
Free Data Sharing Agreement Template

Establish a lawful and transparent framework for sharing personal data between organisations with a GDPR-compliant agreement covering purposes, security measures, data subject rights, and breach notification procedures.

DATA SHARING AGREEMENT
United Kingdom  ·  England and Wales  ·  UK GDPR  ·  DPA 2018  ·  Mutual
DATA CONTROLLER 1
National Health Trust
1 Victoria Street, London, SW1H 0ET
By: Dr Eleanor Price, ICO: ZA123456
DATA CONTROLLER 2
Metropolitan Council
City Hall, Broad Street, Birmingham, B1 2DP
By: James Okonkwo, ICO: ZB654321
Date: 2026-03-20 · Direction: Mutual
Lawful Basis: Public Task (Art.6(1)(e)) · Jurisdiction: England and Wales
This Data Sharing Agreement (the "Agreement") is entered into as of 2026-03-20 between National Health Trust, of 1 Victoria Street, London, SW1H 0ET ("Controller 1") and Metropolitan Council, of City Hall, Broad Street, Birmingham, B1 2DP ("Controller 2") (together the "Parties", each a "Party"). Each Party is a data controller as defined in Art.4(7) of the UK General Data Protection Regulation ("UK GDPR") as retained in domestic law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. This Agreement sets out the framework under which personal data will be shared between the Parties in compliance with UK GDPR and the Data Protection Act 2018 ("DPA 2018").
1. PURPOSE AND SCOPE OF DATA SHARING
The Parties agree to share personal data for the following purpose: Joint research into public health outcomes, service delivery improvement, and resource allocation planning across health and social care services. Data sharing shall be mutual, with both Parties providing and receiving personal data. The sharing of personal data under this Agreement shall be limited to what is strictly necessary and proportionate for the stated purpose, in accordance with the data minimisation principle (Art.5(1)(c) UK GDPR).
2. CATEGORIES OF PERSONAL DATA
The following categories of personal data will be shared under this Agreement: Name, date of birth, NHS number, postcode, service usage records, referral data, appointment history. The data subjects are: Patients and service users within the Birmingham metropolitan area. This Agreement involves special category data as defined in Art.9(1) UK GDPR, specifically: Health data (diagnosis codes, treatment records, medication history). The additional condition for processing under Art.9(2) UK GDPR and Schedule 1 DPA 2018 is: substantial public interest / explicit consent / necessary for reasons of public interest in the area of public health (as applicable).
3. LAWFUL BASIS
Each Party confirms that it has identified a valid lawful basis under Art.6(1) UK GDPR for the processing of personal data under this Agreement. The primary lawful basis relied upon is: Public Task (Art.6(1)(e)). Each Party warrants that it has complied with the transparency requirements of Art.13-14 UK GDPR and has provided appropriate privacy notices to data subjects.
4. DATA PROTECTION IMPACT ASSESSMENT
The Parties confirm that a Data Protection Impact Assessment (DPIA) has been completed in accordance with Art.35 UK GDPR prior to commencing data sharing under this Agreement. The DPIA has been reviewed and approved by the respective Data Protection Officers. The DPIA shall be reviewed annually or whenever there is a material change to the data sharing arrangement.
5. GOVERNING LAW AND JURISDICTION
This Agreement shall be governed by and construed in accordance with the law of England and Wales. The Parties agree that the courts of England and Wales shall have exclusive jurisdiction. Nothing in this Agreement affects the supervisory authority of the Information Commissioner's Office (ICO) under UK GDPR and DPA 2018.
6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
In accordance with Art.32 UK GDPR, each Party shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: (a) data shall be transferred using encrypted file transfer (SFTP or equivalent); (b) all shared data shall be protected using AES-256 encryption for data at rest and TLS 1.2 or above for data in transit; (c) access shall be restricted using role-based access control (RBAC), with access granted only to personnel whose roles require it for the stated purpose; (d) multi-factor authentication shall be required for all systems used to access shared data; (e) all access shall be logged and audit trails maintained for a minimum of twelve (12) months; (f) regular vulnerability assessments and penetration testing shall be conducted at least annually; (g) staff with access to shared data shall receive data protection training at least annually; and (h) both Parties shall maintain Cyber Essentials certification (or equivalent) throughout the term of this Agreement.
7. DATA QUALITY AND ACCURACY
Each Party providing data under this Agreement warrants that the personal data is accurate, up-to-date, and complete at the time of sharing, in compliance with the accuracy principle (Art.5(1)(d) UK GDPR). Each Party shall: (a) promptly notify the other of any inaccuracies discovered in shared data; (b) implement reasonable measures to ensure the ongoing quality of shared data; (c) correct or delete inaccurate data within five (5) business days of notification; and (d) not make decisions based on shared data without reasonable verification of its accuracy.
8. DATA RETENTION AND DELETION
Shared personal data shall be retained only for twenty-four (24) months from the date of receipt, or for such shorter period as is necessary for the stated purpose, in compliance with the storage limitation principle (Art.5(1)(e) UK GDPR). Upon expiry of the retention period or termination of this Agreement (whichever is earlier), each Party shall securely delete all shared personal data using industry-standard secure deletion methods and provide written certification of deletion to the other Party within thirty (30) days. Backup copies shall be deleted within ninety (90) days of the primary deletion, subject to applicable legal retention requirements.
