The NHS’s New Data Sharing Agreement

NHSX has published a new Data Sharing Agreement (DSA) template. The template is a great tool for companies collaborating with NHS organisations to access and use data for R&D, and for companies which access and use data as part of their provision of services to the NHS.

We’ve set out our top 5 takeaways below:

  1. What’s in a name? Data Sharing Agreement is a misnomer – this is not an agreement at all, but more of a compliance checklist for NHS organisations sharing personal data with third parties. The DSA does not actually convey any enforceable rights or actions on the parties to the agreement. Where enforceable rights are required, parties should still agree to a Data Processing Agreement.
  2. So what’s the purpose? Organisations involved in data collaborations with NHS organisations will know that one of the key risks is the basis (or lack of a basis) on which NHS organisations share data with third parties. The DSA is aimed at addressing that risk, and can help demonstrate compliance with the GDPR and the common law duty of confidentiality.
  3. What will I need to do? The DSA requires parties to expressly set out the legal bases for processing and sharing data under the GDPR. The template even takes the step of setting out each potential legal basis for processing under Articles 6 and 9 of the GDPR. This leaves less room for error and encourages organisations to consider grounds other than GDPR consent.
  4. Other GDPR risks addressed? The DSA require parties to address how data subjects’ rights will be managed, the process for breach management, and how data subjects will be provided with privacy notices.
  5. And not forgetting confidentiality…. UK laws on confidentiality can sometimes be overlooked in data sharing arrangements with the NHS (often with negative consequences down the road). The DSA takes a more holistic approach to compliance, and requires the parties to set out the basis on which confidential patient information is disclosed outside the direct patient care context.

Do get in touch if you are seeking advice on your data collaborations with the NHS.


Jaspreet is a Senior Associate, and advises clients on complex issues at the intersection of healthcare, data and technology. Her practice has a particular focus on accessing and using patient data, innovative collaborations with hospitals, and the use and regulation of AI in the healthcare space.