As of July 2019, the National Health Service in Great Britain founded NHSX by combining teams from the UK Department of Health and Social Care, NHS England and NHS Improvement. NHSX is a digital health and social care transformation programme designed to advance the UK’s long-term plans for digital transformation. NHSX published a Data Sharing Agreement Template on December 18th 2020, which is discussed below.
What does NHSX understand as a Data Sharing Agreement (DSA) Template?
NHSX created a DSA template in addition to the UK data protection authority’s template for a data processing agreement (you can download it here: https://www.nhsx.nhs.uk/documents/57/Template_Data_Sharing_Agreement_-_MASTER_1.docx). It aims to provide stakeholders in the health and care sector with guidance for complex relationships that involve the sharing of (special) categories of personal data within a project or programme. NHSX states that its purpose is to cover relationships between organisations acting as separate controllers that use the same processors. For example, two hospitals acting as separate controllers may use the same processor to collect and analyse personal data on their behalf. It is explained that the template should be used in addition to a Data Protection Impact Assessment where one is required for the project or programme.
What is included within the Template?
The DSA requests parties to provide details on the following aspects:
- Contact details of the parties involved and Information Governance and Caldicott Guardian;
- Purposes and objectives of the information sharing;
- Processors involved;
- Data items including a justification for using them;
- Legal basis of processing (special) categories of personal data in accordance with the UK GDPR;
- How the rights of data subjects (such as rectification) are managed, retention and disposal requirements, and how complaints and breaches are handled;
- Whether the National Data Opt-Out (XXX) applies to the proposed purpose for sharing;
- Compliance with the duty of confidentiality and how proportionality assessments of interferences with human rights are documented;
- Information relating to transparency towards the data subjects whose data would be processed;
- A description of how personal data would be shared, including the mechanisms, outputs/analysis and frequency of sharing, and the safeguards for transferring data outside the UK; and
- Commencement, review of the agreement and the corresponding periods, variations, the process for ending the agreement and the end date.
The DSA seems to function as an umbrella document for the different relationships stakeholders might have. However, some wording is not clearly defined; for example, “data items” seems to deviate from the UK GDPR’s definition of (special) categories of personal data. In addition, the level of detail required in the DSA also remains unclear, as no further guidance has been published and no formal opinion from the UK Data Protection Authority is currently available.
Has it been reviewed by the UK’s Data Protection Authority?
No, there is no information available on whether the DSA has been reviewed by the UK data protection authority. Considering the three different roles in the data protection framework, the scope of this document does not seem completely accurate. NHSX recommends this document for relationships where control may be separate. However, the concept of joint controllership appears not to have been considered, even though it is an essential data protection role foreseen by the UK GDPR. Joint control within the meaning of Art. 26 (1) of the UK GDPR is a situation where “two or more controllers jointly determine the purposes and means of processing”. According to the information published on its website (https://www.nhsx.nhs.uk/information-governance/guidance/data-sharing-agreement-template/?utm_source=twitter&utm_medium=social&utm_campaign=ig_staff), NHSX intends the document to be used between separate controllers rather than between joint controllers, even though the substance of the document seems to relate more to a situation where different parties decide to enter into a project or programme together and jointly determine the means and purposes of processing. Could it simply be that this DSA has received a not completely accurate name? Yes, this could be the reason; however, it would be interesting to learn how the ICO will assess this NHSX initiative and use its advisory powers to improve this underlying and beneficial initiative. From an organisational point of view, this template might serve as a first reference for asking the ICO for more detailed guidance covering complex relationships between controllers that jointly determine means and purposes.