Navigating Data Sharing Agreement Templates: All You Need to Know

What are Data Sharing Agreements?

Data sharing agreements are contracts between two or more parties that set out the terms of access and use over data. DSA’s have, however, become multi-purpose, multi-layered documents that can create efficiencies, reduce risks, and impose obligations upon all parties to an agreement including operational procedures, level of access, allowed uses, and security provisions.
The intended purpose of a data sharing agreement is generally quite simple; for example, a data sharing agreement is often entered into by a university research facility to permit two university departments to share data among faculty for research purposes. Another example is a health care data sharing agreement which may outline the relationship between a hospital and another health care facility in order to share copies of a patient’s health information with one another to ensure the continuity of care for the patient.
Increasingly DSAs are being used to share datasets between non-university/health care facility partners. These contracts are becoming more common place given the emergence of partnerships between academic institutions and technology companies , including social media sites, cloud and web based service providers, artificial intelligence companies, and other software developers. DSAs have also been broadly created by companies to share information gathered by consumer smart devices.
As you will see throughout the blog, the various complexities inherent in each partnership give rise to multiple ways DSAs are being modified to suit each relationship. As the breadth of arrangements grow, and the types of data sharing becomes much more complicated, the forms and templates for Data Sharing Agreements have evolved to address these differing needs.

Key Elements of a Data Sharing Agreement

At the outset, it is vital that the data sharing agreement identifies the parties. Obviously, the actual identity of the parties will need to be obtained as well. A definitive list of participants and whether or not a particular relationship is to be covered is critical as these agreements often result in disputes over whether a particular party is included within the scope of the agreement (as either a user or a provider of data). Once the parties are identified, you should require the parties to set forth the category or categories of data that will be shared pursuant to the agreement. The categories can be general in nature (e.g., demographics, health data, physician data, prescription data, patient data) or they can be more specific and provide a list of exactly what data is intended to be shared as part of the agreement (e.g., lab test results, medication history, purchasing patterns, race or ethnicity).
Limiting the purpose of the allowable use of the data is the next component of the agreement. Even though the parties may be known and the exact type of data is described in the agreement, the true interest of the parties is often hidden. By limiting the obligation only to specific data, the potential for abusive data use is minimized. For example, providers who are interested in a patient’s race, ethnicity, or drug history may simply be looking to evaluate their practice patterns, but at the end of the day, the data could also be used to deny patients access to care on the basis of those characteristics.
The last component which should be in any data sharing agreement is some type of description of how the shared data is going to be protected. While there often is tension between the desire to offer the broadest view of potential data uses, the actual method for protecting the agreement (and the data under it) should be included.

Relevant Legal Issues in Data Sharing Agreements

Data sharing agreements (DSA) can be complicated to draft and require careful consideration of a host of legal and regulatory requirements. Many DSA contain various legal terms and provisions that do not often make sense to business users, but are nonetheless essential to the validity of the data sharing relationship. This section will cover broadly just some of the legal and regulatory considerations in the DSA context.
It is critical that DSA comply with applicable data protection laws. For example, under the EU General Data Protection Regulation (GDPR), personal data cannot be transferred to a non-EU country unless the relevant territory ensures "adequate" protection of personal data and the parties enter into an appropriate data transfer agreement. Under the California Consumer Privacy Act (CCPA), except for certain limited types of personal information, covered entities must provide their customers with an opt-out web page link on their websites for a period of at least 30 days before the data is sold. Therefore, when drafting a DSA, one must consider the specific requirements under the relevant data protection laws.
Privacy notices and consents are also relevant in the DSA context: Are any third-parties involved in processing personal data? Are the relevant parties subject to the California Privacy Rights Act (CRPA)? Has the individual been provided with an express notice? Has the consumer consented to the data sharing?
There are also specific contractual and liability issues to consider, including warranties, representations, support and maintenance obligations, indemnity obligations in case of third-party claims, and termination of the relationship.

Advantages of Utilizing a Data Sharing Agreement Template

A major benefit of using a data sharing agreement template is that it can save you time. Having a template means you do not need to waste precious hours creating a new agreement for every data sharing arrangement you enter into. Instead, you can easily enter into new agreements with third parties by adapting the template. Further, a template can ensure you keep track of the changes you make to agreements you enter into. The template may enable you to insert ‘tracked changes’ onto all subsequent copies you amend after original approval, so that you have a record of the changes for auditing purposes.
A data sharing agreement template will allow you to give the same agreement to all third party commercial partners you share personal data with. The consistency of a template can save you the challenge of remembering whether you entered into an agreement in different terms with particular third party commercial partners in the past.
A common use of a data sharing agreement template is for use when entering into a data sharing arrangement with a number of Local Authorities under the terms of a protocol. The ability of the protocol to allow a data sharing agreement template to be used should speed up the introduction of the scheme which the data sharing arrangement is intended to implement, and ultimately improving the service.
Using data sharing agreement templates in your organisation will also help you to make sure you have implemented minimum legal requirements for agreements. It will provide a means for you to ensure that your data sharing agreements contain the terms you are required to include under the data protection legislation, and also to include any additional terms you require.

