A data sharing agreement is legally required under UK GDPR when two or more institutions act as joint controllers of personal data in a research collaboration — Article 26 makes this a binding obligation, not a discretionary policy choice. It is a legal contract, distinct from a data management plan, which has no equivalent status in data protection law. Searching for a generic data sharing agreement template that UK institutions can copy is the wrong starting point: the correct document depends on your controller status, not a fill-in-the-blank form.
A data sharing agreement is a written contract between two or more organisations that sets out the purpose, scope, lawful basis, security standards, and responsibilities governing an exchange of personal data. For research administrators coordinating multi-institution studies, knowing exactly when one is mandatory — and how it differs from a data management plan or a data processing agreement — determines whether a project is compliant before the first dataset moves.
- Data sharing agreement vs data management plan: what’s the difference?
- When does UK GDPR require a data sharing agreement?
- What must a data sharing agreement contain?
- Data sharing agreement vs data processing agreement
- Common questions on data sharing agreements
- What this means for research administrators
- Getting the agreement right
Data sharing agreement vs data management plan: what’s the difference?
These two documents are frequently conflated in research administration, but they serve different functions. A data sharing agreement is a legally binding contract between institutions. A data management plan (DMP) is a research-planning document, usually required by a funder as a grant condition, describing how data will be collected, stored, and archived over a project’s life.
- Legal status — a data sharing agreement can be a binding contract; a DMP is a funder deliverable with no contractual force.
- Trigger — a data sharing agreement responds to UK GDPR obligations; a DMP responds to funder grant terms.
- Audience — a data sharing agreement binds the named institutions; a DMP is submitted to and reviewed by the funder.
- Content focus — a data sharing agreement covers lawful basis, security, and liability; a DMP covers data formats, repositories, and preservation.
UKRI’s data policy expects funded researchers to produce a DMP, and Horizon Europe’s Model Grant Agreement requires one as part of its open science obligations. Neither substitutes for a data sharing agreement where personal data crosses institutional boundaries — the two are complementary, not interchangeable.
When does UK GDPR require a data sharing agreement?
UK GDPR does not impose a blanket legal requirement to have a written data sharing agreement for every instance of data sharing. Whether one is mandatory depends on the legal relationship between the parties, not on the existence of a research project alone.
Under Article 26 of UK GDPR, organisations that jointly determine the purposes and means of processing personal data — for example, two universities co-designing a study and jointly deciding what data to collect and how to use it — are joint controllers. The law requires them to set out their respective responsibilities in an arrangement, including who handles privacy notices, subject access requests, and the primary contact point for data subjects.
Where institutions instead act as independent controllers — each using the shared data for its own separate purpose, such as one university passing anonymised cohort data to a partner for an unrelated secondary analysis — UK GDPR does not legally mandate a written agreement. The Information Commissioner’s Office (ICO) nonetheless recommends one as good practice, since it helps demonstrate the UK GDPR accountability principle.
The regulatory landscape shifted further with the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025 and amends both UK GDPR and the Privacy and Electronic Communications Regulations — institutions should check DSIT’s commencement timetable before assuming legacy practices remain unchanged.
What must a data sharing agreement contain?
The ICO’s statutory Data Sharing Code of Practice sets out what a data sharing agreement should cover, regardless of whether it is legally mandatory in a given case. A research-focused agreement should address:
- The identity of every party, including a named Data Protection Officer contact.
- The specific research purpose and why the sharing is necessary to achieve it.
- A precise description of the data items shared, flagging any special category or criminal offence data.
- The lawful basis each party relies on, which may differ between institutions.
- The designated point of contact for data subjects — mandatory for joint controllers under Article 26.
- Security, retention, and end-of-project deletion or return arrangements.
- Breach-notification procedures and safeguards for any international data transfer.
The table below distinguishes the three documents most often confused.
| Document | Legally mandatory? | Governs | Typical owner |
|---|---|---|---|
| Data sharing agreement | Only for joint controllers (Article 26) | Lawful basis, roles, security, liability | Data Protection Officer / legal team |
| Data processing agreement | Yes, always (Article 28) | Processor’s instructions from the controller | Data Protection Officer / procurement |
| Data management plan | Only if the funder requires it | Data formats, storage, archiving over project lifecycle | Principal investigator / research office |
Data sharing agreement vs data processing agreement
A data sharing agreement and a data processing agreement address opposite relationships. A data sharing agreement applies between two or more controllers who each decide, jointly or independently, how personal data will be used. A data processing agreement applies when a controller instructs a processor — an organisation handling data solely on the controller’s instructions, such as a cloud storage provider — to process personal data on its behalf. Article 28 of UK GDPR makes the processing agreement mandatory in every controller-to-processor relationship, with terms prescribed by law; no equivalent blanket rule exists for controller-to-controller sharing.
Common questions on data sharing agreements
Is a data sharing agreement legally required?
A data sharing agreement is legally mandatory only when two or more organisations act as joint controllers under UK GDPR Article 26. For independent controllers sharing data for their own separate purposes, the ICO’s data sharing code recommends but does not legally require a written agreement — though skipping one weakens your accountability defence if challenged.
What is the difference between a data sharing agreement and a data processing agreement?
A data sharing agreement governs data moving between two controllers who each decide how it is used. A data processing agreement is legally required under UK GDPR Article 28 whenever a controller instructs a processor to handle data on its behalf. Confusing the two risks drafting entirely the wrong contractual terms for the relationship.
What are the 7 golden rules of data sharing?
The “seven golden rules” originate from UK government safeguarding guidance for practitioners, not from UK GDPR itself. They emphasise that data protection law is not a barrier to justified sharing, that sharing should be necessary and proportionate, and that decisions must be recorded — sound principles, but not a substitute for a formal data sharing agreement.
What is the data sharing law in the UK?
There is no single “data sharing law” — sharing personal data is governed by UK GDPR, the Data Protection Act 2018, and, since Royal Assent on 19 June 2025, the Data (Use and Access) Act 2025, which amends both frameworks. Research collaborations must also observe common-law confidentiality duties alongside these statutes.
What this means for research administrators
For institutions running multi-site studies, the practical starting point is a controller-relationship analysis, not a template download. Research offices should determine whether partners are jointly designing the research question — pointing to joint controllership and a mandatory Article 26 arrangement — or each applying the data to its own distinct purpose, pointing to independent controllership and a recommended, non-mandatory agreement. This should run alongside, not instead of, the DMP required by funders such as UKRI or Horizon Europe. Bodies like ARMA (the Association of Research Managers and Administrators) increasingly treat this controller-status check as standard due diligence, sitting alongside ethics review rather than as a legal afterthought.
Getting the agreement right
A data sharing agreement and a data management plan answer different questions: one sets the legal terms under which personal data moves between institutions; the other describes how research data will be handled and preserved over a project’s lifecycle. Joint decision-making about personal data requires the former as a matter of UK GDPR law; funders increasingly require the latter as a matter of grant compliance. Treating the two as interchangeable is the most common compliance gap in multi-institution research — build the controller-status check into the standard research administration workflow, before data starts moving.








