Contracts and data sharing

It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way. Similarly, written contracts help controllers and processors to demonstrate compliance and understand their obligations, responsibilities and liabilities.

At a glance – what we expect from you

• Data sharing policies and procedures
• Data sharing agreements
• Restricted transfers
• Processors
• Controller-processor contract requirements
• Processor due diligence checks
• Processor compliance reviews
• Third-party products and services
• Purpose limitation

Data sharing policies and procedures

Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions.

Ways to meet our expectations:

• You have a review process, through a DPIA or a similar exercise, to assess the legality, benefits and risks of the data sharing.
• You document all sharing decisions for audit, monitoring and investigation purposes and regularly review them.
• Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
• Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.

Have you considered the effectiveness of your accountability measures?

• Are staff aware of their responsibilities and how to carry them out effectively?
• Would staff say they have a clear process to follow?
• Is your organisation meeting their training needs?

Data sharing agreements

You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data

Ways to meet our expectations:

• You agree data sharing agreements with all the relevant parties and senior management sign them off.
• The data sharing agreement includes details about:
  • the parties' roles;
  • the purpose of the data sharing;
  • what is going to happen to the data at each stage; and
  • the standards set (with a high privacy default for children).

  Have you considered the effectiveness of your accountability measures?

  • Are staff with sharing responsibilities aware of the process?
  • Is there contingency built into the process if something goes wrong or if people aren’t available to perform their role?
  • Would staff say the decision-making is maintained or appropriately delegated?

  Restricted transfers

  Your organisation has procedures in place to make sure that restricted transfers are made appropriately.

  Ways to meet our expectations:

  • You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).
  • If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the UK GDPR.

  Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the process and their responsibilities?
  • Are you meeting their training needs?
  • Do staff adhere to the policies and procedures?

  Processors

  You have appropriate procedures in place regarding the work that processors do on your behalf.

  Ways to meet our expectations:

  • You have written contracts with all processors.
  • If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.
  • An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
  • Each contract (or other legal act) sets out details of the processing, including the:
    • subject matter of the processing;
    • duration of the processing;
    • nature and purpose of the processing;
    • type of personal data involved;
    • categories of data subject; and
    • controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.

    Have you considered the effectiveness of your accountability measures?

    • Are staff aware of the need for a written contract when using a processor?
    • How do they make sure the contracts are kept up to date?
    • Are the risks of using a processor mitigated effectively?
    • Do you have an appropriate approval process for contracts?
    • Is it easy for staff to find existing contracts where appropriate?

    Controller-processor contract requirements

    All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.

    Ways to meet our expectations:

    • The contract or other legal act includes terms or clauses stating that the processor must:
      • only act on the controller’s documented instructions, unless required by law to act without such instructions;
      • ensure that people processing the data are subject to a duty of confidence;
      • help the controller respond to requests from individuals to exercise their rights; and
      • submit to audits and inspections.

      Have you considered the effectiveness of your accountability measures?

      • Was the International Organisation for Standardization (ISO) consulted on the appropriateness of security measures detailed within contracts?

      Processor due diligence checks

      You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet UK GDPR requirements.

      Ways to meet our expectations:

      • The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.
      • The due diligence process includes data security checks, eg site visits, system testing and audit requests.
      • The due diligence process includes checks to confirm a potential processor will protect data subjects’ rights.

      Have you considered the effectiveness of your accountability measures?

      • Are staff aware of what they need to do?
      • Is there a clear and effective process?
      • Are due diligence checks proportionate to the risks?

      Processor compliance reviews

      Your organisation reviews data processors’ compliance with their contracts.

      Ways to meet our expectations:

      • Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.
      • You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.

      Have you considered the effectiveness of your accountability measures?

      • Is there any follow-up where you identify non-compliance to contract terms or a Service Level Agreement?
      • Are the checks proportionate to the risks?

      Third-party products and services

      Your organisation considers ‘data protection by design’ when selecting services and products to use in data processing activities.

      Ways to meet our expectations:

      • When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.

      Have you considered the effectiveness of your accountability measures?

      • Do staff consider suppliers’ approach to data protection when using third-party products or services to process personal data?
      • Is there a clear way for them to do this?

      Purpose limitation

      Your organisation proactively takes steps to only share necessary personal data with processors or other third parties.

      Ways to meet our expectations:

      • Your organisation only shares the personal data necessary to achieve its specific purpose.
      • When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.

      Have you considered the effectiveness of your accountability measures?

      • Do staff understand what they should consider when sharing data to make sure it is limited appropriately?

      Further reading

      ICO guidance:

      • International transfers
      • Contracts
      • Data sharing: a code of practice | ICO
      • Data protection at the end of the transition period
      • Data protection by design and by default
      • Principles – purpose limitation
      • Principles – data minimisation
      • ICO template: Controller to controller contract and Controller to processor contract
      • ICO tool: Keep data flowing from the EEA to the UK – interactive tool

      External guidance:

      • Share this page
      • Print this page
      • RSS feeds