC. As HMRC will use the data for its purposes, it will act as an independent data controller.
- In a franchise set-up, a franchisor asks a franchisee to share various client details with it, so the franchisor can see details of the sales and record them on its internal systems. If the franchisor uses that data for its own purposes and determines why it is used, it will use that data as an independent controller.
Whether parties are joint or independent data controllers will need to be considered on a case by case basis.
When is a data sharing agreement needed?
As explored above, where an organisation shares personal data with another controller, the two entities will either be joint controllers or each will be an independent controller.
The UK GDPR and UK Data Protection Act 2018 do not expressly require a written agreement to be signed between data controllers. However, it is highly advisable to enter into a well-drafted agreement nonetheless – particularly where high-risk or high volumes of personal data are shared.
If you are sharing personal data with a joint controller (i.e. where both parties use the personal data concerned for a joint, common purpose), the UK GDPR states that there must be an arrangement between the data controllers. Joint controllers are required to determine their respective obligations for compliance, in particular regarding data subject rights and providing privacy information. Although the law requires an arrangement between joint controllers, it technically does not require a written agreement between joint controllers. However, having a written agreement is always best practice and helps demonstrate accountability for data controllers.
Further, if you, as a data controller, are sharing personal data with an independent data controller (i.e. not a joint controller but rather a party who will use the personal data for its own, independent purposes), it is still good practice to have an agreement in place even though the UK GDPR does not specifically require it. An agreement will help justify the data sharing and demonstrate that UK GDPR compliance issues have been contemplated and taken into account.
In short, a data sharing agreement is highly sensible for both commercial and regulatory compliance reasons when personal data is shared between controllers. By having well-defined terms, the controllers will be able to better manage compliance and avoid breaching their obligations.
The type of data sharing agreement required will be different, depending on whether the parties are joint or independent data controllers. If you require support with understanding which type of agreement you need and what it should contain, you should seek legal advice from a data protection solicitor.
What is the difference between a data sharing agreement and a data processing agreement?
A data sharing agreement is very different to a data processing agreement, and it is important that your business understands the differences and uses the correct contractual document for its data sharing activities.
Controllers and processors need to enter into a mandatory data processing agreement. For this agreement, the UK GDPR specifically prescribes that a written contract is needed with various mandatory clauses.
Whilst it is not mandatory to enter a data sharing agreement, it is highly recommended as best practice. The ICO has noted in its guidance that having a data sharing agreement demonstrates good accountability – indeed, a well-drafted data sharing agreement can help evidence compliance. As such, in practice, businesses commonly enter into data sharing agreements (either by incorporating data sharing clauses into their commercial contracts or negotiating standalone contracts to govern the data sharing).
Which key clauses should I consider in a data sharing agreement?
There is a lot more freedom for commercial parties to negotiate the terms of a data sharing agreement.
Unlike a data processing agreement, a data sharing agreement does not have a prescribed format. In contrast, Article 28 of the UK GDPR sets out strict requirements about what a contract between a controller and processor should contain.
The types of provisions a data sharing agreement should include will depend on various matters – for example, whether the parties to the agreement are acting as joint controllers or independent controllers.
There is no one-size-fits-all approach for data sharing agreements and parties will need to consider issues including:
- How sensitive or risky the personal data in question is – for example, whether it is special category data or data concerning children.
- How much personal data will be shared and how risky the purposes of sharing are – for example if high-risk profiling will be a processing activity.
- Whether the personal data will remain in the UK or be transferred internationally.
The UK ICO has prepared a Data Sharing Code, containing various information around obligations and guidance on what a data sharing agreement should cover. Data controllers should review this guidance, to ensure that their data sharing practices reflect the ICO’s expectations.
Here are some key factors which should generally be considered as part of a data sharing agreement (some of which are also reflected in the UK ICO’s guidance):
- Clarity on each party’s role concerning the personal data which is being shared and the aims and purposes for sharing the data.
- Obligations for each party to comply with the UK GDPR and data protection legislation.
- A comprehensive description of the data being shared and whether any special category data is shared and why.
