This article is written by Nidhi Mishra, pursuing Diploma in Advanced Contract Drafting, Negotiation, and Dispute Resolution from LawSikho. The article has been edited by Ruchika Mohapatra (Associate, LawSikho) and Dipshi Swara (Senior Associate, LawSikho).
What is a Data Sharing Agreement?
A Data Sharing Agreement, as the name suggests, is an agreement entered into by the parties to regulate the terms and conditions of their data sharing activity.
In the digital era, data has become the new oil, and data privacy is a prime concern. In times when an individual’s digital data is being tracked, they should at least have control over what data is being stored and who is storing their personal data, along with the authority and means to delete it whenever they wish. The right to privacy is at maximum risk on the internet through theft of personal data and its use for monetary gain.
Purpose of a Data Sharing Agreement
A Data Sharing Agreement is necessary as it governs what data will be shared between the parties and for what purpose, as well as its collection, storage, use, transmission, re-use and destruction. It also covers what is to happen to the data at each stage, sets standards and helps all the parties to be clear about their respective roles, along with detailing what data is to be shared between them.
A properly documented and well-drafted data sharing agreement prevents any miscommunication between the parties and also prevents the misuse of data by the parties involved.
The amount of detail that is to be mentioned in the agreement should be commensurate with the nature of the data to be collected, the likelihood of a privacy breach, and the possible magnitude of harm that may occur to participants if their privacy rights were violated.
Applicability of a Data Sharing Agreement
This type of agreement is most common between governmental or private organizations involved in the area of research and policymaking. The agreement may or may not be for consideration; when there is no consideration, it is generally entered into in the nature of an MOU. Lack of consideration does not by itself make an MOU non-binding. It is the intention of the Parties, as inferred from the terms of the MOU, that makes it binding or non-binding, and a binding MOU is as enforceable before a court of law as any other agreement. Government departments and other public bodies, such as regulators and law enforcement bodies, may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data-sharing agreement. Recent examples include the CBDT and CBIC entering into one such agreement, and SEBI entering into a Data Sharing Agreement with the CBDT.
How is a Data Sharing Agreement different from a Non-Disclosure Agreement?
Data Sharing Agreements, as opposed to Non-Disclosure Agreements, are the primary contract between the parties governing their activity of sharing data. The sharing can be for any purpose, such as research activities, marketing activities or merely record-keeping.
Non-Disclosure Agreements, on the other hand, are more of an incidental contract to some main contract that defines the relationship of the parties. They are entered into to prevent any unauthorized use or transmission of confidential information that the parties might share as part of their business or other relationship. Here the parties first enter into a business contract, such as a software agreement, a staffing services agreement, a business collaboration agreement or any other agreement governing their business relationship. To protect the data that the parties may disclose to each other in furtherance of those agreements, they enter into a Non-Disclosure Agreement.
In both Agreements, Parties are bound by the confidentiality of the Data that is being shared between them, but in the former, Data Sharing is the primary act whereas in the latter data sharing is consequential to some business dealing or act.
Points to remember while drafting a Data Sharing Agreement
In addition to the other boilerplate clauses, one should keep the following pointers handy while drafting a Data Sharing Agreement:
- The Agreement should clearly and specifically state what data is being shared and for what purpose and whether the data is public data or personal data. Public data is available for the public at large and anyone can have access to it therefore security and protection of such data would be negligible whereas on the other hand private data is personal to the subject and cannot be shared without the subject’s prior permission and therefore would require stricter data protection and data security clauses.
The purpose of this Agreement is to facilitate the submission of data to Company X for the creation, use, and maintenance of a system of integrated social, health, and educational data concerning citizens of Country Z, in order to obtain a more complete understanding of the service needs, service gaps, and impact of services. The data will be used for the following purposes:
a. For inclusion in the case management system, to coordinate, manage, track, and report on the services provided to individuals and families. [Subject] agrees to allow the disclosure of personally identifiable information to the entities shown in Exhibit A to this Agreement provided that (i) appropriate consent or authorization if required for use, has been obtained from the individual or the individual’s parent or guardian; and (ii) role-based access control is assigned as specified in Exhibit A.
b. For research and evaluation purposes to study and report on the impact of services provided by organizations contributing data and to study and report on factors related to service provision, assessment of need, and topics relevant to innovating new approaches to benefit the citizens of Country Z.
