Data sharing and processing agreement (DSPA)
NHS England has produced a suite of universal information governance (IG) templates to support the lawful use of data within health and care. These templates may also be used by organisations in other sectors, particularly where they use or share data with health and care organisations.
What is a DSPA?
This NHS England template DSPA combines the requirements of a data processing agreement (DPA), data sharing agreement (DSA), and joint controller arrangement (JCA).
The DSPA is a legal document which sets out the roles and responsibilities for two or more parties that are sending, receiving or using data.
The DSPA can be used in a number of circumstances. For example, in a scenario where you and a number of other organisations within an Integrated Care System (ICS) are setting up a new electronic patient record system (EPR), the DSPA could be used:
- between you as the controller (the organisation deciding on why and how the data is being used and shared) and the EPR system provider as the processor (the organisation who is being instructed to use or share the data) as a legally-binding document of instructions being given to the processor
- to document data sharing between you and the other controller organisations to facilitate partnership working if you are able to view each other’s patient records
Why should your organisation use a DSPA?
In the following scenarios, completing a DSPA (or equivalent) is a legal obligation:
- your organisation is using a processor: you are legally obliged to document the instructions to the processor within the DSPA or an equivalent data processing agreement such as a DPA - for example, if you are using a technology provider to deliver a virtual ward app and dashboard, or if you are using a confidential waste disposal supplier to collect and destroy paper records
- you are acting with another controller as joint controllers of personal data (two organisations who have decided to use the same data for a shared purpose and in the same way): it is a legal obligation to have a DSPA or equivalent joint controller arrangement such as a JCA to establish each organisation’s responsibilities
In other scenarios, completing a DSPA (or equivalent) is good practice and will help you demonstrate accountability:
If you are routinely sharing data with another controller organisation, it is good practice but not a legal requirement to have a DSPA or equivalent document such as a DSA in place. It will also help you demonstrate compliance with the accountability principle of data protection law, because it demonstrates that you are taking responsibility for how you use information.
For example, it would be appropriate to complete a DSPA if you are setting up a new community service for mental health where GPs will share information about their patients to allow healthcare support workers to provide the patients with care. However, it is unlikely to be appropriate to complete a DSPA for one-off or ad hoc specialist referrals between health and care organisations.
In what circumstances can the universal DSPA template be used?
The DSPA template can be used when sharing health and care information and other types of information such as employment data. The template should not be used for research purposes. NHS organisations that are sharing information for research purposes should use the UK research template contracts and study agreements.
At what point should a DSPA be completed?
Whenever you share information with another organisation, you should consider whether a DSPA should be completed beforehand. Where the DSPA (or equivalent) is a legal obligation for the sharing arrangement, as in the situations outlined above, you must complete the DSPA (or equivalent) before using or sharing any data with the organisation.
If you are unsure about whether you are legally required to complete a DSPA, you should speak to your DPO, IG lead or team, or your management team. You may also want to seek legal advice, depending on the nature of the sharing arrangement.
How does the DSPA link in with contracts?
The templates and guidance on this webpage only cover requirements from a data protection perspective, and you should speak to your contracts or legal colleagues if you are unsure whether any additional contract documents are needed.
However, if your organisation is already intending to sign a contract with the other organisation(s) to cover wider legal requirements such as payments and clinical services, it is possible to reference or embed the DSPA into the main contract. For example, if the contract is on a framework and has a section to fill in for the data processing agreement, you do not need to populate that section but can add in text such as ‘All data processing requirements and terms have been captured in the DSPA [add name or reference number]’.
Who should fill out the DSPA?
As the majority of the content needed for the NHS England DSPA can be taken from the NHS England DPIA, any member of staff can transfer the information. This may be the project or service lead with input from the IG lead or team, or the IG lead or team may complete all of it, depending on your local arrangements.
The IG lead or team, DPO or management team for small organisations should review the agreement and ensure it is correct and complete.
You may wish to seek legal advice if you need support with this.
What information is needed to complete a DSPA?
You will need to know:
- the role each organisation plays in the sharing or processing arrangement
- the aims of using or sharing the information
- the types of information being used or shared
- the lawful basis for using or sharing the information
You should mostly be able to copy over this information from your DPIA.
What should your organisation do with the DSPA after it is completed?
The DSPA must be signed by all organisations who are using or sharing the information. This must be done by an authorised signatory, in accordance with your organisation’s governance process.
The signing can be done either by:
- physically signing the DSPA with a pen
- applying an electronic signature to the electronic document
- using an online portal that allows signatories to ‘sign’ the agreement by clicking a button to accept the terms
- recording agreement by all parties over email
Once all signatures are added, the document must be sent to all signatories through email or other means, or stored somewhere accessible to all parties, such as within the online portal if one has been used.
You should ensure that you have a robust process in place to allow you to comply with the review period set out in the DSPA. This must include clearly assigning responsibility for managing the review and keeping a record of when the review has taken place.
These IG pages provide clear and consistent IG advice and guidance to patients and service users, health and care staff and IG professionals. NHS England convenes a working group to check and challenge the guidance.
Last edited: 7 May 2026 12:44 pm