All About Data Sharing Agreement Examples: An In-Depth Guide

Data Sharing Agreement Defined

A data sharing agreement is essentially a contract between two or more parties that lays out the rules regarding the handling of data that may potentially contain confidential information. Typically, this means that the data in question may contain personally identifiable information or PII that could lead to unauthorized access if proper measures aren’t taken. The purpose of a data sharing agreement is to prevent disclosures and misuse of confidential information while still ensuring that authorized users can access and utilize it for various pre-approved uses.

Businesses and other institutions engage in data sharing agreements because it enables them to operate more efficiently by pooling and sharing data in a strategic way. These agreements can come into play when multiple parties decide to pool information for studies or research and development endeavors. When done correctly, a data sharing agreement will give all parties involved a comprehensive roadmap for how that data can be accessed and utilized while limiting the potential for unauthorized sharing or exploitation.

Data sharing agreements are an important part of today’s increasingly technological world. Due to the prevalence of data breaches, municipalities, private companies, and other entities in both the public and private sectors must share data with other organizations in a responsible and secure manner. These agreements ensure that there are clear guidelines for protecting such information.

Components of a Data Sharing Agreement

Essential to any data sharing agreement are the fundamental components that outline the responsibilities and expectations of each participant in the sharing process.
While not every agreement will follow the same format or address each of the components set forth below, these items should be considered and incorporated into agreements at a minimum, as applicable:

Scope and Purpose – A data sharing agreement should include the parties implicated by the sharing and the purpose(s) for the sharing. For example, a seminal case on data sharing is University of Michigan v. Medicine Shoppe International, Inc. In Medicine Shoppe the plaintiff sought to share prescription data held by pharmacies at the University of Michigan advising the court that, "the purpose of sharing such information was to broaden [the plaintiff’s] utilization of and service to the prescribing population at the university." In addressing the request to share the data, the court stated:

Insofar as Michigan Law states that one may not obtain information through the use of an ‘unreasonable search warrant,’ maybe the court should look to the ‘reasonableness’ of the purposes that underlie a request for information. If a request for information is made for an illegitimate purpose, one that is meant to evade regulatory requirements, or otherwise violates the rights of parties not privy to the request, is not the request itself unreasonable? As a general rule an attorney who acts in bad faith should not be heard to complain…(a) party acting in bad faith may not stand in the position of seeking an ancillary judicial proceeding for the immeasurable benefit of ulterior motives.

Legal Obligations – The agreement should identify any and all legal obligations of the parties with respect to the data. This identification may be exhaustive (explicitly addressing each requirement) or categorical (addressing categories of legal obligations). For example, the agreement may note that disclosures of protected health information ("PHI") by covered entities, organized healthcare providers and business associates must comply with the HIPAA Privacy Rule.
Alternatively, in another agreement where a party to the agreement is a business associate, the data sharing agreement should explicitly state that the party may not use or disclose PHI other than as permitted by the agreement, or as required to satisfy legal obligations.

Data Security – The agreement should address how the data will be secured once shared. Security obligations may have been implemented at the source; however, access by a third party poses additional risk and liability. Depending on the type of data shared and the nature of the parties, data security protocols may be more or less stringent. For example, if the data shared is particularly sensitive or includes PHI, secure file transfer and encryption may be necessary. Alternatively, if the data being shared is not sensitive (national security), the data may be transferred through a web-based access point with user authentication. The agreement should address the method of data sharing.

Termination – The agreement should include a termination clause covering events such as breach of the agreement terms, discovery of improper use of the data and expiration of the agreement. For example, HIPAA affords the parties protection from the disclosure of PHI after termination by allowing the business associate to disclose PHI for limited purposes upon termination, such as through a wind down period.

Legal Matters in Data Sharing

When entering into a data sharing agreement, there are many legal considerations to take into account. One of these is compliance with legal requirements relating to privacy, data protection and e-Privacy rules, in particular.

In the European Union, as mentioned in other places in this article, the GDPR is the lead regulation for data sharing agreements. As mentioned above, one of the enforcement mechanisms under the GDPR is an injunction, or "cease and desist" order.
That is, the National Data Protection Authority (or the courts) can issue an injunction against a controller or processor found to be in breach of the regulation, requiring it to cease a certain activity, for example.

However, the more common enforcement mechanism under the GDPR is a fine or penalty. This is also, in addition to the injunction, a possible EU-wide sanction. A fine or penalty can amount to: a minimum of €10 million or 2% of the total worldwide annual turnover, a higher penalty of up to €20 million or 4% of the total worldwide annual turnover, in each case whichever is greater.

Another legal consideration in relation to data sharing agreements is compliance with California Proposition 37 2013 (which we refer to as the CCPA). The CCPA came into force on January 1, 2020, and regulates the processing in California of the personal data of natural persons who are residents of California.