- Setting out parameters over the use of shared personal data – for example, whether the recipient data controller may use the shared personal data for marketing purposes.
- Details around providing assistance and dealing with data subjects exercising their rights – for example, what to do if there is a data subject access request.
- Details on the security measures used to protect personal data.
- Provisions around who is responsible for dealing with personal data breaches, including responsibility for communications with the ICO and data subjects.
- Setting out the lawful basis for sharing personal data between the parties.
- Documenting any relevant conditions for the processing of special category and/or criminal conviction or offence data, where relevant.
- Recording who is the responsible point of contact for data subjects.
- Agreeing upon any required international data transfer safeguards to the extent that personal data is transferred outside of the UK.
- Considering issues around liability and dealing with compensation claims.
What are some key issues to consider when drafting and negotiating data sharing agreements?
Again, this will depend on the circumstances, types of personal data and risks of the processing involved.
Here are some of the general issues for the parties to consider:
- When entering into a data sharing agreement, you should carefully consider each party’s roles and responsibilities and ensure that your agreement is carefully drafted accordingly. From the outset, ensure you understand whether each party will independently or jointly control personal data.
- As the parties are free to negotiate their own terms, you should also think about how best to protect yourself from risk commercially and avoid reputational damage if things go wrong.
- You should carefully determine what format of data sharing agreement is appropriate for your arrangement. For example, low-risk and minimal data sharing may warrant a simple set of data sharing terms as part of your wider commercial agreement. However, larger and higher-risk data sharing arrangements (for example, projects concerning high-risk data or large volumes of sensitive data) may require a separate stand-alone data sharing agreement with more extensive provisions and protections.
- Where your organisation is sharing personal data with another controller, a data sharing agreement is a chance for you to ensure that the recipient controller acts responsibly and safeguards the data you share with them. You should ensure that the other controller can commit to complying with certain data protection obligations and that they have appropriate safeguards in place to secure personal data.
- You should decide upon any rules to impose where you are sharing personal data. For example, you may need to flow down certain data protection assurances you have promised to the data subject, to the recipient data controller.
- For joint controller agreements particularly, you should assess the apportionment of liability between the parties. Data subjects could pursue action and enforce their rights against either controller. As such, you will need to consider how to recover your losses if the other data controller is at fault and you suffer loss as a result.
- The inclusion of contractual indemnities could help you protect your organisation as a joint controller. For example, your organisation may wish to negotiate data protection indemnities to cover the risk of potential losses, such as data misuse and claims arising from it. This can be particularly helpful if you face liability due to a breach by the other controller, for example if an individual seeks financial compensation from your organisation where you were not fully responsible for the damage they suffered.
Data sharing agreements can be particularly complicated and nuanced, in contrast to data processing agreements with prescribed terms. If you are in doubt when negotiating an agreement, you should seek legal advice.
It is important that your organisation spends time assessing your data sharing practices and which role it plays.
When you share personal data with another controller, you have several legal obligations under the UK GDPR rules. Failing to comply with those rules can lead to several negative consequences, from regulatory fines to reputational damage.
Although data sharing agreements are not strictly mandatory under the UK GDPR (in contrast to data processing agreements) they are nonetheless important documents for demonstrating accountability and reducing risk.
Having in place a robust data sharing agreement can help demonstrate compliance with the UK GDPR rules. It can also help protect your business from risk, for example, by setting out rules on the use of personal data and apportioning risk by allocating liability.
A data sharing agreement can also help foster good data management, by setting out rules around who will be responsible for certain actions – such as responding to requests from data subjects. Further, a data sharing agreement can help avoid mismatched expectations on the allocation of data protection responsibilities and give you comfort when sharing personal data. With a comprehensive data sharing agreement in place, you are more likely to prevent compliance risks and avoid complaints from data subjects.
Given the potential liability you could suffer for non-compliance, you must ensure that the correct contractual agreements are put in place for your data sharing. If you require support with understanding your legal obligations or putting in place the appropriate data sharing agreements, you should take legal advice.