
Get an overview of your obligations with the data checklist for adopters.

This is required guidance

It is legally required and it is an essential activity.

This Guide covers:

  • England

From:

Adopters - Data Protection agreements and contracts

Reviewed: 15 January 2023

Reviewed by: Health and Care IG Panel

It is important for adopters to have appropriate data agreements and contracts in place to formalise arrangements around access to and use of health and care data.

Below are the 2 types of agreements and contracts you should consider:

A Data Sharing Agreement

A Data Sharing Agreement (DSA) is a written agreement put in place to govern the sharing of personal data between 2 or more independent data controllers. It is good practice to have a DSA because it sets out the purposes for data arrangements, covers what is to happen to the data at each stage, sets standards, and helps all the parties to be clear about their respective roles. It can help your organisation demonstrate compliance with data protection law.

You can use the standardised data sharing and processing agreement template developed by the Health and Care IG Panel. If the research uses data received directly from NHS organisations, you should use one of the HRA’s templates for supporting documents, available on IRAS, to complete the DSA.

A Controller–Processor Contract

If a controller uses a processor to carry out a particular processing activity on personal data it controls, a written contract (agreement) must be in place. As mentioned previously, controllers are the main decision-makers. Processors must act on the controller’s documented instructions, which define the purposes and means of the processing of personal data.

You can use the standardised data sharing and processing agreement template developed by the Health and Care IG Panel. When NHS organisations will be the processors, you should use one of the HRA’s templates for supporting documents, available on IRAS.

The UK GDPR sets out what needs to be included in the contract. This is summarised in ICO’s guidance on contracts, which highlights necessary considerations so that both parties understand their responsibilities. For example, if a processor uses another organisation (that is, a sub-processor) to assist in its processing of personal data for a controller, it needs to have a written contract in place with that sub-processor.
