Tag: data sharing agreement vs data processing agreement

  • Data Sharing Agreement vs Data Processing Agreement: What Research Offices Get Wrong

    A data sharing agreement governs an exchange of personal data between two or more independent data controllers, while a data processing agreement is the contract that Article 28 UK GDPR makes mandatory whenever a controller instructs a processor to handle data on its behalf. Research offices most often need the former for multi-institution collaborations and the latter for any third-party processor, such as a survey platform, transcription service, or cloud host.

    A data sharing agreement is a contract between two or more data controllers who each independently decide how they will use a shared dataset. A data processing agreement is the contract GDPR Article 28 requires whenever a controller engages a processor that acts only on documented instructions and has no independent decision-making power over the data.

    What Is the Difference Between a Data Sharing Agreement and a Data Processing Agreement?

    The confusion research offices run into is structural, not semantic. The question of data sharing agreement versus data processing agreement always comes down to one fact: who controls the data, and who merely acts on it. A data sharing agreement documents a controller-to-controller relationship. A data processing agreement documents a controller-to-processor relationship. Everything else — what clauses are mandatory, what liability attaches, whether the ICO expects to see it — follows from that single distinction.

    Two universities pooling anonymised cohort data for a joint publication are both controllers; they need a data sharing agreement. A university engaging a transcription service to convert interview recordings is the controller, and the vendor is the processor; that relationship needs a data processing agreement. The two documents are not interchangeable.

    | Feature | Data Sharing Agreement (DSA) | Data Processing Agreement (DPA) |
    | --- | --- | --- |
    | Relationship | Controller to controller | Controller to processor |
    | Decision-making | Each party decides its own purposes and means | Processor acts only on the controller’s documented instructions |
    | Legal mandate | Not mandatory in itself, but the ICO’s statutory code treats it as expected good practice | Mandatory under Article 28 UK GDPR whenever a processor is engaged |
    | Typical research use | Multi-institution consortia, joint publications, shared registries | Survey platforms, transcription services, cloud hosting, statistical consultancies |
    | Governing source | ICO Data Sharing Code of Practice (statutory, under s.121 Data Protection Act 2018) | Article 28, UK GDPR / EU GDPR |

    When Is a Data Sharing Agreement Required for a Research Collaboration?

    A data sharing agreement becomes necessary the moment two or more organisations — for example, two universities, a university and an NHS trust, or a university and an industry partner — each intend to use a shared dataset for their own research purposes. Under the ICO’s Data Sharing Code of Practice, a statutory code issued under section 121 of the Data Protection Act 2018, a formal agreement is not an absolute legal requirement, but the ICO expects one wherever routine or systematic sharing occurs between controllers, treating it as evidence of accountability under the UK GDPR.

    In practice, most collaborative research grants involving identifiable participant data — clinical cohorts, survey respondents, student records — should have a data sharing agreement in place before data changes hands, regardless of whether the grant terms mention one.

    When Is a Data Processing Agreement Legally Mandatory?

    Unlike a data sharing agreement, a data processing agreement is not discretionary. Article 28 of the UK GDPR requires a written contract wherever a controller uses a processor, and that extends down the chain: if a processor sub-contracts further, another written agreement is needed there too. For a research office, this covers any external service handling personal data on the institution’s instructions without deciding why or how it is used — a data-collection tool, a statistical analysis contractor, or a transcription vendor.

    A data processing agreement must specify the subject matter, duration, and purpose of processing, the categories of data and data subjects involved, each party’s rights and obligations, and the security and breach-notification terms the processor must meet. Missing any of these terms is a compliance gap, not a drafting preference.

    Where Do Joint Controller Arrangements Fit?

    The case research offices most commonly mishandle is not DSA-versus-DPA at all — it is where two institutions jointly determine the purposes and means of processing one dataset, rather than each independently using their own copy. That relationship is governed by Article 26 UK GDPR, which requires a joint controller arrangement setting out each party’s responsibilities, particularly around data subject rights, and requires that the “essence” of that arrangement be made available to data subjects.

    This distinction matters for consortium research funded through instruments such as Horizon Europe, where the Model Consortium Agreement typically sits alongside — not instead of — any joint-controller documentation for personal data. UKRI-funded projects carry a parallel obligation: an approved data management plan is a standard grant condition, but it is a research-governance document, not a substitute for the GDPR-compliant contract.

    A data sharing agreement and a joint controller agreement are frequently confused because both involve multiple controllers. The dividing line is independence of purpose: if each party uses the data for its own separate research question, a data sharing agreement applies; if the parties jointly decide the purpose and means of one processing activity, Article 26 applies instead.

    Frequently Asked Questions

    What Is the Difference Between a DPA and a DSA?

    A DPA (data processing agreement) governs a controller-to-processor relationship and is mandatory under Article 28 UK GDPR. A DSA (data sharing agreement) governs a controller-to-controller relationship and is not strictly mandatory, but is expected best practice under the ICO’s statutory code wherever personal data moves between independent organisations.

    Is a DPA the Same as an NDA?

    No. A data processing agreement specifically governs how personal data is processed under GDPR, including security measures and sub-processor rules. An NDA (non-disclosure agreement) protects confidential information generally — trade secrets, unpublished results, commercial terms — and carries no GDPR obligations of its own. Research collaborations frequently need both, for different purposes.

    Does the UK Use GDPR or DPA?

    Both, and the shared acronym is itself a source of confusion. The UK operates the UK GDPR alongside the Data Protection Act 2018 (DPA 2018), which supplements it domestically. Research offices should note that “DPA” means something different in each context: the Data Protection Act 2018 is UK legislation, while a data processing agreement is a specific contract required under that legislation’s GDPR framework.

    What Is the Difference Between a DPA and a Data Sharing Agreement?

    The same core distinction applies: a data processing agreement binds a processor acting on a controller’s instructions, while a data sharing agreement binds two or more controllers each pursuing their own purposes. Signing the wrong one leaves a research office either over-contracting a simple vendor relationship or under-documenting a genuine controller-to-controller data exchange.

    A Decision Checklist for Research Offices

    Before drafting either document, a research office should establish:

    • Is the other party deciding independently how to use the data, or only following our instructions? Independent use points to a data sharing agreement; instruction-only use points to a data processing agreement.
    • Are two or more institutions jointly deciding the purpose and means of a single processing activity? If so, Article 26 UK GDPR joint controller terms apply, not a standard data sharing agreement.
    • Does the collaboration involve a funder-mandated data management plan (for example, under UKRI or Horizon Europe terms)? A data management plan complements but does not replace the GDPR-compliant contract.
    • Is any processor sub-contracting further processing? Each link in that chain needs its own written data processing agreement under Article 28.
    • Does the exchange involve special category data — health records, genetic data, criminal offence data? These generally raise the bar for documented lawful basis and security terms in either agreement type.

    The Bottom Line for Research Administration

    Research offices that treat data sharing agreements and data processing agreements as interchangeable paperwork expose their institutions to two distinct risks: an unenforced Article 28 obligation with a processor, or an undocumented controller-to-controller exchange the ICO’s statutory code expects to see evidenced. Getting the classification right — controller-to-controller, controller-to-processor, or joint controller — determines which contract is legally required, which is merely good practice, and what each must contain. As multi-institution, multi-funder consortia become the norm, that classification step belongs at the front of every research office’s data governance workflow, alongside the project’s data management plan.

  • EU-US Data Privacy Framework for Research Data

    The EU-US Data Privacy Framework (DPF) is the adequacy mechanism that lets UK and EU research institutions send personal data to self-certified US collaborators without signing Standard Contractual Clauses, provided the US recipient holds active DPF status covering the right data category. Where a collaboration involves health, genetic or other sensitive research data, extra labelling duties apply before the transfer can rely on the Framework at all.

    The EU-US Data Privacy Framework is a voluntary self-certification scheme, administered by the US Department of Commerce and underpinned by the European Commission’s 10 July 2023 adequacy decision, that recognises participating US organisations as offering GDPR-equivalent protection for personal data received from the EEA. A parallel UK adequacy instrument extends the same recognition to transfers made under UK GDPR. For research offices coordinating cross-border studies, biobanks, consortium agreements or collaborative datasets with US partners post-Brexit, choosing correctly between the DPF, the UK Extension and Standard Contractual Clauses (SCCs) determines whether a transfer is lawful on day one or exposed to later challenge.

    What is the EU-US Data Privacy Framework?

    The EU-US Data Privacy Framework replaced the invalidated EU-US Privacy Shield after the Court of Justice of the European Union’s 2020 Schrems II ruling found US surveillance law did not offer equivalent protection. The European Commission’s adequacy decision of 10 July 2023 concluded that the DPF ensures an adequate level of protection for personal data transferred to certified US organisations, removing the need for Standard Contractual Clauses on covered transfers.

    Eligibility is narrower than it first appears. Only US organisations regulated by the Federal Trade Commission or the Department of Transportation may self-certify, which excludes many non-profits, banks, insurers and telecoms — categories that include some university-affiliated research foundations and repositories. Institutions must verify a partner’s active status on the official DPF list before relying on it, and confirm the certification covers the specific data category (HR or non-HR) being shared.

    How does the UK Extension (Data Bridge) work post-Brexit?

    Since Brexit, UK organisations cannot rely on the EU adequacy decision directly. The Data Protection (Adequacy) (United States of America) Regulations 2023 created a separate UK Extension — commonly called the UK-US Data Bridge — which came into force on 12 October 2023 and lets UK organisations, including universities and Gibraltar-based bodies, make restricted transfers to US businesses that have separately self-certified to the UK Extension.

