Search for:

In brief

NHSX has published a new data sharing agreement (DSA) template. The template is a great tool for companies collaborating with NHS organizations to access and use data for R&D, and for companies who access and use data as part of their provision of services to the NHS.


We’ve set out our top five takeaways below:

  1. What’s in a name? The DSA is a misnomer — this is not an agreement at all, but more of a compliance checklist for NHS organizations sharing personal data with third parties. The DSA does not actually convey any enforceable rights or actions on the parties to the agreement. Where enforceable rights are required, parties should still agree to a data processing agreement.
  2. So what’s the purpose? Organizations involved in data collaborations with NHS organizations will know that one of the key risks is the basis (or lack of a basis) on which NHS organizations share data with third parties. The DSA is aimed at addressing that risk and can help demonstrate compliance with the GDPR and the common law duty of confidentiality.
  3. What will I need to do? The DSA requires parties to expressly set out the legal bases for processing and sharing data under the GDPR. The template even takes the step of setting out each potential legal basis for processing under articles 6 and 9 of the GDPR. This leaves less room for error and encourages organizations to consider grounds other than GDPR consent.
  4. Other GDPR risks addressed? The DSA requires parties to address how data subjects’ rights will be managed, the process for breach management and how data subjects will be provided with privacy notices.
  5. And not forgetting confidentiality…. UK laws on confidentiality can sometimes be overlooked in data sharing arrangements with the NHS (often with negative consequences down the road). The DSA takes a more holistic approach to compliance and requires the parties to set out the basis on which confidential patient information is disclosed outside the direct patient care context.

Do get in touch if you are seeking advice on your data collaborations with the NHS.

For more information please contact Jaspreet Takhar of our London office.

Author

Jaspreet advises market-leading tech and healthcare companies on issues at the cutting-edge of digital health. She focuses on the development and regulation of healthcare technology and data solutions. This includes assessing how digital health solutions can comply with the legal framework for data privacy, medical research and medical devices / pharmaceuticals.