Data Sharing Agreement (UK)

UK GDPR & Data Protection Act 2018

DATA SHARING AGREEMENT

UK GDPR and Data Protection Act 2018

1. PARTIES

This Data Sharing Agreement is entered into between:

Disclosing Organisation: [Disclosing Organisation Name]

Address: [Disclosing Organisation Address]

Data Protection Contact: [Disclosing DPO Contact]

ICO Registration Number: [Disclosing ICO Number]

Receiving Organisation: [Receiving Organisation Name]

Address: [Receiving Organisation Address]

Data Protection Contact: [Receiving DPO Contact]

ICO Registration Number: [Receiving ICO Number]

Each party acts as a data controller in respect of the personal data shared under this Agreement. The parties jointly determine the purposes and means of processing in respect of the shared data and acknowledge their respective obligations as controllers under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. PERSONAL DATA TO BE SHARED

2.1 Categories of Personal Data: [Categories of Personal Data]

2.2 Special Category Data: [Special Category Data]

2.3 Categories of Data Subjects: [Categories of Data Subjects]

2.4 Estimated Volume of Data Subjects: [Estimated Volume]

3. PURPOSE AND LAWFUL BASIS

3.1 Purpose of Sharing: [Purpose of Data Sharing]

3.2 Lawful Basis (Article 6 UK GDPR): [Lawful Basis]

3.3 The receiving organisation undertakes to use the shared data only for the purposes stated in clause 3.1 and not to process it for any incompatible purpose.

4. SECURITY MEASURES

4.1 Both parties shall implement appropriate technical and organisational measures to protect the shared personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (Article 32 UK GDPR).

4.2 Agreed security measures: [Security Measures]

4.3 Method of data transfer: [Transfer Mechanism]

5. RETENTION AND DELETION

5.1 The receiving organisation shall retain shared personal data for no longer than: [Retention Period]

5.2 Upon expiry of the retention period, the receiving organisation shall securely delete or anonymise the shared data and confirm this in writing to the disclosing organisation within 30 days.

6. DATA SUBJECT RIGHTS

6.1 Both parties shall cooperate to facilitate the exercise of data subject rights under Articles 15–22 of the UK GDPR, including the rights of access, rectification, erasure, restriction, portability, and objection.

6.2 The parties shall agree a protocol for handling data subject rights requests that span both organisations and shall respond to such requests within the statutory timescales (one calendar month, extendable by two further months in complex cases).

7. DATA BREACH NOTIFICATION

7.1 Each party shall notify the other of any personal data breach affecting the shared data within [Breach Notification Period] hours of becoming aware of the breach.

7.2 Both parties acknowledge that breaches likely to result in risk to the rights and freedoms of data subjects must be reported to the Information Commissioner's Office (ICO) within 72 hours (Article 33 UK GDPR) and that high-risk breaches must also be communicated to affected data subjects (Article 34 UK GDPR).

8. REVIEW AND TERMINATION

8.1 This Agreement takes effect on [Start Date] and shall be reviewed no later than [Review Date].

8.2 Either party may terminate this Agreement by giving 30 days' written notice. Upon termination, the receiving organisation shall delete or return all shared data in accordance with clause 5.

SIGNED

For and on behalf of [Disclosing Organisation Name]:

Signature: _________________________ Date: _____________

Name and Title: _________________________

For and on behalf of [Receiving Organisation Name]:

Signature: _________________________ Date: _____________

Name and Title: _________________________

Maintained by Vladislav Sergienko, Founder

What Is a Data Sharing Agreement (UK)?

A Data Sharing Agreement in the United Kingdom sets the service levels, data-handling duties, fees, and liability terms under which the technology or platform is supplied, with its requirements set by the Companies Act 2006.

