Within Durham University, contracts and data exchange agreements are prepared by the Legal Services team upon receipt of instructions from the Budget Owner / Information Asset Owners and signed by one of our approved signatories. “[The data sharing agreement] should help you justify your data disclosure and prove that you have complied with and documented relevant compliance issues,” the OIC said in its draft code. The final version of the code will contain examples of checklists for sharing data and application and decision forms for sharing submission data. • For routine (i.e. at scheduled intervals) data exchange, different from ad hoc or single data exchange, it is necessary to define and agree in advance. • On this point, it is a good practice to have a data sharing agreement to clearly define (and limit) the purpose of the transmission (i.e. limit as much as you can the use by the recipient) to be aware of the roles of the parties (i.e. the abneciers/recipients are: independently of the controllers or joint controllers, or both, and to identify what will happen to the data at each stage. We (Eversheds Sutherland) would offer in particular to be aware of what will happen to the data when the purpose is achieved (does the recipient want to recover a copy of the data or is it simply deleted/destroyed?) All of this contributes to accountability. • Don`t forget the role of the DSB (if you have one) in data exchange agreements.

The DSB must be closely associated. The OIC has published, under the GDPR, updated guidelines for organizations regarding data processing contracts/agreements. The OIC said a data-sharing agreement “helps all parties to be aware of their respective roles; defines the purpose of the data transmission; covers what will happen to the data at each stage; and sets standards”. The agreement should not be written in a certain format, but it should be written in “clear, concise, easy-to-understand language,” he said. The OIC has also published a checklist for organizations that use data exchanges covering both systematic exchanges and ad hoc requests: • Data protection does not prevent the exchange of data. It is a question of approaching it in a judicious and proportionate way, especially when the sharing is done for commercial reasons. Information subject to a legal retention period is destroyed in accordance with the statutes. All other organizations that have a copy must also delete it in accordance with the law. These requirements must be included in the contract/sharing.

The Information Office (“ICO”) has published an updated draft Code of Conduct for Data Exchange1 (hereinafter referred to as “Draft Code”) for consultation2, which will become, upon completion, a Legal Code in accordance with Section 121 of the Data Protection Act 2018 (hereinafter referred to as the “Act”). The draft Code is an update of the OIC Code of Conduct on Data Exchange (May 2011) and aims to provide organizations with practical guidelines for the transfer of personal data in accordance with data protection rules, in particular the Law and the General Data Protection Regulation (Regulation (EU) 2016/679) (hereinafter referred to as “GDPR”). The draft code also aims to explain the law and make recommendations for good practices for private bodies, public sector bodies and those subject to the repressive system under the law. . . .