Data Sharing Agreement Template Guide

When organizations share data, having clear rules is critical. A Data Sharing Agreement (DSA) is a formal contract that defines how data is exchanged, used, and secured between parties. This document is crucial for reducing risks, ensuring compliance with laws like GDPR and HIPAA, and preventing costly data breaches.

Key Highlights:

• Purpose: DSAs outline roles (e.g., data controller, processor), the purpose of sharing, and the type of data involved.
• Security: They require encryption (e.g., AES-256), access controls, and breach protocols.
• Compliance: DSAs help meet legal obligations like GDPR, CPRA, and HIPAA, including breach notifications and data subject rights.
• Confidentiality: Clear terms restrict data misuse, resale, or unauthorized access.

Using a DSA ensures accountability, protects sensitive information, and builds trust in business relationships. Regular reviews and updates keep agreements aligned with evolving laws and technology.

RDMbites | How to write a data sharing agreement between collaborators

sbb-itb-5f36581

Core Elements of a Data Sharing Agreement

A strong data sharing agreement (DSA) is essential to safeguard all parties involved while adhering to legal standards. At its core, a DSA should clearly identify the organizations participating and define their roles - whether as a data controller (deciding how data is used), a data processor (handling data on behalf of another entity), or a joint controller (sharing decision-making responsibilities). Under the UK GDPR and the Data Protection Act 2018, joint controllers are required to formalize their respective responsibilities in writing.

The agreement must also outline the purpose of data sharing and specify the exact data being exchanged. It’s crucial to document the lawful basis for processing data - such as consent or legitimate interests - especially when dealing with sensitive or special category data. The Information Commissioner’s Office (ICO) often considers the presence of a DSA when investigating complaints about data sharing practices.

Parties, Roles, and Data Scope

Start by listing all organizations involved. Assign specific roles to each party and designate representatives responsible for managing the agreement and overseeing communications.

To clarify ownership and usage rights, label each party as either the Provider or Recipient for specific datasets. The Provider retains ownership and intellectual property rights, while the Recipient is granted limited usage rights for clearly defined purposes. The agreement should also detail what data will be shared, the intended purpose, and protocols for adding or removing parties from the arrangement. For joint controllers, Article 26 of the UK GDPR and Section 58 of the DPA 2018 require the agreement to designate a contact point for data subjects.

Data Types and Security Requirements

Once roles and data scope are established, categorize the data being shared and define security protocols. Data can be grouped into categories such as personal information, sensitive data (e.g., Protected Health Information under HIPAA), or public datasets. This classification dictates the necessary security measures.

Technical safeguards should include encryption (both at rest and in transit), secure authentication, access controls, and audit trails. For compliance in the U.S., agreements must address Personally Identifiable Information (PII) and Protected Health Information (PHI). Strong encryption, secure communication protocols, and role-based access restrictions are critical. The agreement should also include provisions for data accuracy, specify recording formats, and outline retention periods. When the agreement ends, it must detail protocols for securely deleting or returning the data.

"The future of data collaboration is about not exposing data in the first place. With Multi-Party Computation, we enable organizations to generate insights together without giving up control of their data."

• Kim Nørskov, Chief Success Officer, Partisia

These safeguards are crucial for meeting regulatory and legal requirements.

Regulatory and Legal Obligations

After defining data types and security measures, the next step is ensuring compliance with relevant legal and regulatory frameworks. Identify all laws that apply to the data sharing arrangement. In the U.S., this might include HIPAA for healthcare data, state laws like California’s CPRA, and federal regulations for specific industries. Under the CCPA/CPRA, businesses processing data for 100,000 or more consumers must adhere to specific data sharing and opt-out requirements.