9. PERSONAL DATA BREACH NOTIFICATION
In the event of a personal data breach (as defined in Art.4(12) UK GDPR) involving shared data, the Party that becomes aware of the breach shall: (a) notify the other Party without undue delay and in any event within twenty-four (24) hours of becoming aware; (b) provide full details including: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach; (c) co-operate fully with the other Party's investigation; and (d) not make any public statement regarding the breach without first consulting the other Party. Each Party remains independently responsible for reporting breaches to the ICO under Art.33 UK GDPR (within seventy-two (72) hours) and for notifying affected data subjects under Art.34 UK GDPR where there is a high risk to their rights and freedoms. The Parties shall maintain a joint breach register documenting all incidents involving shared data.
10. DATA SUBJECT RIGHTS
Each Party shall co-operate with the other to facilitate the exercise of data subject rights under Chapter III UK GDPR, including: (a) the right of access (Art.15) - Subject Access Requests (SARs); (b) the right to rectification (Art.16); (c) the right to erasure (Art.17); (d) the right to restriction of processing (Art.18); (e) the right to data portability (Art.20); and (f) the right to object (Art.21). Upon receipt of a data subject request relating to shared data, the receiving Party shall notify the other Party within two (2) business days. The Parties shall respond to data subject requests within the statutory timeframe of one (1) calendar month (Art.12(3) UK GDPR). Each Party shall maintain records of all data subject requests relating to shared data.
11. INTERNATIONAL DATA TRANSFERS
The Parties confirm that no personal data shared under this Agreement shall be transferred outside the United Kingdom. If either Party intends to transfer shared data internationally in the future, it must first obtain the written consent of the other Party and ensure adequate safeguards are in place in compliance with Art.44-49 UK GDPR.
12. AUDIT RIGHTS
Each Party shall have the right to audit the other Party's compliance with this Agreement on an annual basis. Audits may be conducted by the Party itself or by an independent third-party auditor appointed by the Party. The auditing Party shall give at least thirty (30) days' written notice. The audited Party shall provide reasonable access to premises, systems, and personnel, and shall co-operate fully with the audit. Audit findings shall be shared with both Parties and any remedial actions agreed shall be implemented within an agreed timeframe. The cost of audits shall be borne by the auditing Party unless the audit reveals a material breach, in which case the audited Party shall bear the cost.
13. INDEMNIFICATION AND LIABILITY
Each Party shall indemnify and hold harmless the other Party from and against all claims, damages, losses, costs, and expenses (including reasonable legal fees) arising from: (a) a breach of this Agreement by the indemnifying Party; (b) a breach of UK GDPR or DPA 2018 by the indemnifying Party; or (c) any claim by a data subject or the ICO resulting from the indemnifying Party's failure to comply with its obligations. Liability shall be allocated between the Parties in accordance with Art.82 UK GDPR, which provides that each controller involved in processing shall be liable for the damage caused by processing that infringes the UK GDPR. Nothing in this Agreement limits liability for death or personal injury caused by negligence or for fraud.
14. TERMINATION
Either Party may terminate this Agreement by giving thirty (30) days' written notice. Either Party may terminate immediately if: (a) the other Party commits a material breach of this Agreement or UK GDPR and fails to remedy it within fourteen (14) days of written notice; (b) the ICO issues an enforcement notice or order relating to the data sharing; (c) the other Party's ICO registration lapses or is revoked; or (d) the other Party becomes insolvent. Upon termination, all shared data shall be securely deleted or returned in accordance with the retention and deletion clause. Obligations relating to confidentiality, indemnification, and data subject rights shall survive termination.
15. GENERAL PROVISIONS
Entire Agreement: This Agreement constitutes the entire agreement between the Parties relating to data sharing. Variation: No variation shall be effective unless in writing and signed by both Parties. Waiver: No failure to exercise any right shall constitute a waiver. Severability: Invalid provisions shall not affect remaining terms. Third Party Rights: Data subjects may enforce their rights under UK GDPR directly; no other third party has rights under the Contracts (Rights of Third Parties) Act 1999. Review: This Agreement shall be reviewed at least annually by both Parties' Data Protection Officers to ensure continued compliance and relevance. Notices: All notices shall be sent to the DPO email addresses specified herein. Counterparts: This Agreement may be executed in counterparts, each of which shall constitute an original.
IN WITNESS WHEREOF, the parties have executed this Agreement as of the Effective Date first written above.
DATA CONTROLLER 1
Dr Eleanor Price
DPO: dpo@nht.nhs.uk
National Health Trust
Date: ____________________
DATA CONTROLLER 2
James Okonkwo
DPO: dpo@metcouncil.gov.uk
Metropolitan Council
Date: ____________________

What Is a Data Sharing Agreement?