Under Article 5(2) of the UK GDPR, the accountability principle requires data controllers to be able to demonstrate compliance with the data protection principles set out in Article 5(1). A documented Data Sharing Agreement is a primary mechanism through which organisations demonstrate that their data sharing arrangements comply with the UK GDPR's requirements for lawful basis (Article 6), purpose limitation, data minimisation, security (Article 32), and retention. The ICO's statutory Data Sharing Code of Practice, published under section 121 of the DPA 2018, strongly recommends that organisations put a Data Sharing Agreement in place whenever they systematically share personal data.

Where two or more organisations jointly determine the purposes and means of processing personal data — for example, two NHS trusts sharing patient data for a joint research programme, or two retailers sharing customer data for a joint loyalty scheme — they are joint controllers under Article 26 of the UK GDPR and must enter into a joint controller arrangement that defines their respective responsibilities. A Data Sharing Agreement that addresses the Article 26 requirements can serve as the joint controller arrangement.

Where one organisation shares personal data with another organisation that processes it exclusively on the first organisation's instructions — for example, a local authority sharing resident data with a third-party IT provider — the receiving organisation is a processor under Article 28 of the UK GDPR and a written data processing agreement is mandatory. A Data Sharing Agreement is appropriate for controller-to-controller sharing; a data processing agreement is required for controller-to-processor transfers. The two documents serve distinct legal purposes and should not be conflated.

The UK GDPR's rules on international data transfers (Chapter V) apply whenever personal data is transferred outside the United Kingdom to a country not covered by an adequacy regulation made by the UK Secretary of State under section 17A of the DPA 2018. The Data Sharing Agreement should address international transfers where relevant, specifying the appropriate safeguards — such as the UK International Data Transfer Agreement (IDTA) or the Addendum to EU SCCs — adopted by the parties.

The legal framework governing the Data Sharing Agreement (UK) in the United Kingdom draws on several key statutes and regulatory bodies. Under the Companies Act 2006, Companies House maintains the register of UK companies. Section 386 of the Companies Act 2006 sets accounting record obligations. The Competition and Markets Authority (CMA) enforces the Consumer Rights Act 2015. The Financial Conduct Authority (FCA) regulates financial services under the Financial Services and Markets Act 2000. The High Court of Justice has jurisdiction under the Senior Courts Act 1981. Parties executing a Data Sharing Agreement (UK) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies Act 2006 sets the foundational requirements.

When Do You Need a Data Sharing Agreement (UK)?

A UK Data Sharing Agreement is needed whenever two or more organisations systematically share personal data and wish to document the legal basis, purposes, security standards, and responsibilities governing that sharing in accordance with the UK GDPR and the ICO's Data Sharing Code of Practice.

Two NHS trusts or integrated care boards sharing patient records to deliver joined-up care pathways under the Health and Social Care Act 2012 need a Data Sharing Agreement that identifies the lawful basis for sharing health data (special category data under Article 9(2) UK GDPR — typically Article 9(2)(h) for medical purposes), the categories of data shared, the security measures applied, and the data subject rights notification arrangements.

A local authority and a housing association sharing tenancy data and support needs information to deliver homelessness prevention services under the Homelessness Reduction Act 2017 need a Data Sharing Agreement that confirms the lawful basis (typically Article 6(1)(e) — public task — for the local authority, and Article 6(1)(f) — legitimate interests — for the housing association), the retention period, and the rights of residents to object.

Two financial services firms sharing customer data for the purposes of fraud prevention and detection under the Financial Services and Markets Act 2000 need a Data Sharing Agreement that confirms compliance with the ICO's guidance on sharing data for fraud prevention, the lawful basis (Article 6(1)(f) — legitimate interests), and the appropriate safeguards to protect the data subjects' rights and freedoms.

An employer and an occupational health provider sharing employee health information for fitness-for-work assessments need a Data Sharing Agreement covering special category health data under Article 9(2)(b) UK GDPR (processing necessary for the purposes of carrying out obligations in the field of employment law), the confidentiality obligations of the occupational health provider, and the restrictions on the information shared with the employer versus that retained by the occupational health provider.

A police force and a local authority sharing data under a Community Safety Partnership (under the Crime and Disorder Act 1998) to address anti-social behaviour need a Data Sharing Agreement that identifies the appropriate lawful basis for each category of data shared, confirms compliance with the Law Enforcement Processing provisions of Part 3 of the DPA 2018, and establishes procedures for data subject access requests.

What to Include in Your Data Sharing Agreement (UK)

A UK Data Sharing Agreement must include the following elements to satisfy the UK GDPR's accountability principle (Article 5(2)) and the ICO's Data Sharing Code of Practice requirements.

The parties and roles section must identify each organisation involved in the sharing arrangement and specify their role: data controller (an organisation that determines the purposes and means of processing), joint controller (where two organisations jointly determine purposes and means), or data processor (where an organisation processes data on another's instructions). Correctly identifying roles determines which provisions of the UK GDPR apply — Article 26 for joint controllers or Article 28 for processors.

The purpose of sharing clause must clearly state why the personal data is being shared — the specific purpose or purposes for which each sharing partner will use the data. The UK GDPR's purpose limitation principle (Article 5(1)(b)) prohibits using personal data for purposes incompatible with those for which it was originally collected. The agreement must confirm that the sharing purpose is compatible with the original collection purpose, or identify the basis on which the personal data can be used for a new purpose.

The lawful basis for sharing must be identified for each category of personal data and for each sharing party. For ordinary personal data, one of the six lawful bases in Article 6(1) UK GDPR must apply. For special category data (health, race, religion, sexual orientation, biometric data, etc.), an additional condition under Article 9(2) must also be satisfied. The agreement should reference the specific Article 6 and Article 9 basis relied upon and explain why it applies.

The data categories and data subjects section must describe the types of personal data shared — for example, name, address, date of birth, National Insurance number, health records, financial data — and the categories of data subjects whose data is shared (employees, customers, service users, children, vulnerable adults). Specificity here reduces the risk of over-sharing beyond what is permitted under the data minimisation principle (Article 5(1)(c)).

The security requirements clause must specify the technical and organisational measures each party must implement under Article 32 UK GDPR to protect the shared data — including encryption in transit and at rest, access controls, audit logging, pseudonymisation where appropriate, and the security standards (such as Cyber Essentials or ISO 27001) that sharing partners are expected to meet.

The data breach notification procedure must specify how each party will notify the other of any personal data breach affecting the shared data, and must confirm that breaches likely to result in risk to individuals will be reported to the ICO within 72 hours under Article 33 UK GDPR. The agreement should identify a named contact at each organisation for breach notifications.

The retention and deletion clause must specify how long each party will retain the shared personal data, the process for securely deleting or anonymising the data at the end of the retention period, and any exceptions — such as where data must be retained for legal proceedings or statutory audit purposes.

The data subject rights procedure must confirm how each party will handle data subject access requests (DSARs) under Article 15, rectification requests under Article 16, erasure requests under Article 17, and objections under Article 21 in relation to the shared data, and how the parties will cooperate where a DSAR spans data held by more than one party. The forms-legal.com Data Sharing Agreement (UK) template covers the mandatory elements under the Companies Act 2006.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Sharing Agreement (UK) (United Kingdom) [Legal document template]. Forms Legal. https://forms-legal.com/uk/business/contracts/data-sharing-agreement-uk

MLA

"Data Sharing Agreement (UK) (United Kingdom)." Forms Legal, 2026, https://forms-legal.com/uk/business/contracts/data-sharing-agreement-uk.

BibTeX
@misc{formslegal-data-sharing-agreement-uk,
  author       = {{Forms Legal}},
  title        = {Data Sharing Agreement (UK) (United Kingdom)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/uk/business/contracts/data-sharing-agreement-uk}},
  note         = {Free legal document template. Based on Companies Act 2006}
}

Based on the Companies Act 2006. Template last modified June 2026.

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