The agreement should define what constitutes a "personal data breach" and establish strict notification protocols for informing data controllers and affected individuals. It must also address data subject rights - such as the right to access, correct, or delete data - and specify which party is responsible for handling these requests. For federal data sharing in the U.S., determine whether you need agreements like a Computer Matching Agreement (CMA) for benefits verification, an Information Exchange Agreement (IEA) for inter-agency transfers, or a Data Use Agreement (DUA) for sharing PII/PHI. If data is transferred internationally, ensure compliance with local laws by conducting thorough security assessments.

Protecting Data Security and Confidentiality

Once the core elements of data sharing are in place, ensuring robust security measures and strict confidentiality terms becomes essential. Data breaches can cost millions and impact more than half of companies. This makes implementing comprehensive protections a must.

Technical Security Controls

Every agreement should mandate strong, multi-layered technical safeguards. Start with encryption: AES-256 for data at rest and TLS 1.3 for data in transit are industry standards. Add multi-factor authentication (MFA) and role-based access control (RBAC) to limit access to only those who need it.

Accountability hinges on audit logs. Every access attempt should be documented - who accessed the data, when, and why. For sensitive data sharing, explore privacy-focused tools like Multi-Party Computation (MPC), which allows collaborative analysis without exposing raw data. Despite its benefits, only 33% of businesses have adopted data clean rooms for secure collaboration.

Data minimization is another critical factor. Use techniques like anonymization and de-identification to reduce risks. Where feasible, provide read-only access to prevent unauthorized changes while still enabling analysis. Enforce Data Loss Prevention (DLP) protocols and adopt strict retention and deletion policies to reduce exposure to breaches.

While these technical measures are the backbone of security, they must be paired with well-defined confidentiality terms to ensure data use remains controlled.

Confidentiality Terms and Restrictions

Technical safeguards alone aren’t enough - clear contractual terms are necessary to govern data use. Define "Confidential Information" explicitly in your agreement and limit its use to specific, documented purposes. Avoid vague language like "any business purpose"; instead, specify terms like "solely for campaign reporting and audience analysis".

Include clauses that prohibit the sale, transfer, or disclosure of shared data to third parties or competitors without prior written consent. For compliance with regulations like the EU AI Act (effective 2026), require explicit consent before using shared data for training machine learning models. Set clear breach notification timelines - typically within 24 to 72 hours - and allocate responsibility for investigation expenses and credit monitoring. Partners should also maintain certifications like SOC 2 Type II or ISO 27001 as a condition of the agreement.

To ensure accountability, establish audit rights. These could include quarterly self-assessments or inspections of sub-processors. Under GDPR, maintain a list of all subcontractors and allow a 30-day objection window before new vendors handle shared data. Finally, make sure confidentiality obligations remain in effect even after the agreement ends, ensuring ongoing protection of shared data.

How to Create and Maintain Data Sharing Agreements

Data sharing agreements (DSAs) require ongoing attention - from drafting to regular updates - to ensure compliance and effectiveness. While not explicitly required under UK GDPR, the Information Commissioner's Office (ICO) highlights their importance in demonstrating accountability. Additionally, having a DSA in place can influence the resolution of data sharing complaints.

Writing Clear and Detailed Agreements

Once the key elements of a DSA are identified, the drafting process should focus on clarity and precision. Start by naming all involved parties, such as the data provider and recipient. Define the purpose and scope by explicitly stating the goals of the data exchange and why it is necessary. Specify the exact data to be shared - whether it’s personal identifiers, anonymized information, or aggregated datasets - and clearly outline what will not be included.

Identify the legal basis for data sharing under regulations like GDPR. Specify whether the justification relies on consent, legitimate interest, or another legal framework, and outline how each party will comply. Include minimum standards for technical and organizational safeguards, such as encryption, access controls, and audit trails. Clearly define the roles of each party - whether as data controllers, processors, or joint controllers.

Address retention and deletion procedures by specifying how long data will be stored, the conditions for deletion, and the methods for secure destruction or return. Include a breach response plan with clear timelines for notification and steps for mitigation. Finally, establish formal dispute resolution methods, such as mediation or arbitration. Throughout the document, use straightforward and accessible language to avoid ambiguity.