A data sharing agreement is a contract between two or more organisations that sets out the terms and conditions under which personal data is shared between them. It establishes the lawful basis for sharing, the purposes for which data may be used, the security measures required, and the responsibilities of each party as data controllers or processors.

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations that share personal data must ensure that the sharing is lawful, fair, and transparent. A data sharing agreement is a key accountability measure that demonstrates compliance with data protection principles and provides a clear governance framework.

Data sharing agreements are essential in a wide range of contexts, including partnerships between public sector bodies, joint ventures, supply chain arrangements, research collaborations, and any situation where organisations need to exchange personal data to deliver services or achieve shared objectives.

What's Covered in This Template

This data sharing agreement template includes all essential provisions for GDPR-compliant data sharing between organisations.

Parties and Roles

Identification of each party and their role as data controller, joint controller, or data processor.

Purpose of Sharing

Clear description of the purposes for which personal data is being shared and any restrictions on further use.

Lawful Basis

The lawful basis for processing under Article 6 of the UK GDPR, and any additional conditions for special category data.

Data Description

Categories of personal data shared, categories of data subjects, and the volume and frequency of data transfers.

Security Measures

Technical and organisational measures required to protect the shared data, including encryption, access controls, and audit trails.

Data Subject Rights

Procedures for handling data subject access requests, rectification, erasure, and other rights under the UK GDPR.

Data Retention

Retention periods for shared data and procedures for secure deletion or return of data at the end of the agreement.

Breach Notification

Obligations to notify each other and the ICO in the event of a personal data breach, including timelines and procedures.

International Transfers

Provisions for transfers of personal data outside the UK, including appropriate safeguards under UK GDPR.

Liability and Indemnity

Allocation of liability for data protection breaches and indemnification provisions between the parties.

How to Create a Data Sharing Agreement

Our template walks you through each section so you can create a comprehensive data sharing agreement that meets UK GDPR requirements.

  1. Identify the Parties and Their Roles

     Enter the details of each organisation involved in the data sharing arrangement. Determine whether each party is acting as an independent data controller, a joint controller, or a data processor, as this affects legal responsibilities.

  2. Define the Purpose and Lawful Basis

     Clearly describe the purposes for which personal data will be shared and identify the lawful basis for processing under Article 6 of the UK GDPR. If special category data is involved, identify the additional condition under Article 9.

  3. Describe the Data and Data Subjects

     Specify the categories of personal data to be shared, the categories of data subjects (such as customers, employees, or patients), and the anticipated volume and frequency of data transfers.

  4. Set Security and Breach Procedures

     Outline the technical and organisational security measures each party must implement. Include a clear breach notification procedure with timelines for notifying each other and the ICO as required by Articles 33 and 34 of the UK GDPR.

  5. Address Retention, Rights, and Termination

     Specify data retention periods, procedures for handling data subject rights requests, and what happens to shared data when the agreement ends (return, deletion, or anonymisation). Include liability and indemnity provisions.

Legal Considerations

Data sharing agreements must comply with the UK GDPR and the Data Protection Act 2018. The Information Commissioner's Office provides detailed guidance on data sharing frameworks.

This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.

Reviewed for England & Wales law

UK GDPR Compliance

The UK GDPR requires that all processing of personal data is lawful, fair, and transparent (Article 5). Organisations sharing personal data must identify a lawful basis under Article 6, implement appropriate safeguards, and be able to demonstrate compliance through documentation. A data sharing agreement is a key part of this accountability framework.

Controller vs Processor Relationships

The legal requirements differ significantly depending on whether the parties are independent controllers, joint controllers (Article 26 UK GDPR), or in a controller-processor relationship (Article 28 UK GDPR). Joint controllers must determine their respective responsibilities for compliance in a transparent arrangement. Controller-processor relationships require a written processing agreement with specific mandatory terms.

ICO Data Sharing Code of Practice

The Information Commissioner's Office has published a Data Sharing Code of Practice under section 121 of the Data Protection Act 2018. While not legally binding, the code is admissible in legal proceedings and the ICO expects organisations to follow its guidance. The code covers systematic data sharing, one-off data sharing, and data sharing for research purposes.

International Data Transfers

If personal data is transferred outside the UK, appropriate safeguards must be in place under Articles 44 to 49 of the UK GDPR. This may include reliance on adequacy decisions, standard contractual clauses approved by the ICO, or binding corporate rules. The agreement should specify any international transfers and the safeguards used.
