Data Sharing Agreements

Before University personal data can be shared with a third party such as another University or external stakeholder the University will have to review or put in place an arrangement to ensure that the sharing is lawful in line with data protection laws. 

Where sharing is necessary on a one off basis then an agreement is not required and sharing can be undertaken provided a lawful basis is in place. However, where the sharing is going to be part of an ongoing arrangement such as a research project or as part of a funding requirement the University it is essential that a Data Sharing Agreement is put in place.  

Data Sharing Agreements set out the framework for the sharing of personal data and documents, the purpose of the sharing, covers what happens to the data at each stage and puts in place standards that help all the parties involved in the sharing to be clear about their roles and responsibilities. 

An agreement is a key document that allows the University to demonstrate its compliance with data protection laws and protects the University in the event that the third party partner causes a breach. 

The type of agreement required can depend on the nature of the activity and parties involved in the sharing (see workflow for further information on identifying the correct agreement required).  

  • A ‘Data Sharing Agreement' is required where a number of  'data controllers' (a body that determines the purpose of processing personal data) intend on sharing personal information routinely and regularly between themselves   (e.g. USW has a data sharing agreement with the Student Union in respect of information shared such as employment information)

  • A 'Data Processing Agreement' is required when the University as a data controller contracts an outside company to undertake a task that involves the processing of personal data on its behalf (e.g. Microsoft provide the University with cloud storage through Sharepoint and One Drive.  They undertake this service on the University's behalf and act under its instruction). 

  • A 'Data Disclosure Agreement' - Where there is a one way transfer of personal data from one data controller to another.

There is no need for a data sharing agreement or a contract when sharing personal data internally within the University, however, staff should consider whenever they do share personal data with colleagues whether it is necessary and whether they could achieve the same outcome by sharing less data.  

Further advice is available from the Information Compliance Unit - [email protected]

To learn more, the Information Commissioner Office's Data Sharing Code of Practice has recently been updated and provides a comprehensive overview relating to data sharing.