- The time period of data sharing should be clearly mentioned. The Agreement should clearly state the duration for which the data can be used by the other party and what will happen post-termination, whether the shared data shall be returned to the disclosing party or destroyed by the receiving party.
Term: This Agreement shall be in effect for a period of five years from the Effective Date unless terminated before in accordance with the Termination clause. Parties shall have the option to renew the Agreement by mutual decision post completion of the Term of this Agreement.
Termination: This Agreement may be terminated by either party by giving thirty (30) days written notice to the other party. In the event of the termination of the Agreement, the Parties shall, upon request, (1) delete all data containing individually identifying information obtained under this Agreement; and (2) certify in writing within ten (10) business days that all copies of the data stored on cloud-based or local servers, backup servers, backup media, or other media have been permanently erased or destroyed.
- Provision should be made for the limited or unlimited use of the data and for its storage, protection and transmission. The agreement should clearly state whether the receiving party can use the data only for a single purpose and object, or whether it can be used repeatedly as and when the need arises. Further, the contract should also state whether the receiving party is allowed to disseminate the data to other third parties or to its own subsidiaries and affiliates, and to what extent.
a. Company X and Organization Y will be joint custodians of the raw and linked data sets and will be responsible for the observance of all conditions for use and for establishment and maintenance of security arrangements as specified in this Agreement to prevent unauthorized use.
b. Unless otherwise stated or modified in this Agreement, Company X and Organization Y shall manage, link, and store data as specified in Exhibit C to this Agreement.
c. Company X will not use Confidential Information for any purpose other than the purposes specified in this Agreement. Company X and Organization Y will fully cooperate with [Subject] in the event that an adult individual, or the parent or guardian of a minor under 18 years old, requests the opportunity to review his/her personally identifiable information disclosed to Company X and/or Organization Y by [Subject], or wishes to revoke their consent to data sharing with Company X and/or Organization Y. [Subject] will notify Company X and Organization Y in the event it obtains written consent for data sharing with Company X and Organization Y, a revocation of consent to share data with Company X and Organization Y, or a request to review personally identifiable information stored by Company X and Organization Y from an adult or the parent/guardian of a minor under 18 years old.
d. [Subject] will not release any data it receives as a result of its participation in this Agreement to any third parties not specifically authorized to have access to such data under this Agreement.
- The nature of the information that is shared sets the tone of the entire agreement. For example, if the data shared is personally identifying and highly restricted, it should be subject to intense scrutiny and safeguards, whereas anonymous information will require limited safeguards.
Data shall be provided by Provider in a sufficiently secure manner and Parties shall handle all Data in accordance with the applicable data protection law and shall keep such data confidential.
a. With respect to the data, the Recipient shall be considered to be a separate data controller under the applicable data protection law for the processing of the data for the Recipient’s research plan.
b. The Recipient shall implement appropriate technical and organizational measures to meet the requirements for data controllers under the applicable data protection law.
c. If the Recipient becomes aware of a personal data breach, Recipient shall promptly notify the Provider. In such a case the Parties will fully cooperate with each other to remedy the personal data breach, fulfil the statutory notification obligations in a timely manner and cure any damages. The term ‘personal data breach’ refers to Articles 33 and 34 of the GDPR.
d. In the event that the Subject withdraws his/her permission for the use thereof, Provider shall supply Recipient with sufficient information and Recipient shall immediately cease all use of the relevant data and shall delete all copies of the relevant data. Upon request from Provider, Recipient shall confirm in writing the complete deletion of such data.
Provider shall be the data controller of the data under the GDPR up until the moment the data is provided to the Recipient.
- Provisions regarding Data Protection should be two-fold: firstly, data protection and security need to be taken care of by putting in place relevant clauses regarding storage and transmission; secondly, efforts should be made to protect trade secrets and other related IP rights. A separate clause is required for the latter, and it should clearly state with whom the IP rights in the data lie and with whom ownership remains during and after the contract. The terms on which the receiving party is entitled to use the IP rights of the disclosing party also need to be part of the data-sharing agreement.
All rights, titles, and interests in Subject Data will remain the property of Subject. The Provider has no intellectual property rights or other claims to Subject Data that is hosted, stored, or transferred to and from the products or the cloud services platform provided by Provider, or to Subject’s Confidential Information. The Provider will cooperate with the Subject to protect the Subject’s intellectual property rights and Subject Data. The Provider will promptly notify the Subject if the Provider becomes aware of any potential infringement of those rights in accordance with the provisions of this Agreement.
