Contracts and data sharing
Why is this important?
It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way. Similarly, written contracts help controllers and processors to demonstrate compliance and understand their obligations, responsibilities and liabilities.
At a glance – what we expect from you
- Data sharing policies and procedures
- Data sharing agreements
- Restricted transfers
- Processors
- Controller-processor contract requirements
- Processor due diligence checks
- Processor compliance reviews
- Third-party products and services
- Purpose limitation
Data sharing policies and procedures
Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions.
Ways to meet our expectations:
- You have a review process, through a DPIA or a similar exercise, to assess the legality, benefits and risks of the data sharing.
- You document all sharing decisions for audit, monitoring and investigation purposes and regularly review them.
- Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
- Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of their responsibilities and how to carry them out effectively?
- Would staff say they have a clear process to follow?
- Is your organisation meeting their training needs?
Data sharing agreements
You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data.
Ways to meet our expectations:
- You agree data sharing agreements with all the relevant parties and senior management sign them off.
- The data sharing agreement includes details about:
  - the parties' roles;
  - the purpose of the data sharing;
  - what is going to happen to the data at each stage; and
  - the standards set (with a high privacy default for children).
- Where necessary, procedures and guidance covering each organisation’s day-to-day operations support the agreements.
- If your organisation is acting as a joint controller (within the meaning of Article 26 of the UK GDPR), you set out responsibilities under an arrangement or a data sharing agreement and you provide appropriate privacy information to individuals.
- You have a regular review process to make sure that the information remains accurate and up to date, and to examine how the agreement is working.
- You keep a central log of the current sharing agreements.
Have you considered the effectiveness of your accountability measures?
- Are staff with sharing responsibilities aware of the process?
- Is there contingency built into the process if something goes wrong or if people aren’t available to perform their role?
- Would staff say the decision-making is maintained or appropriately delegated?
Restricted transfers
Your organisation has procedures in place to make sure that restricted transfers are made appropriately.
Ways to meet our expectations:
- You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).
- If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the UK GDPR.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the process and their responsibilities?
- Are you meeting their training needs?
- Do staff adhere to the policies and procedures?
Processors
You have appropriate procedures in place regarding the work that processors do on your behalf.
Ways to meet our expectations:
- You have written contracts with all processors.
- If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.
- An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
- Each contract (or other legal act) sets out details of the processing, including the:
  - subject matter of the processing;
  - duration of the processing;
  - nature and purpose of the processing;
  - type of personal data involved;
  - categories of data subject; and
  - controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
- You keep a record or log of all current processor contracts, which you update when processors change.
- You review contracts periodically to make sure they remain up to date.
- If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the need for a written contract when using a processor?
- How do they make sure the contracts are kept up to date?
- Are the risks of using a processor mitigated effectively?
- Do you have an appropriate approval process for contracts?
- Is it easy for staff to find existing contracts where appropriate?
Controller-processor contract requirements
All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.
Ways to meet our expectations:
- The contract or other legal act includes terms or clauses stating that the processor must:
  - only act on the controller’s documented instructions, unless required by law to act without such instructions;
  - ensure that people processing the data are subject to a duty of confidence;
  - help the controller respond to requests from individuals to exercise their rights; and
  - submit to audits and inspections.
- Contracts include the technical and organisational security measures that the processor must adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).
- The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.
- The contract includes clauses to make sure that the processor assists the controller in meeting its UK GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.
Have you considered the effectiveness of your accountability measures?
- Was the International Organisation for Standardization (ISO) consulted on the appropriateness of security measures detailed within contracts?
Processor due diligence checks
You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet UK GDPR requirements.
Ways to meet our expectations:
- The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.
- The due diligence process includes data security checks, eg site visits, system testing and audit requests.
- The due diligence process includes checks to confirm a potential processor will protect data subjects’ rights.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of what they need to do?
- Is there a clear and effective process?
- Are due diligence checks proportionate to the risks?
Processor compliance reviews
Your organisation reviews data processors’ compliance with their contracts.
Ways to meet our expectations:
- Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.
- You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.
Have you considered the effectiveness of your accountability measures?
- Is there any follow-up where you identify non-compliance to contract terms or a Service Level Agreement?
- Are the checks proportionate to the risks?
Third-party products and services
Your organisation considers ‘data protection by design’ when selecting services and products to use in data processing activities.
Ways to meet our expectations:
- When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.
Have you considered the effectiveness of your accountability measures?
- Do staff consider suppliers’ approach to data protection when using third-party products or services to process personal data?
- Is there a clear way for them to do this?
Purpose limitation
Your organisation proactively takes steps to only share necessary personal data with processors or other third parties.
Ways to meet our expectations:
- Your organisation only shares the personal data necessary to achieve its specific purpose.
- When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.
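As an added illustration of the pseudonymise-or-minimise step (example code written for this page, not ICO material or a template): the block below builds the dataset a controller would hand to a processor for a hypothetical purpose, aggregate spend analysis by postcode area. The customer records, the field names and the purpose are all constructed for the example. Direct identifiers are dropped rather than masked, the customer identifier is replaced by a keyed HMAC-SHA256 pseudonym with the key retained by the controller, and the postcode is coarsened to its outward code. A final check confirms no direct identifier field survived before release.

```python
import hashlib
import hmac
import secrets

# Constructed sample records held by the controller; not real people.
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.invalid",
     "postcode": "SW1A 1AA", "date_of_birth": "1984-03-09", "order_total_gbp": 120.50},
    {"customer_id": "C-1002", "name": "Bob Example", "email": "bob@example.invalid",
     "postcode": "M1 1AE", "date_of_birth": "1990-11-21", "order_total_gbp": 45.00},
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.invalid",
     "postcode": "SW1A 1AA", "date_of_birth": "1984-03-09", "order_total_gbp": 15.25},
]

# Direct identifiers that must never leave the controller for this (hypothetical) purpose.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "date_of_birth", "postcode"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The same input under the same key always
    gives the same pseudonym, so records stay linkable for the processor, but
    without the key the pseudonym cannot be reversed. The controller keeps the
    key and does not share it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def postcode_area(postcode: str) -> str:
    """Coarsen a full UK postcode to its outward code, e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.strip().split()[0].upper()


def minimise_for_sharing(records, key: bytes, purpose_fields: set) -> list:
    """Build the dataset to hand to a processor: a pseudonym in place of the
    customer identifier, a coarsened location, and only the fields the stated
    purpose needs. Anything not in purpose_fields is omitted, not masked."""
    shared = []
    for rec in records:
        candidate = {
            "pseudonym": pseudonymise(rec["customer_id"], key),
            "postcode_area": postcode_area(rec["postcode"]),
            "order_total_gbp": rec["order_total_gbp"],
        }
        shared.append({k: v for k, v in candidate.items() if k in purpose_fields})
    return shared


def leaked_identifiers(shared_records) -> set:
    """Pre-release check: return the names of any direct identifier fields that
    survived into the dataset to be shared (an empty set means none did)."""
    leaked = set()
    for rec in shared_records:
        leaked |= DIRECT_IDENTIFIERS & set(rec)
    return leaked


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and retained by the controller only
    purpose = {"pseudonym", "postcode_area", "order_total_gbp"}
    dataset = minimise_for_sharing(CUSTOMER_RECORDS, key, purpose)
    if leaked_identifiers(dataset):
        raise SystemExit("direct identifiers present; do not share")
    for row in dataset:
        print(row)
```

Two points worth keeping in mind when applying this pattern. First, the output is still personal data under the UK GDPR: the controller holds the key and can re-link each pseudonym to a customer, which is exactly what Article 4(5) describes as pseudonymisation. Treating the shared set as no longer personal data is the separate anonymisation judgement the bullet above refers to, and coarsening alone (outward postcode plus spend) may not be enough for that. Second, the purpose_fields allow-list is the minimisation control: adding a field to it should be a documented decision tied to the sharing agreement, not a convenience for the processor.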
Have you considered the effectiveness of your accountability measures?
- Do staff understand what they should consider when sharing data to make sure it is limited appropriately?
Further reading
ICO guidance:
- International transfers
- Contracts
- Data sharing: a code of practice | ICO
- Data protection at the end of the transition period
- Data protection by design and by default
- Principles – purpose limitation
- Principles – data minimisation
- ICO template: Controller to controller contract and Controller to processor contract
External guidance: