Data Sharing Agreements: Health and Care Sector

Data sharing agreements

This is a practical guide to data sharing agreements in health and social care, covering roles, requirements, examples, sector context and drafting challenges. 

Data Sharing Agreements (DSA) in the health and social care sector 

A Data Sharing Agreement (DSA) is a written agreement put in place to govern the sharing of personal data between two or more data controllers. It outlines the purposes of the data sharing, what happens to the data at each stage, and the parties' respective roles and responsibilities. In recent years, the health and social care sector has seen a radical move towards sharing data to improve patient care, streamline operations, facilitate research and development, and manage rising population health concerns. 

Consequently, DSAs play an important role in ensuring that health and social care organisations can share data while ensuring compliance with data protection legislation and safeguarding patient data and privacy. 

This article sets out the key data protection roles involved in data sharing within the health and social care sector, how to determine when a DSA is required, typical data sharing scenarios, sector-specific considerations, and the pitfalls to be aware of with commonly used DSA drafting tools. 

For more general information about Data Sharing Agreements, please see our article on Everything You Need To Know About Data Sharing Agreements. 

Data Protection Roles 

Before sharing any personal data, it is essential to understand your organisation’s role under data protection law, specifically the United Kingdom General Data Protection Regulation (UK GDPR). Notably, the transfer or sharing of data is considered a distinct processing activity under data protection legislation. 

In most cases, your organisation will be acting as: 

  • A data controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; 
  • A data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; or 
  • A data sub-processor: a third-party data processor engaged by a data processor to sub-contract all or some of the processing carried out on the controller's behalf. 

For example, the data protection roles can be illustrated where an NHS hospital trust wants to replace multiple departmental record-keeping systems with a single, trust-wide Electronic Patient Record system (EPR) from a single supplier. Here, the trust alone determines how and why the patients’ personal data will be processed; they will direct the supplier to assist with transferring the data to the new system. The supplier will only be acting under the trust’s instructions and not processing the data for their own purposes. Therefore, the hospital trust is considered the data controller in this scenario, while the supplier is the data processor. 

It is important to be aware of your organisation’s data protection role to determine the type of information governance agreement needed for the data sharing process. A DSA should be established between two or more controllers who share personal data with each other. Data sharing between a controller and a processor, such as that between the hospital trust and supplier, or between a processor and a sub-processor, should instead be governed by a Data Processing Agreement (DPA). To find out more about DPAs, please see our article on Understanding the Difference Between Data Controller and Data Processor. 

Types of Controllership 

If all organisations involved in the data sharing activity are data controllers, you should determine whether they are joint or independent controllers. 

  • Joint controllers arise where two or more organisations jointly decide both the purposes and means of processing the same personal data.  
  • In contrast, organisations are independent controllers where they process the same personal data for separate, distinct purposes. 

For example, an Integrated Care Board (ICB) initiates a population health management project to support service planning. It asks a group of GP practices and local hospitals to share patient data for analysis and appoints external analysts to generate insights into population health. The ICB also contracts a cloud hosting supplier that will store and pseudonymise the data so that individuals cannot be identified during the analysis. In this scenario, the ICB determines why and how the data is processed (i.e. the purpose and means) and is therefore acting as a data controller; the analysts and the hosting supplier act only on the ICB's instructions and are its processors. 

As part of the project, GP practices and hospitals may receive risk notifications about patients under their care, along with a key enabling re-identification. They use this information to re-identify patients to whom they can deliver direct care interventions. In doing so, they independently decide how and why to use the personal data and with whom it is shared. This means the GP practices and hospitals are also acting as data controllers. 

Although all the parties are data controllers, they are independent controllers, as they are processing the data for different purposes, namely population health analysis and direct care provision, rather than jointly determining a common purpose. 

The Need for a DSA 

When controllers agree to share personal data with each other, it is important to document the agreed terms of that sharing. Although the UK GDPR does not require parties to adopt a formal written agreement in every case, the Information Commissioner (IC) advises that Data Sharing Agreements (DSAs) should always be drafted as a matter of best practice, particularly if special categories of data are being shared or the data sharing is taking place on a large scale. 

  • Under Article 26 UK GDPR, joint controllers must put in place a “transparent arrangement” that allocates their respective roles and responsibilities for compliance. IC guidance notes that a DSA can be used to support this arrangement, including clarifying responsibilities for handling subject access requests, data retention and deletion, developing privacy notices, acting as the point of contact, and implementing appropriate security measures. 
  • While a formal agreement is not mandatory under the UK GDPR for data sharing between independent controllers, drafting a written DSA is considered best practice to help demonstrate compliance with key data protection principles and to build and maintain trust with data subjects. 