- The consent of a data subject must always be obtained before his or her personal data is shared and the extent of sharing and extent of usage ought to be agreed upon by the data subject. In case of any deviation from the pre-arranged and pre-consented sharing, the contract would be declared to have been breached.
It shall be the responsibility of the Provider to take due permissions and authorization from the Subject before using and disseminating any personal data of the Subject to the Recipient.
- The amount of data and the forms in which it is available will determine how the data is shared, and ultimately raise the question of which party bears the cost of sharing it; a very specific provision governing this issue should be part of a data-sharing agreement. Is the data available in digital form or in hard copy format? What is the size of the data available? Which party would bear the cost of managing and procuring the devices required to store and transfer the data? If it is in hard copy format, which party would bear the cost of copying and transferring the data from one place to another?
The requisite data is available with the Provider in digital format and is of size 50 TB. It shall be the responsibility of the Recipient to procure storage devices for the transfer, storage and safekeeping of the Data.
- Even though the circumstances may require data-sharing, the data should not be shared in the following cases:
  - When the disclosing party does not hold the intellectual property rights,
  - When the subjects have expressed a preference not to have their data used or shared for other activities or other research,
  - When the data is embargoed or otherwise restricted under pre-existing agreements,
  - When the data is involved in litigation.
- The Liability clause should clearly establish the liability that the parties would incur in case of breach of any contractual obligation, such as when one of the parties discloses the data received from the other party to a person not authorized to receive it.
Provider agrees that it will monitor and test its Data Safeguards from time to time, and further agrees to adjust its Data Safeguards from time to time in light of relevant circumstances or the results of any relevant testing or monitoring. If Provider suspects or becomes aware of any unauthorized access to any Subject Data or Personal Data by any unauthorized person or third party, or becomes aware of any other security breach relating to Personal Data held or stored by Provider under this Agreement or in connection with the performance of services performed under this Agreement, Provider shall immediately notify Subject in writing and shall fully cooperate with Subject at Provider’s expense to prevent or stop such Data Breach. In the event of such data breach, Provider shall fully and immediately comply with applicable laws, and shall take the appropriate steps to remedy such Data Breach. The Provider will defend, indemnify and hold Subject, its Affiliates, and their respective officers, directors, employees and agents, harmless from and against any and all claims, suits, causes of action, liability, loss, costs and damages, including reasonable attorney fees, arising out of or relating to any third party claim arising from the breach by Provider of its obligations contained in this Section, except to the extent resulting from the acts or omissions of Subject.
Sample of Some Boilerplate Clauses
- Entire Agreement: This Agreement constitutes the entire agreement between the parties and supersedes all prior oral or written agreements.
- Severance: The invalidity or unenforceability of a provision shall not affect the other provisions of this Agreement and all unaffected provisions shall remain in full force and effect.
- Non-disclosure: The Recipient undertakes and agrees that the content of this Agreement (including, without limitation, the fact that this Agreement exists and the amount of the consideration payable) will not be disclosed to any third party by it other than to its professional advisers or as may be required by law or as may be agreed between the parties or to enforce the terms of this Agreement.
- Counterparts: This Agreement may be executed in any number of counterparts, which shall together constitute one Agreement.
- Costs: Each party shall incur its own costs and expenses in connection with the preparation, negotiation and implementation of this Agreement.
- Receipts: The receipt of money by either of the parties shall not prevent either of them from questioning the correctness of any statement in respect of such money.
- No Partnership: Nothing in this Agreement shall create or be deemed to create a partnership or the relationship of employer and employee between the parties.
- Authority: Each of the parties warrants that it has all necessary rights, authority and power to enter into this Agreement and that it has obtained all necessary approvals to do so.
- Third-Party Rights: Notwithstanding any provision to the contrary, a person who is not a party to this Agreement has no right under the Indian Contract Act, 1872 to enforce any term of this Agreement.
- Assignment: This Agreement shall not be assigned, transferred, mortgaged or otherwise encumbered or dealt with in any other manner by the Recipient except with the prior written consent of the Provider.
- Waiver: The waiver by either party of any breach or default of any of the provisions of this Agreement by the other party shall not be construed as a waiver of any succeeding breach of the same or other provisions. Any delay or omission on the part of either party to exercise any right that it has shall not operate as a waiver of any breach by the other party.
