
Contract and agreements

Contract and agreements required to access data from NHS England and how they are audited and reviewed

All organisations that gain approval to receive data from NHS England are subject to the terms set out within a Data Sharing Framework Contract (DSFC) and a Data Sharing Agreement (DSA) specific to each instance of approved data access.

Some services to access data may also have agreements in place for using the service.  

You are encouraged to identify the signatories for the DSFC, DSA and any service agreements which apply to you as early as possible within the DARS process.  This helps to avoid delays to your access to data.  Please ensure that the signatories you identify are aligned with any delegated arrangements your organisation has in place.  

The different types of agreements explained below are: 


Data Sharing Framework Contract (DSFC)

A DSFC is an overarching document that specifies the basis for data to be shared. It explains the terms and conditions of how data must be managed once it has been released to the controller.  

All data controllers that request data from NHS England are required to have a DSFC.   

Learn more about the role which organisations play in data access, including data controllers. 

A DSFC ensures that data sharing controls are in place, and grants NHS England the right to carry out audits to check that data is processed in line with the terms of the DSFC and DSA.  

The DSFC sets out: 

  • the responsibilities of the recipient organisation 
  • restrictions on data use 
  • the security to be provided by the recipient 
  • how to keep information confidential 
  • how to meet the requirements of the Data Protection Act 
  • how to ensure the destruction of information at the end of a contract 

The individual that approves the DSFC is usually a senior staff member such as a Senior Information Risk Officer (SIRO) or equivalent.


Data Sharing Agreement

A Data Sharing Agreement (DSA) is created for each specific approved data access request.  

An organisation will only have one DSFC but may have many DSAs covering its access to data.

A DSA describes:

  • the specific data being shared
  • the purpose of the data use
  • security and confidentiality measures
  • legal basis for processing
  • services to access data

The DARS process ensures that no data flows without a signed and approved DSA.  


Information on DSA and DSFC audits, annual reviews and breaches

Audits

NHS England carries out independent audits and post-audit reviews to check that our customers are meeting the obligations of their DSFC and DSAs.

These audits help us to ensure the data is kept safe and secure and our customers are abiding by the terms and conditions set by the agreement.  

Annual reviews

NHS England carries out reviews annually with all customers with a Data Sharing Framework Contract (DSFC) and Data Sharing Agreements (DSA).  

This review ensures that the DSFC remains up to date, that data controllers continue to comply with DSAs, and that DSAs are being properly managed.

NHS England checks that any data shared under DSAs is used lawfully and in line with agreed terms, with no breaches of the data sharing arrangements.

DSFC or DSA breaches

If an organisation believes they have not acted in accordance with the terms of their DSFC or DSA, they must act immediately.   

The first action is to control/stop the activity and then to contact the Data Access Request Service. NHS England will provide a confirmation receipt of this contact, so if you do not receive one, please contact DARS directly (as per section 4.1.8 of the DSFC). You may also be required to undertake additional actions as outlined within the Data Security Protection Toolkit (DSPT).

In such circumstances NHS England will look to establish the details of what has happened, whether this constitutes a breach of agreement, the level of seriousness and what actions should be taken. 

Ultimately a breach of the agreement(s) could result in the need to destroy the data held and the termination of the DSA and the DSFC. This is clearly a position that all would wish to avoid, and DARS are keen to work with organisations to ensure they fully understand and meet their obligations.

An organisation also has obligations to notify the Information Commissioner's Office (ICO) in specific circumstances.

Notifying NHS England does not remove those obligations, which exist separately and must be complied with.


Service agreements for services to access data

Some services to access data have service agreements. 

Service agreements enable you to use the data access service, meeting the terms of use required for specific services to access data.  During the DARS process you will be advised of the service agreements which are applicable to your request to access data.  

Last edited: 13 May 2026 1:19 pm