Parties to Data Sharing  

Data sharing in the health and social care sector can occur across a wide range of organisations and settings, depending on the purpose of the processing and the relevant care, service, or project context. 

This may include sharing data between integrated care boards (ICBs), hospital trusts, third party suppliers (e.g. providers of consulting or evaluation services), between private healthcare services and NHS England, and even with organisations in other sectors such as Voluntary and Community Sector (VCS) organisations and the Department for Work and Pensions (DWP). 

Sector-specific considerations 

Data sharing in the health and social care sector is subject to several additional legal and regulatory considerations, reflecting the sensitivity of the data involved and the context in which it is processed. Organisations should be mindful of the following: 

  1. Statutory duties and lawful basis 

In some cases, data sharing may be underpinned by a statutory obligation. For example, the duty to share information introduced by the Health and Social Care (Quality and Safety) Act 2015, reflected in Caldicott Principle 7, requires personal data to be shared where it will facilitate the provision of health or social care and is in the individual's best interests. A statutory duty of this kind can support a lawful basis under Article 6 of the UK GDPR (typically legal obligation or public task), but note that the Caldicott Principles themselves are guidance rather than a lawful basis, and that health data is special category data, so an Article 9 condition (for direct care, usually Article 9(2)(h)) must also be identified. 

  2. Consent in practice vs. consent as a lawful basis 

The concept of consent in a health and social care setting does not always align with consent as a lawful basis in data protection legislation. While personal data can be viewed and shared for direct care purposes on the basis of implied or explicit patient consent, this 'consent' satisfies the common law duty of confidentiality and is different from the consent that the UK GDPR defines as a lawful basis for processing personal data. In practice, direct care processing is usually based on public task under Article 6(1)(e) together with Article 9(2)(h), not on UK GDPR consent, which would have to be freely given and withdrawable. 

  3. Common law duty of confidentiality 

In addition to data protection considerations, organisations must comply with the common law duty of confidentiality. Where the purposes of processing personal data fall outside the scope of direct care, such as research, implied patient consent cannot be relied upon. In these cases, it may be necessary to apply to the Confidentiality Advisory Group (CAG) for support under section 251 of the NHS Act 2006, which allows the duty of confidentiality to be set aside so that confidential patient information can be processed and shared without patients' explicit consent. 

Common Data Sharing Agreement Tools  

The process of developing Data Sharing Agreements can be complex and resource intensive. It involves setting out permitted and restricted data uses which often requires futureproofing to account for evolving needs, an assessment of each party’s willingness to collaborate, and clear allocation of the parties’ legal responsibilities, all while maintaining regulatory compliance. 

Several common pitfalls arise in the tools and approaches organisations typically use to draft DSAs: 

  1. DSA drafting and editing on Microsoft Word 

Many organisations still rely on Word documents to draft and negotiate DSAs. While familiar and accessible, this approach can be inefficient in multi-party arrangements, particularly where multiple versions are required. Proposed changes are difficult to track across stakeholders, and there is often limited visibility over the most up-to-date agreed position. 

  2. Use of standard template DSAs 

Template agreements are widely used to streamline drafting and ensure consistency. However, they are often generic and may not adequately reflect the specific requirements of health and social care data sharing, particularly where complex governance arrangements, special category data, or novel use cases are involved. As a result, significant manual tailoring is frequently required, reducing their efficiency benefits. 

  3. AI-assisted drafting and review tools 

Increasingly, organisations are exploring AI tools to support the drafting and review of DSAs. While these tools can improve speed and consistency in document creation, they also raise challenges. These include concerns around accuracy, the risk of overlooking context-specific legal or governance nuances, and uncertainty about how sensitive information is processed or stored within third-party AI systems. Draft DSAs frequently contain details of the data sets, systems and parties involved, so they should not be entered into an external AI tool unless that provider is itself engaged under an appropriate agreement. As a result, outputs typically require careful human review and should not be relied upon without expert advice. 

  4. Zolteria® 

Zolteria® is an IGS solution designed to simplify the creation, management and approval of DSAs and related agreements. Organisations may wish to consider a more streamlined, cost- and time-efficient digitised approach to managing DSAs and data sharing frameworks, particularly one that supports the full lifecycle, from drafting and editing through to review, version control and execution. For further information on the Zolteria platform, please contact IGS at info@informationgovernanceservices.com

Conclusion 

We hope this article has provided a helpful overview of DSAs in the health and social care sector, including the roles of the parties involved in data sharing, when a DSA is required or advisable, typical data sharing scenarios, sector-specific considerations, and the limitations of common DSA drafting tools. 

If you have any questions or would like support in developing a data sharing agreement, please explore our services or contact us and a member of our experienced data protection team will be happy to assist you. 