How to Tailor a Data Sharing Agreement Template

While obtaining a data sharing agreement template is a great first step, organizations will need to customize it. Templates do not contain or reflect the organization’s policies. One common example would be a data sharing agreement sharing with a business associate. Per the HIPAA privacy and security rules if the data sharing agreement is for such purposes a few additional clauses might need to be tailored around the use and disclosure of protected health information. For instance, the agreement needs to define the limited purpose of the sharing and how the data should be handled, deleted, breached, etc.
Another example of customization could also be where there is a data sharing agreement with an academic organization. Often times, there will be some way for that the organization that is sharing the data will need to audit or request a report from the academic group. As such , express language around audit and report rights upon notice of a breach may be required.
With all of this customization, the organization may question whether the data sharing agreement still reflects their policies and procedures. For instance, when it comes to security, a data sharing agreement may have some minimum standards such as requiring random audits of the data by a third party. Essentially the organization should be sure that the data sharing agreement template is modified to reflect their own policies and that the policies in question have adopted evidence based standards for the particular situation. If not, the organization’s policies may not align with the agreement and that may make enforcement of the agreement a little trickier.

Pitfalls in Data Sharing Agreements

Often when organizations are making the leap from having no agreement to developing their first data sharing agreement, they look for existing templates online and work with them. This can lead to inadvertent mistakes and omissions that can create liability for the organization that they otherwise wouldn’t have had.
Common issues that we see include:
Failing to assess whether the data is sensitive and requires heightened protection. The desire to have a data sharing agreement as soon as possible, because the parties want to start sharing the data now. Without carefully assessing the sensitivity of the data and whether it requires additional protections, you could find yourself in trouble down the road.
Involving too many people in the review process and staff don’t understand what they’re looking at. Staff who are not data security professionals or who are not responsible for managing any risk related to the data in question. As a result these individuals may fail to recognize severe gaps in the protection of the data that the organization does not wish to have in place.
Failing to use language that’s appropriate for your organization. Not all organizations can be covered by a single template, and while many nonprofit contracts are similar, in particular there can be quite a bit of variation in the scope of services provided, particularly for health care organizations.
Not including police provisions in the event of unlawful or unauthorized disclosures. Privacy law requires that you report data breaches and unauthorized disclosures. If you have a data sharing agreement that does not include these provisions, you may not be in compliance with privacy breach requirements.

Essential Strategies for Data Sharing Agreements

The implementation of data sharing agreement templates should come with a standard set of best practices. These best practices ensure that parties are aware of certain issues related to the data sharing agreements and can act accordingly. The issue of transparency is one of the leading issues that data sharing agreements face. For example, when data is shared, parties should always provide notice to customers of the data sharing agreement.
In addition to notification, consumers may have the ability to opt out of the data sharing agreement. Therefore, the terms of the agreements and the obligations of the parties should be transparent. Transparency not only involves written notice of data being shared, but it could also mean written notice about customer preferences. For instance, if a member is required to meet certain requirements to have his/her data shared, then the member should have the opportunity to confirm that the member has met all the requirements.
Transparency also involves the protection of data. Parties to data sharing agreements must ensure that any data that is shared is properly stored. Additionally, parties should ensure that steps are taken to secure the data from unauthorized access. Similarly, data should only be shared in accordance with the terms and conditions of the data sharing agreement. In addition to the data being appropriately stored and secured, the data should also be destroyed or deleted after the end of the data sharing agreement. In most cases, data sharing agreements should have a retention period that ends after a certain amount of time. Overall, data sharing agreements should also ensure that data is used for only certain purposes.

Templates for Data Sharing Agreements

A prudent course of action is to rely on the templates that have been developed over time by professional organizations and government agencies that have significant experience in the relevant areas. Leading industry organizations, such as the HIMSS Interoperability & HIE Workgroup offer model data sharing agreements from time to time. Other health information organizations also provide such resources. For example, the GE Centricity Group provides a Health Information Exchange toolkit that includes examples of the types of documents that an HIE would use, including a master data sharing agreement, as well as the foundational privacy and security agreements and policies. The Georgia Technology Authority has also developed a model data sharing agreement. At the federal level , the HHS Office of the National Coordinator for Health Information Technology offers a Toolkit for Early HIE Governance with two example data sharing agreements. State data sharing programs often make their agreements public as well.
Academic institutions and research centers are another source for model agreements. For example, researchers associated with the University of Washington and Stanford, the Pacific Northwest Evidence-based Practice Center, and the University of Minnesota have each developed model data sharing agreements for research purposes. Also, – as discussed in this article – the National Institutes of Health has implemented new sharing rules with which institutions must comply. Many of the new NIH requirements are highly relevant for research and some research institutions may have developed model data sharing agreements to assist their researchers in meeting these NIH requirements.