Data Sharing Agreement

DATA SHARING AGREEMENT

This Data Sharing Agreement (the "Agreement") is entered into as of [Effective Date] (the "Effective Date"), by and between:

[Disclosing Party Name], located at [Disclosing Party Address] (the "Disclosing Party"); and

[Receiving Party Name], located at [Receiving Party Address] (the "Receiving Party").

The Disclosing Party and Receiving Party are collectively referred to as the "Parties."

1. DATA SHARED

1.1 Description. The Disclosing Party agrees to share the following data with the Receiving Party under the terms of this Agreement: [Data Description].

1.2 Format and Delivery. The data shall be provided in the following format and by the following method: [Data Format].

1.3 Applicable Regulations. The Parties acknowledge that the data shared hereunder may be subject to the following regulatory frameworks: [Applicable Regulations]. Each Party shall comply with all applicable provisions of these frameworks with respect to its handling of the shared data.

2. PERMITTED AND PROHIBITED USES

2.1 Permitted Uses. The Receiving Party may use the shared data solely for the following purposes: [Permitted Use].

2.2 Prohibited Uses. The following uses of the shared data are expressly prohibited: [Prohibited Uses].

2.3 No Further Disclosure. The Receiving Party shall not disclose, transfer, or make available the shared data to any third party without the prior written consent of the Disclosing Party, except as required by applicable law.

3. SECURITY AND BREACH NOTIFICATION

3.1 Security Measures. The Receiving Party shall implement and maintain the following security measures to protect the shared data: [Security Requirements].

3.2 Breach Notification. The Receiving Party shall notify the Disclosing Party of any actual or suspected security incident involving the shared data within [Breach Notification Deadline], providing details of the nature of the incident, the data involved, the individuals affected, and the remediation steps taken or planned.

3.3 Audit Rights. The Disclosing Party shall have the right, upon reasonable notice, to audit the Receiving Party's security practices and data handling procedures as they relate to the shared data.

4. TERM, RETENTION, AND DELETION

4.1 Term. This Agreement shall remain in effect for [Agreement Term], unless earlier terminated by either Party upon thirty (30) days' written notice.

4.2 Retention. The Receiving Party shall not retain the shared data for more than [Retention Period]. Upon expiration or termination of this Agreement, the Receiving Party shall promptly delete or destroy all copies of the shared data and certify such deletion in writing to the Disclosing Party.

4.3 Survival. The obligations of confidentiality, security, and data deletion set forth herein shall survive termination or expiration of this Agreement.

5. LIABILITY AND INDEMNIFICATION

5.1 Indemnification. Each Party shall indemnify, defend, and hold harmless the other Party from and against any claims, losses, damages, fines, and expenses arising from its breach of this Agreement, its negligence, or its violation of applicable privacy or data security law.

5.2 Limitation of Liability. EXCEPT FOR CLAIMS ARISING FROM A PARTY'S GROSS NEGLIGENCE, WILLFUL MISCONDUCT, OR INDEMNIFICATION OBLIGATIONS, NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES.

6. GENERAL PROVISIONS

6.1 Governing Law. This Agreement shall be governed by the laws of the State of [Governing State].

6.2 Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to data sharing and supersedes all prior discussions and agreements on the subject.

6.3 Amendment. This Agreement may only be modified by a written instrument signed by authorized representatives of both Parties.

6.4 Counterparts. This Agreement may be executed in counterparts. Electronic signatures are valid under the E-SIGN Act.

IN WITNESS WHEREOF, the Parties have executed this Data Sharing Agreement as of the Effective Date.

DISCLOSING PARTY: [Disclosing Party Name]

Signature: _______________________________ Date: _______________

Printed Name and Title: _______________________________________________

RECEIVING PARTY: [Receiving Party Name]

Signature: _______________________________ Date: _______________

Printed Name and Title: _______________________________________________

Maintained by Vladislav Sergienko, Founder.

What Is a Data Sharing Agreement?

A Data Sharing Agreement in the United States governs the relationship between the parties by fixing each party's obligations with respect to the data being shared.