Conducting Regular Reviews and Updates

Plan for regular reviews - whether quarterly or annually - and make immediate updates when regulations or data-sharing purposes change. For example, new legislation like the Data (Use and Access) Act, introduced in June 2025, may require adjustments to existing agreements. Regularly review technical safeguards, such as encryption protocols and access controls, to ensure they meet current standards.

"A stagnant data sharing agreement is a liability; a living one adds value." - Partisia

These reviews should also align with your documentation practices to keep everything up-to-date and compliant.

Record-Keeping and Documentation Practices

Maintain a thorough Records of Processing Activities (ROPA) that outlines operations, purposes, and durations. Store signed agreements, amendments, and Confirmation Letters of Participation in a centralized repository for easy access. Keep detailed audit trails to log data access and its purpose.

Document data end-of-life processes by retaining certificates of destruction or similar records when data is deleted or returned. Regularly verify the accuracy of shared data and ensure staff are trained on DSA protocols. Under GDPR, failing to comply with these requirements can result in fines of up to €20 million or 4% of annual global turnover.

"A data sharing agreement... should help you to justify your data sharing and demonstrate that you have been mindful of, and have documented, the relevant compliance issues." - Information Commissioner's Office (ICO)

Conclusion: Building Compliant Data Sharing Practices

Data sharing agreements (DSAs) play a key role in managing risks and ensuring accountability in data management. By integrating DSAs into their processes, organizations provide themselves with a safety net during regulatory scrutiny. For instance, the Information Commissioner's Office (ICO) specifically evaluates whether a data sharing agreement is in place when examining how organizations handle data. With potential GDPR penalties reaching as high as €20 million or 4% of global annual revenue, the financial risks of non-compliance are substantial.

Beyond regulatory compliance, a well-designed DSA fosters trust by clearly outlining how data will be used, protected, and managed. This clarity helps minimize misunderstandings and reduces inefficiencies in operations.

To truly benefit from DSAs, organizations must make them a standard part of every data-sharing interaction - whether working with research collaborators, third-party vendors, or cloud service providers. These agreements should detail what data is included or excluded, establish protocols for addressing breaches (complete with response timelines), and specify retention periods along with secure deletion processes.

Think of your DSAs as dynamic documents that grow and adapt with your business. Regularly reviewing and updating them ensures they stay aligned with evolving regulations, such as the Data (Use and Access) Act, which became law on June 19, 2025. Keeping these agreements up to date is crucial for maintaining compliance and building long-term trust in your data-sharing practices.

FAQs

When do I need a data sharing agreement?

A data sharing agreement is essential when exchanging personal, sensitive, or regulated information between parties. It lays out clear terms regarding responsibilities, protections, and compliance requirements. This is particularly crucial when handling sensitive details like health records or financial data, managing cross-border data transfers, or working with third-party vendors. Such agreements help safeguard against misuse, breaches, and legal risks, ensuring adherence to regulations like GDPR or CCPA.

Who is the controller vs. processor in a DSA?

In a Data Sharing Agreement (DSA), the parties involved are typically independent controllers. Each party decides its own purposes and legal basis for processing data and takes full responsibility for its respective activities.

On the other hand, a Data Processing Agreement (DPA) outlines the relationship between a controller and a processor. In this setup, the processor manages data strictly on behalf of the controller.

What should a DSA say about breaches and deletion?

A well-crafted data sharing agreement must spell out how to handle breaches. This includes defining who needs to be notified, the timeline for notification, and any required actions to mitigate risks.

Additionally, it should detail protocols for data deletion. This means specifying how long data will be retained and outlining secure methods for its removal once it’s no longer needed. These measures are key to maintaining compliance and ensuring data is managed responsibly.

Related Blog Posts

• Internal Data Breach Reporting Checklist
• Best Practices for Third-Party Data Sharing
• GDPR Breach Notification Letter Templates
• Checklist for Data Sharing Agreement Compliance