
    Data Sharing Agreement vs Data Processing Agreement: What Research Offices Get Wrong

    A data sharing agreement governs an exchange of personal data between two or more independent data controllers, while a data processing agreement is the contract that Article 28 UK GDPR makes mandatory whenever a controller instructs a processor to handle data on its behalf. Research offices most often need the former for multi-institution collaborations and the latter for any third-party processor, such as a survey platform, transcription service, or cloud host.

    A data sharing agreement is a contract between two or more data controllers who each independently decide how they will use a shared dataset. A data processing agreement is the contract GDPR Article 28 requires whenever a controller engages a processor that acts only on documented instructions and has no independent decision-making power over the data.

    What Is the Difference Between a Data Sharing Agreement and a Data Processing Agreement?

    The confusion research offices run into is structural, not semantic. The data sharing agreement versus data processing agreement question always comes down to one fact: who controls the data, and who merely acts on it. A data sharing agreement documents a controller-to-controller relationship. A data processing agreement documents a controller-to-processor relationship. Everything else — what clauses are mandatory, what liability attaches, whether the ICO expects to see it — follows from that single distinction.

    Two universities pooling anonymised cohort data for a joint publication are both controllers; they need a data sharing agreement. A university engaging a transcription service to convert interview recordings is the controller, and the vendor is the processor; that relationship needs a data processing agreement. The two documents are not interchangeable.

    Data Sharing Agreement (DSA) compared with Data Processing Agreement (DPA), feature by feature:

    Relationship
        DSA: Controller to controller
        DPA: Controller to processor

    Decision-making
        DSA: Each party decides its own purposes and means
        DPA: Processor acts only on the controller’s documented instructions

    Legal mandate
        DSA: Not mandatory in itself, but the ICO’s statutory code treats it as expected good practice
        DPA: Mandatory under Article 28 UK GDPR whenever a processor is engaged

    Typical research use
        DSA: Multi-institution consortia, joint publications, shared registries
        DPA: Survey platforms, transcription services, cloud hosting, statistical consultancies

    Governing source
        DSA: ICO Data Sharing Code of Practice (statutory, under s.121 Data Protection Act 2018)
        DPA: Article 28, UK GDPR / EU GDPR

    When Is a Data Sharing Agreement Required for a Research Collaboration?

    A data sharing agreement becomes necessary the moment two or more organisations — for example, two universities, a university and an NHS trust, or a university and an industry partner — each intend to use a shared dataset for their own research purposes. Under the ICO’s Data Sharing Code of Practice, a statutory code issued under section 121 of the Data Protection Act 2018, a formal agreement is not an absolute legal requirement, but the ICO expects one wherever routine or systematic sharing occurs between controllers, treating it as evidence of accountability under the UK GDPR.

    In practice, most collaborative research grants involving identifiable participant data — clinical cohorts, survey respondents, student records — should have a data sharing agreement in place before data changes hands, regardless of whether the grant terms mention one.

    When Is a Data Processing Agreement Legally Mandatory?

    Unlike a data sharing agreement, a data processing agreement is not discretionary. Article 28 of the UK GDPR requires a written contract wherever a controller uses a processor, and that extends down the chain: if a processor sub-contracts further, another written agreement is needed there too. For a research office, this covers any external service handling personal data on the institution’s instructions without deciding why or how it is used — a data-collection tool, a statistical analysis contractor, or a transcription vendor.

    A data processing agreement must specify the subject matter, duration, and purpose of processing, the categories of data and data subjects involved, each party’s rights and obligations, and the security and breach-notification terms the processor must meet. Missing any of these terms is a compliance gap, not a drafting preference.

    Where Do Joint Controller Arrangements Fit?

    The case research offices most commonly mishandle is not DSA-versus-DPA at all — it is where two institutions jointly determine the purposes and means of processing one dataset, rather than each independently using their own copy. That relationship is governed by Article 26 UK GDPR, which requires a joint controller arrangement setting out each party’s responsibilities, particularly around data subject rights, and requires that the “essence” of that arrangement be made available to data subjects.

    This distinction matters for consortium research funded through instruments such as Horizon Europe, where the Model Consortium Agreement typically sits alongside — not instead of — any joint-controller documentation for personal data. UKRI-funded projects carry a parallel obligation: an approved data management plan is a standard grant condition, but it is a research-governance document, not a substitute for the GDPR-compliant contract.

    A data sharing agreement and a joint controller agreement are frequently confused because both involve multiple controllers. The dividing line is independence of purpose: if each party uses the data for its own separate research question, a data sharing agreement applies; if the parties jointly decide the purpose and means of one processing activity, Article 26 applies instead.

    Frequently Asked Questions

    What Is the Difference Between a DPA and a DSA?

    A DPA (data processing agreement) governs a controller-to-processor relationship and is mandatory under Article 28 UK GDPR. A DSA (data sharing agreement) governs a controller-to-controller relationship and is not strictly mandatory, but is expected best practice under the ICO’s statutory code wherever personal data moves between independent organisations.

    Is a DPA the Same as an NDA?

    No. A data processing agreement specifically governs how personal data is processed under GDPR, including security measures and sub-processor rules. An NDA (non-disclosure agreement) protects confidential information generally — trade secrets, unpublished results, commercial terms — and carries no GDPR obligations of its own. Research collaborations frequently need both, for different purposes.

    Does the UK Use GDPR or DPA?

    Both, and the shared acronym is itself a source of confusion. The UK operates the UK GDPR alongside the Data Protection Act 2018 (DPA 2018), which supplements it domestically. Research offices should note that “DPA” means something different in each context: the Data Protection Act 2018 is UK legislation, while a data processing agreement is a specific contract required under that legislation’s GDPR framework.

    What Is the Difference Between a DPA and a Data Sharing Agreement?

    The same core distinction applies: a data processing agreement binds a processor acting on a controller’s instructions, while a data sharing agreement binds two or more controllers each pursuing their own purposes. Signing the wrong one leaves a research office either over-contracting a simple vendor relationship or under-documenting a genuine controller-to-controller data exchange.

    A Decision Checklist for Research Offices

    Before drafting either document, a research office should establish:

    • Is the other party deciding independently how to use the data, or only following our instructions? Independent use points to a data sharing agreement; instruction-only use points to a data processing agreement.
    • Are two or more institutions jointly deciding the purpose and means of a single processing activity? If so, Article 26 UK GDPR joint controller terms apply, not a standard data sharing agreement.
    • Does the collaboration involve a funder-mandated data management plan (for example, under UKRI or Horizon Europe terms)? A data management plan complements but does not replace the GDPR-compliant contract.
    • Is any processor sub-contracting further processing? Each link in that chain needs its own written data processing agreement under Article 28.
    • Does the exchange involve special category data — health records, genetic data, criminal offence data? These generally raise the bar for documented lawful basis and security terms in either agreement type.

    The Bottom Line for Research Administration

    Research offices that treat data sharing agreements and data processing agreements as interchangeable paperwork expose their institutions to two distinct risks: an unenforced Article 28 obligation with a processor, or an undocumented controller-to-controller exchange the ICO’s statutory code expects to see evidenced. Getting the classification right — controller-to-controller, controller-to-processor, or joint controller — determines which contract is legally required, which is merely good practice, and what each must contain. As multi-institution, multi-funder consortia become the norm, that classification step belongs at the front of every research office’s data governance workflow, alongside the project’s data management plan.