On 18 December 2020 NHSX, in their role to drive digital transformation in the health and social care sectors, published its template Data Sharing Agreement (“DSA”) which can be used by all health and care organisations to document data sharing with third party data controllers.
What is a DSA?
DSAs are written agreements used frequently across the health sector as a means of documenting key aspects of data protection compliance, including purpose and lawful basis for sharing data. Under Article 26 of the General Data Protection Regulation (“GDPR”), joint controllers (that is the individuals or companies responsible for determining the purpose and means of processing the data in question) are required to enter into an ‘arrangement’ to determine their respective responsibilities concerning their data processing activities, and a DSA is often a means of satisfying this requirement. In the case of independent controllers then a DSA is not mandatory but is recommend as good practice by the ICO Code of Practice on Data Sharing in order to evidence their compliance with the general accountability principle under Article 5 GDPR and the common law duty of confidentiality.
DSAs are to be distinguished from data processing agreements (“DPAs”) which are legally binding contracts between a data controller and data processor (that is, a third party acting on behalf of the controller in respect of the data in question) in relation to the processing of personal data. Unlike DPAs which are legally enforceable and have prescribed contents under Article 28 GDPR, DSAs can take a variety of forms and do not necessarily convey any enforceable rights or actions.
What does the template include?
The new template published by NHSX covers the basic elements of personal data sharing including:
• Legal basis – there must be a lawful basis for processing personal data and so a full list of the Article 6 GDPR grounds for this are provided, allowing the parties to tick the relevant condition(s);
• Special categories – a further condition under Article 9 GDPR must be identified for processing special category data (which includes data relating to an individual’s health and so almost always likely to be engaged in any data sharing between health bodies) and so these conditions are also listed in full for the parties to select from (five of these also require additional conditions and safeguards to be met in Schedule 1 of the Data Protection Act 2018 and so a further section is provided to account for this);
• Process and risk management – the parties are required to identify how individual rights and preferences will be managed, how the sharing will be carried out and how various associated risks with sharing personal data will be dealt with. These aspects are in line with the Information Commissioner’s Office (“ICO”) guidance and will assist in providing evidence for any ICO investigation or decision that could be brought; and
• Confidentiality/privacy – the common law duty of confidentiality and the right to privacy are often overlooked in DSAs and so the template agreement requires the parties to outline how the duty of confidentiality will be satisfied and if there is any interference with Article 8 of the European Convention on Human Rights, why this is necessary and proportionate.
What does this mean?
It is important to note that the template is not mandatory and can also be amended locally. However, many in-house DSAs contain more information and attempts to provide binding requirements than strictly necessary. The NHSX template DSA provides a clear and consistent approach to managing personal data sharing which enables healthcare organisations to account for the necessary aspects required to ensure GDPR compliance.
The template and accompanying guidance on how to complete this can be accessed here.