The legal framework governing US Data Sharing Agreements is fragmented across multiple federal and state laws, each addressing a specific type of data or industry sector. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR §§ 164.500-534) requires that covered entities sharing protected health information (PHI) with business associates execute a Business Associate Agreement (BAA) — a specialized Data Sharing Agreement containing the mandatory provisions of 45 CFR § 164.504(e). Under the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g), schools and educational agencies may share student records with third parties only under written agreements specifying the authorized uses and prohibiting re-disclosure. The California Consumer Privacy Act (CCPA, Cal. Civ. Code § 1798.100) and the California Privacy Rights Act (CPRA) require businesses that share personal information with third parties for cross-context behavioral advertising to execute contracts imposing CCPA-compliant restrictions on the recipient's use of the data.

For financial data sharing, the Gramm-Leach-Bliley Act (GLBA, 15 U.S.C. § 6801) requires financial institutions sharing nonpublic personal information with service providers to obtain contractual assurances that the service provider will maintain appropriate safeguards. The Federal Trade Commission's updated Safeguards Rule (16 CFR Part 314, effective 2023) specifies the content of these contractual requirements. For government data sharing, the Privacy Act of 1974 (5 U.S.C. § 552a) restricts federal agencies from disclosing records about individuals to other agencies without a written data sharing agreement establishing compatible uses.

A Data Sharing Agreement differs from a Non-Disclosure Agreement (NDA) in scope and structure. An NDA focuses on preventing unauthorized disclosure of confidential information and typically does not address data subject rights, security standards, or regulatory compliance obligations. A Data Sharing Agreement is specifically tailored to data governance — it addresses the full lifecycle of data use, including permitted purposes, security controls, incident response, data subject requests, and retention and deletion schedules.

The emergence of comprehensive state privacy laws — including Virginia's Consumer Data Protection Act (CDPA, Va. Code § 59.1-571), the Colorado Privacy Act (CPA, C.R.S. § 6-1-1301), the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act (TDPSA), and others — has expanded the universe of organizations that need Data Sharing Agreements by imposing data processing contract requirements on businesses subject to these state laws.

When Do You Need a Data Sharing Agreement?

A US Data Sharing Agreement is needed whenever one organization transfers, provides access to, or makes available personal information or confidential data to another organization, and the parties need to establish formal terms governing that data's use, security, and disposition.

In healthcare, a Data Sharing Agreement (in the form of a HIPAA Business Associate Agreement under 45 CFR § 164.504(e)) is mandatory whenever a covered entity — a hospital system, physician group, health insurer, or pharmacy — shares protected health information with a service provider (IT vendor, billing company, cloud host, analytics firm, or legal counsel). Major health systems including Kaiser Permanente, Mayo Clinic, and HCA Healthcare execute thousands of BAAs with vendors annually. Non-compliance with the BAA requirement is a frequent basis for HHS Office for Civil Rights enforcement actions.

In education, Data Sharing Agreements are required under FERPA when schools share student records with third-party service providers (learning management system vendors, tutoring platforms, assessment companies). The Department of Education's FERPA regulations (34 CFR § 99.31(a)(1)) require written agreements specifying that the third party uses the records solely for purposes authorized by the school and does not re-disclose them.

For technology companies and digital advertising platforms operating under California's CCPA/CPRA, Data Sharing Agreements with advertising technology vendors, data brokers, and analytics providers are required to restrict the vendor's use of shared consumer personal information to the disclosed business purpose and to prohibit the vendor from selling or sharing the data with additional parties. The California Privacy Protection Agency (CPPA), established by the CPRA, enforces these requirements with fines up to $7,500 per intentional violation.

In research contexts — clinical trials, public health studies, academic research — Data Sharing Agreements govern the transfer of de-identified or limited datasets between research institutions under the NIH Data Sharing Policy, which requires data management and sharing plans for federally funded research, and the Common Rule (45 CFR Part 46), which governs human subjects research. Institutions like the National Institutes of Health (NIH), Centers for Disease Control and Prevention (CDC), and academic medical centers use Data Sharing Agreements to enable collaborative research while protecting patient privacy and institutional data rights.

Financial institutions sharing customer data with fintech partners, data aggregators (Plaid, MX, Yodlee), and open banking platforms need Data Sharing Agreements that address GLBA obligations, the Consumer Financial Protection Bureau's (CFPB) Section 1033 personal financial data rights rules, and applicable state financial privacy laws.

