Data Protection agreements and contracts
Reviewed by: Health and Care IG Panel
It is important for adopters to have appropriate data agreements and contracts in place to formalise arrangements around access to and use of health and care data.
Below are the 2 types of agreements and contracts you should consider:
A Data Sharing Agreement
A Data Sharing Agreement (DSA) is a written agreement put in place to govern the sharing of personal data between 2 or more independent data controllers. It is good practice to have a DSA because it sets out the purposes for data arrangements, covers what is to happen to the data at each stage, sets standards, and helps all the parties to be clear about their respective roles. It can help your organisation demonstrate compliance with data protection law.
You can use the standardised data sharing and processing agreement template developed by the Health and Care IG Panel. If the research uses data received direct from NHS organisations, you should use one of the HRA’s templates for supporting documents available on IRAS to complete the DSA.
A Controller–Processor Contract
If a controller uses a processor to carry out a particular processing activity on personal data it controls, a written contract (agreement) must be in place. As mentioned previously, controllers are the main decision-makers. Processors must meet the controller’s standards defining the purposes and means of the processing of personal data.
You can use the standardised data sharing and processing agreement template developed by the Health and Care IG Panel. When NHS organisations will be the processors, you should use one of the HRA’s templates for supporting documents available on IRAS.
The UK GDPR sets out what needs to be included in the contract. This is summarised in ICO’s guidance on contracts, which highlights necessary considerations so that both parties understand their responsibilities. For example, if a processor uses another organisation (that is, a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.