    Per the Information Commissioner’s Office, a UK institution relying on the Data Bridge must confirm the US recipient has active status on the DPF list, has specifically opted into the UK Extension (not only the EU-US DPF), and that its registration covers the correct data type. Periodic re-checks are required, since a US partner can lose or withdraw certification at any point during a live research project.

    EU-US Data Privacy Framework vs Standard Contractual Clauses for research data

    Where a US collaborator is not DPF-certified — common among smaller labs, non-profits and public bodies outside FTC/DoT jurisdiction — Standard Contractual Clauses remain the fallback transfer mechanism. UK exporters use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU’s SCCs, and, following Schrems II, must complete a Transfer Risk Assessment (TRA) examining whether US law could undermine the contractual protections.

    | Feature | DPF / UK Extension (Adequacy) | Standard Contractual Clauses (SCCs) |
    | --- | --- | --- |
    | Legal basis | Adequacy decision (EU) / adequacy regulations (UK) | Contractual safeguard under UK GDPR Art. 46 / EU GDPR Art. 46 |
    | Recipient eligibility | Limited to self-certified, FTC/DoT-regulated US organisations | Any US recipient, regardless of sector |
    | Transfer Risk Assessment required | No | Yes, mandatory since Schrems II |
    | Sensitive/special category data | Must be explicitly flagged as “sensitive” to the recipient | Protections negotiated within the contract and TRA |
    | Ongoing obligation | Periodic verification of active DPF/UK Extension status | Periodic review of the TRA and supplementary measures |

    Many research offices now adopt a “belt and braces” approach: relying on the Data Bridge where a partner is certified, while keeping SCCs signed as a fallback in case certification lapses mid-project — a real risk, since a US partner can be forcibly removed from the DPF list by the Department of Commerce.

    Data sharing agreement vs data processing agreement: which applies?

    A data sharing agreement (DSA) and a data processing agreement (DPA) serve different roles in a research collaboration, and confusing them is a common compliance gap. A DSA is used when two institutions each act as independent or joint controllers — for example, two universities pooling anonymised survey results for a shared analysis. A DPA (required under UK GDPR Article 28) is used when one party processes data solely on the instructions of another, such as a US cloud vendor hosting a UK institution’s research dataset.

    • Use a DSA when both parties determine the purposes of processing (joint or independent controllers).
    • Use a DPA when one party is a processor acting only on the controller’s documented instructions.
    • Either document sits alongside, not instead of, the transfer mechanism (DPF, UK Extension or SCCs) — the agreement governs the relationship; the mechanism governs the lawfulness of the cross-border movement itself.

    What special rules apply to sensitive research data?

    Research data frequently includes health records, genetic material or biobank samples — categories UK GDPR classifies broadly as special category data. The DPF’s definition of “sensitive data” is narrower: only genetic data, biometric data used for unique identification, information about sexual orientation, and criminal offence data are covered, and only if the UK or EU sender proactively identifies and marks them as sensitive before transfer.

    This is a frequently overlooked gap for research consortia: personal data revealing ethnicity, religion, trade union membership or health status more broadly is special category data under UK GDPR but is not automatically treated as sensitive under the DPF unless explicitly flagged. Institutions transferring such data should apply a persistent classification (metadata tags or labelling) that survives onward sharing by the US recipient, and document this step in the study’s data management plan.

    Frequently asked questions

    What is the EU-U.S. Data Privacy Framework?

    The EU-U.S. Data Privacy Framework is a self-certification scheme allowing US organisations to receive personal data from the EEA under an EU adequacy decision. It replaced the invalidated Privacy Shield and removes the need for Standard Contractual Clauses for covered, certified transfers.

    What happened to the EU-US Privacy Shield?

    The Privacy Shield was invalidated in July 2020 by the Court of Justice of the EU in Schrems II, which found US surveillance access to personal data was not sufficiently limited. The Data Privacy Framework was negotiated as its successor and adopted in 2023.

    What is the status of the EU-U.S. Data Privacy Framework?

    As of mid-2026 the DPF remains in force, with the EU adequacy decision, the UK Extension and the Swiss-US DPF all active, though the mechanism continues to face legal challenges in the European courts, as its predecessors did.

    Implications for research institutions

    For research administrators managing international collaborations, the practical task is procedural discipline: verify DPF or UK Extension status before every transfer, not just at project setup; classify sensitive data explicitly; and keep SCCs and a completed Transfer Risk Assessment on file as a contingency. Given the DPF’s contested legal history, institutions that treat adequacy as a convenience rather than a permanent guarantee will be best placed to keep collaborations lawful if the Framework is narrowed or challenged again.

    These obligations sit within the broader compliance landscape that research administration teams increasingly own alongside funders, ethics committees and legal counsel — making data transfer literacy as core to running an international study as the science itself.