What to Include in Your Data Sharing Agreement

A complete US Data Sharing Agreement must address the full lifecycle of the shared data relationship — from initial transfer through deletion — with sufficient specificity to satisfy regulatory requirements and allocate responsibility between the parties. The following provisions are essential.

The data description and purpose limitation section identifies with specificity the categories of data being shared (e.g., names, contact information, Social Security numbers, protected health information, financial account data, biometric identifiers), the format and volume of the data, and the specific purposes for which the recipient may use the data. Purpose limitation is a core principle of US data privacy law: under HIPAA, a business associate may only use PHI for the purposes specified in the BAA; under CCPA, a service provider may only use personal information for the business purpose for which it was disclosed. Vague purpose descriptions like "internal business purposes" create compliance risk.

The data security requirements section specifies the technical and organizational measures the recipient must implement to protect the shared data. For HIPAA-covered data, the section must reference the HIPAA Security Rule (45 CFR §§ 164.302-318) and the required and addressable implementation specifications. For payment card data subject to PCI DSS, the section must require the recipient to maintain PCI DSS compliance. For general personal information, the section should require encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), multi-factor authentication for administrative access, access controls limiting data to authorized personnel, audit logging, and regular security assessments.

The data subject rights and requests section specifies how the parties will cooperate to respond to individuals' rights requests under applicable state privacy laws — CCPA opt-out requests, CPRA deletion requests, Virginia CDPA access and correction rights — and under FERPA (student record access requests). The section should specify the timeframe for the recipient to assist the provider in responding to rights requests (typically within 5 to 10 business days of the request), since most state privacy laws impose 45-day response deadlines on the data controller.

The breach notification obligations section requires the recipient to notify the provider within a specified timeframe — typically 48 to 72 hours of discovery — of any actual or suspected security incident involving the shared data. This timeline must be compatible with the provider's own obligations under state breach notification laws, HIPAA's 60-day notification requirement, and the FTC Safeguards Rule's 30-day notification requirement. The section should specify the minimum content of the incident notification and the recipient's obligation to cooperate in the provider's breach investigation.

The data retention and deletion section specifies the maximum retention period for shared data, the conditions under which the recipient must delete or return the data (upon expiration of the agreement, completion of the specified purpose, or provider request), and the certification of deletion required by many privacy laws. HIPAA BAAs must address the return or destruction of PHI upon termination of the BAA (45 CFR § 164.504(e)(2)(ii)(J)).

The liability and indemnification section allocates responsibility between the parties for losses arising from breach of the agreement. Given that data breach costs — including regulatory fines, class action settlements, and breach response costs — can be substantial, the liability provisions in Data Sharing Agreements require careful negotiation, particularly regarding caps on liability, exclusions for consequential damages, and cyber insurance requirements.

Sources & Citations

Statutory citations link to official government sources.

  1. 20 U.S.C. § 1232g (US) – Cornell LII
  2. 15 U.S.C. § 6801 (US) – Cornell LII
  3. 5 U.S.C. § 552a (US) – Cornell LII
  4. 45 CFR §§ 164.500 (US) – eCFR
  5. 45 CFR § 164.504 (US) – eCFR
  6. 34 CFR § 99.31 (US) – eCFR
  7. 45 CFR §§ 164.302 (US) – eCFR
  8. Health Insurance Portability and Accountability Act (US) – Cornell LII
  9. HIPAA (US) – Cornell LII
  10. California Consumer Privacy Act (CA, US) – official
  11. Cal. Civ. Code § 1798.100 (CA, US) – official

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Sharing Agreement (United States) [Legal document template]. Forms Legal. https://forms-legal.com/usa/business/contracts/data-sharing-agreement

MLA

"Data Sharing Agreement (United States)." Forms Legal, 2026, https://forms-legal.com/usa/business/contracts/data-sharing-agreement.

BibTeX

@misc{formslegal-data-sharing-agreement,
  author       = {{Forms Legal}},
  title        = {Data Sharing Agreement (United States)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/usa/business/contracts/data-sharing-agreement}},
  note         = {Free legal document template. Based on Uniform Commercial Code (UCC)}
}

Based on Uniform Commercial Code (UCC) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
