New NHSX Template Data Sharing Agreement for Healthcare Providers
On 18 December 2020, NHSX released a template Data Sharing Agreement (“DSA”) for healthcare providers to use when sharing patient data with third party data controllers. The template DSA is designed to help healthcare providers demonstrate compliance with GDPR, confidentiality obligations and patients’ privacy rights.
Whilst data sharing agreements (“DSAs”) are not mandatory, the Information Commissioner’s Office (“ICO”) considers it to be good practice for data controllers to enter into DSAs with third parties with whom they share personal data. The rationale is that DSAs can help the parties to understand and demonstrate compliance with their legal obligations in relation to that data.
NHSX have produced a useful template DSA which healthcare providers may wish to use before sharing personal data with third parties. The template allows the parties to select the relevant grounds in Article 6 GDPR for lawfully processing personal data as well as the relevant conditions in Article 9 GDPR for lawfully processing special category data such as medical records. The template also encourages data controllers to consider and document how they intend to comply with their common law duty of confidentiality to patients and what, if any, effect there will be on patients’ privacy rights. As such, DSAs are likely to help data controllers satisfy the accountability principle in Article 5 GDPR.
It should be noted that DSAs do not contain legally enforceable rights and actions. If healthcare providers are sharing data with a third party for the third party to process the data on their behalf, the personal data will not be crossing a controllership boundary and is not being shared. However, controllers are legally required under Article 28(3) GDPR to enter into a written contract with their data processors, often referred to as a Data Processing Agreement. Amongst other things, Article 28 requires that such contracts address the nature and purpose of the processing, the type of personal data being processed and the parties’ rights and obligations.
This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.