The rights granted by the CCPA are extensive rights including the right to access, right to delete, right to non-discrimination and right to opt-out. However, CCPA also requires that controllers must confirm or deny the existence of personal data when so requested.

Types of Data Sharing Agreements

Data sharing agreements can take on different forms based on the extent of information shared, the parties to the agreement, and the nature of the data. For example, the National Conference of State Legislatures identified two categories of data sharing: bilaterals, under which the entities agree to share a specific set of data on a consent basis, and multilaterals, with participation more open, possibly non-consensual, and with many data donors.

One common type of data sharing agreement is an internal data sharing agreement. For example, Kelly v. Google, Inc. investigated internal sharing programs at Google under which it shared location data, among other things.
Several third parties were permitted to review consumers’ location data in certain cases, without their consent or knowledge, including companies involved in ad serving platforms, account review processes, and operations. The federal district court in the Northern District of California examined the privacy impact of these practices and tentatively concluded that Google’s disclosures were not a breach of its privacy policies, which explicitly limited that disclosure to "trusted business partners."

External data sharing agreements can also take different forms, and a few examples are below.

Bilateral data sharing typically involves two parties contracting to share information through a bilateral agreement. For example, the University of Toronto enters into a bilateral data sharing agreement with the Centers for Disease Control to share mental health information while the Food and Drug Administration enters into bilateral data sharing agreements with various international regulatory authorities to share product data.

Multilateral data sharing involves at least three parties and can be structured in several ways. A number of federal agencies, including the Federal Communications Commission, National Oceanic and Atmospheric Administration, and the Department of Justice, currently participate in the International Criminal Police Organization, which is primarily governed by an agreement made in 1956 called the General Secretariat Agreement, similar to a data sharing agreement. State-based public health data sharing among states through the Council for State and Territorial Epidemiologists also illustrates a multilateral agreement.

Making a Data Sharing Agreement

Data sharing agreements are crucial for organizations that aim to share data in a manner that is mutually beneficial, secure, and compliant with all applicable laws.
It is essential that such agreements are drafted with care and consideration of all applicable regulatory requirements.

What should be included in a data sharing agreement?

The following considerations are recommended in drafting a data sharing agreement: (1) identify and understand the applicable laws; (2) define the roles and responsibilities of each party; (3) identify the purpose of the data sharing activity; (4) ensure that the data sharing activity is conducted in a way that is fair and lawful; (5) establish appropriate contractual safeguards; and (6) include provisions for termination, expiration, and dispute resolution.

How to draft a data sharing agreement?

(1) Identify and understand the applicable laws and regulations: Determine the specific actions that will be carried out under the data sharing agreement, as well as the types of data that will be processed. This determination should include a risk assessment that helps identify the perceived or actual risks of the data sharing arrangement for each party. Make sure to consult with legal counsel or a privacy professional with expertise in this area and with knowledge of any data protection regulations applicable to each party, its employees, and its customers. The most suitable type of data sharing arrangements is a data protection impact assessment (DPIA). DPIAs assess the potential effects of a data sharing activity on personal data rights and freedoms as well as help organizations comply with their regulatory obligations. If a DPIA is used, make sure to use plain language, as opposed to legal jargon, when describing the nature of the data sharing activity. Offer the parties an opportunity to ask questions about the data sharing activity at an early stage of the process.

(2) Define the roles and responsibilities of each party in the agreement: What is the purpose of the data sharing activity? Answering this question may help clarify who the parties will be in the data sharing agreement.
The parties may be controllers, processors, or both, and they need to understand what their responsibilities will be under the agreement, depending on their role. For example, if a data sharing activity involves a controller sharing data with a processor, the controller would need a written contract with the processor that outlines the processor’s specific obligations and responsibilities in handling the data.

(3) Identify the purpose of the data sharing activity: You should clearly identify the purpose of the data sharing activity so as to establish the lawful basis of sharing the data. For example, in the employment context, an organization may need to share an employee’s personal data with a bank in order to comply with its legal obligations under a loan program. The sharing of the information in this case would be determined by the applicable laws and not only by the parties’ interests. As such, the organization would also need a written agreement in place with the bank, outlining the bank’s specific obligations related to the sharing of the employee’s personal information.

(4) Conduct the data sharing activity in a fair and lawful manner: Be as transparent as possible about the nature and purpose of the data sharing activity. Prepare a privacy notice and share it with parties involved in the arrangement. The specific individuals may be customers or employees of the organization, for example.

(5) Establish contractual safeguards: Clarify the parties’ obligations under the data sharing agreement and include contractual safeguards to help prevent any misuse of the shared data under the agreement. Include references to and copies of all privacy notices as well as risk assessments and DPIAs linked to the data sharing activity.

(6) Include provisions for termination, expiration, and dispute resolution: All data sharing agreements should have termination provisions, mention expiration timelines, and offer a dispute resolution mechanism.

Common Mistakes and Their Solutions

An all-too-common pitfall is a failure to be clear on the purpose of the DSA. A data sharing agreement should be as concise as possible to keep things clear, but be as specific as needed to ensure the privacy and security of data being shared. Less experienced companies may be tempted to sign what appears to be a form agreement without fully understanding what they are signing. Because DSAs can vary considerably and there’s no set template between data sharing companies, the lack of a clear understanding of the terms could lead to improper use of the data and possible sanctions.

Communication is the key to dealing with this common mistake and avoiding a DSA that creates risk for both parties. When working with outside entities on a DSA, be sure to set clear and consistent communication practices throughout the process. Consider how you will track and document communication from the beginning of the DSA process. In addition, annual or semi-annual reviews of agreements and processes should be implemented to ensure compliance is being tracked consistently and thoroughly.

Ambiguous language can also thwart any DSA. Unless the DSA is concise and contains clear, simple language, it may not be implemented successfully. In addition, ambiguous terms may lead to confusion about the extent to which the agreement allows for the use of shared data. Likewise, a poorly written definition can leave holes that could allow other, unintended uses of the data.

When reviewing a DSA, terms should be clearly defined within the context of the DSA. Use of easy-to-understand language will help to ensure a mutual understanding by parties and compliance with the DSA during the life of the DSA. When possible, avoid using industry jargon or acronyms which may not be widely understood or interpreted to mean the same thing by the parties.
If unsure, err on the side of caution and include a definition.

Another misstep is failing to implement proper security measures in a DSA. Security protocols should be carefully reviewed and implemented to ensure confidentiality, integrity and authenticity of data being shared. Organizations can reduce their level of risk by openly communicating security requirements and practices with the other party during the DSA negotiation process.

Reviewing the DSA and appropriate security protocols and practices for regular updates should be part of any ongoing compliance practice. Establishing a periodic review of DSAs ensures that both parties’ security measures have not changed and that both organizations are aware of any changes in applicable laws, rules, regulations, and guidance that may impact the agreement.

Examples of Data Sharing Agreements

1. DCHS and GeekWire Health and Tech Alliance

The Washington state Department of Children, Youth and Families (DCYF) and GeekWire announced a first-of-its-kind data-sharing agreement that will help both organizations understand how children who enter the state foster care system fare as adults. The two organizations initially partnered in 2014 and have since teamed up to create the nonprofit Washington state Health and Tech Alliance, which released its first report based on data collected from the state department. The program is slated to continue through the end of 2018, with periodic reports being produced by the Health and Tech Alliance research team in partnership with the Washington state Office of Financial Management and DCYF.

2. Tropical Diseases Due Diligence: ICR Health Intelligence and The Gates Foundation

At the Foundation’s request, ICR Health Intelligence and the Bill and Melinda Gates Foundation partnered to create an access and attributions network model (partially supported by the Gates Foundation) to help the Gates Foundation decide how best to allocate resources to prevent tropical diseases.
The two organizations synthesized scientific, economic, and social data and used GIS software to visualize results and formulate their recommendations.

3. Sanofi Pasteur and the Tufts Medical Center

When Sanofi Pasteur realized that it needed to better analyze how its products were used in hospitals, the organization partnered with the Tufts Medical Center to create a data warehouse. After first creating data sharing agreements to establish its infrastructure, both organizations worked together to digitize records and import them into the database. This streamlined process saved the organization time and a significant amount of money in the long term. According to the organization, the partnership has led to improved efficiency in the clinical trial process and has assisted in creating new vaccines.

The Future of Data Sharing Agreements

As we look to the future, data sharing agreements are poised to evolve in new and interesting ways. For example, one trend that is likely to gain traction in the near term is the use of artificial intelligence (AI) in the data sharing process. With the rise of machine learning and big data analytics, it is likely that data sharing agreements will increasingly become automated through the use of AI tools. This would not only speed up the contract negotiation process, but also reduce the likelihood of human error.

Another area for growth in the future of data sharing agreements is the ability to govern the data after the information has been shared. Currently, data sharing agreements focus primarily on the front-end of the transaction, such as how the parties will share the data, what data will be shared, and how long the data can be used for. However, as data breaches and misuse of shared data become more prevalent, there is likely to be a push for data sharing agreements to include more robust governance controls.
This type of change could include protocols for deleting data after a certain time period or tracking how the data is used after it is shared.

Finally, the future of data sharing agreements is likely to be influenced by the changing regulatory landscape around data privacy. For instance, the European Union’s General Data Protection Regulation (GDPR) imposes strict requirements on companies that share data with third parties. This includes requiring companies to have a data sharing agreement in place with the third party prior to sharing the data. As more and more jurisdictions implement similar laws, the requirements for data sharing agreements are likely to become stricter.