- Amendments: No amendment or modification to this Agreement will be effective or binding unless it refers to this Agreement and is in writing signed by both parties. The Schedule to this Agreement may be updated from time to time by, and initialled by, duly authorized representatives of the Parties.
- Survival: All provisions of this Agreement intended to survive the termination shall so survive the expiry of this Agreement and remain in force and effect.
- Other Rights: No exercise of any right by either party shall restrict or prejudice the exercise of any other right granted by or under this Agreement or otherwise available to it.
- Cumulative Remedies: Subject to the specific limitations set out in this Agreement, no remedy conferred by any provision of this Agreement is intended to be exclusive of any other remedy except as expressly provided for in this Agreement and each and every remedy shall be cumulative and shall be in addition to every other remedy given thereunder or existing at law or in equity by statute or otherwise.
- Agency: Nothing in this Agreement shall be construed as creating a joint venture of any kind or constituting any party an agent of the other for any purpose whatsoever. Parties shall not have the authority to contract in the name of the other party or create a liability against the other party in any way.
- Sub-Contractors: The Recipient shall not be entitled to perform any of its obligations under this Agreement through agents or subcontractors without the prior written consent of the Provider.
- Conflicts: In the event of a conflict between the provisions of this Agreement and any schedules or appendices, the provisions of this Agreement shall prevail.
- Set Off: The Provider shall be entitled to set off any amount of liability against any sum that would otherwise be due to the Recipient.
- Discretion: No decision, exercise of discretion, judgment or opinion or approval of any matter mentioned in this Agreement or arising from it shall be deemed to have been made by either Party except in writing.
- Further Assurance: At any time after the date of this Agreement the Recipient shall, at the request of the Provider, execute or procure the execution of such documents and do or procure the doing of such acts and things as the Provider may require for the purpose of giving to the Provider the full benefit of all the provisions of this Agreement.
Data Protection Law: Indian Scenario
Currently, India does not have any distinct and specific law governing the technicalities of data sharing activity. However, the Right to Privacy under Article 21 of the Constitution of India, and a few provisions such as Section 43A and Section 72A of the Information Technology Act, 2000 and the rules thereunder, do touch upon the issue. These laws are definitely not enough to govern the issue and certainly have loopholes. The ambit of the IT Act and its Rules is restricted: most of the provisions apply only to sensitive personal data collected through a computer resource, the regulations are limited to corporate entities that perform automated data processing, and consumers can take enforcement action under only a few provisions. There are no regulations on data localization, which is the main concern and the reason for India’s ban on Chinese apps. But these laws cannot be blamed, as they were not primarily drafted for data protection. The following legislation, which deals directly with the digital rights of the people, is in the legislative pipeline.
Personal Data Protection Bill, 2019
The key features of the draft PDP Bill encompass different forms of personal data and their protection, with a centralized data protection authority or regulator. It widens the rights of an individual with respect to their personal data and its protection. Penalties for non-compliance are outlined in the bill as well. The application of the draft bill is extraterritorial in nature and would also make foreign organizations liable for any breach of personal data of the subjects if a reasonable nexus is established between the foreign organization and the subject with respect to the breach.
Digital Information Security in Healthcare Act, 2017 (‘DISHA’)
Like every other sector, the health sector has been digitized. With applications ranging from online consultation to medicine delivery and laboratory tests, the personal health data of subjects is all over the internet and is prone to the risk of privacy breach.
The Digital Information Security in Healthcare Act (‘DISHA’), when enacted, would be India’s first health-data-specific legislation and would come with provisions governing the storage and exchange of the health data of subjects. It would establish a stricter privacy and security programme for digital health data, with a central and a state-level regulatory authority for enforcement and adjudication.
Non-Personal Data Governance Framework (‘the NPD Framework’)
This would elaborate on the different types of Non-Personal Data that may be collected and stipulate what private and public rights are associated with it. There would be a separate regulatory body to regulate the sharing of such data, and private entities would be exempted from any such transfer.
All in all, with COVID-19 hitting the world and use of the internet becoming a vital aspect of everyday activities, potent Data Protection Laws are the need of the hour, and privacy that is delayed is privacy that is denied. However much an efficacious law is required, there is no substitute for a well-drafted Data Sharing Agreement. Good data protection law is the future, but good contract law is the present, and one must remember while drafting a Data Sharing Agreement that it is not the substantive data protection law that will protect your client, because ignorance of the law is no excuse; rather, a well-drafted liability and indemnification clause might.