Establish the legal and technical terms of sharing
“There was a lot of discussion over issues like the jurisdiction or the length of the intellectual property rights. Occasionally you would go back and forward for weeks on end, and then realise that it was just a language barrier.”
(Data Provider Liaison Lead, Data Pitch)
The risk assessment, the purpose and selection of the data feed into the terms that are set down in the contract(s) governing the data sharing relationship. Beyond general terms, such as the jurisdiction for resolution of any disputes, the contract might include terms around licenses for the data, data protection obligations, and intellectual property rights in the results.
Depending on the stakeholders involved, especially whether an intermediary is involved or not, the signatories to the agreement may be different. If the data sharing relationship is set up directly between a data holder and a data user, a simple bilateral contract will suffice. An intermediary may broker a relationship between data holders and data users so that they can sign a bilateral agreement; or they may be involved in the contractual relationship itself. While this adds complexity to the relationship, it also has benefits, such as the option to select data holders and data users at different points in time (as was the case with Data Pitch), or the intermediary acting as an arbiter, ensuring both data holder and data user gain sufficient benefit from the relationship.
Data sharing arrangements can be one:one, one:many, many:many and, conceivably, many:one. Beyond the general due diligence checks to ensure the data is shared between legitimate parties, the exact terms of this relationship need to be negotiated. The main concern for data users as well as data holders will typically be the terms under which the data that is shared (its purpose of use, length of time, etc.), and ownership of any outcomes. A data sharing agreement can set out what the shared data includes and which anonymisation or pseudonymisation it has been subjected to, how and when the data will be shared, and the obligations and liabilities of all parties, especially with regards to data protection, and what happens with the data upon completion of the contract.
Data holders should decide what terms they can accept to share data. Considerations could include:
- Who owns the intellectual property rights in the outcome of a data sharing process?
- What outcome is required in order to justify the required resources?
- What data do data users get access to, and for how long?
- How will any disputes get resolved?
This negotiation will be an iterative process, where the data, purpose of use, and implications, are revised in context; this requires expertise that may have to be brought in, especially since GDPR is not yet well understood in many organisations. Data users may need support in identifying and mitigating risks related to the use of personal data. It is in the interest of both data holders and intermediaries to ensure that this is provided, as all stakeholders may be liable in case of a data protection breach. All parties to a data sharing agreement need to be aware of the data protection implications of the shared data, to ensure they follow procedures and minimise the risk of breaches when the data is used.
As well as the legal framework for sharing, the technical framework must be addressed. How will data users access the data? Where can they work on it? What processes must be undergone at the end of the data sharing period (as defined in the legal agreement)? As shown earlier in this toolkit, there are a number of data sharing spaces emerging that offer platforms and tools for data sharing. However, successful data sharing has also taken place through more commoditised routes such as via Amazon Redshift or the Google Cloud.
Key resources:
Data legality reports: These reports reflect on the process and considerations in setting up two of the most crucial contract templates for use in Data Pitch.
https://datapitch.eu/data-legality-report/
Data sharing agreements: As part of the Data Pitch programme, asynchronous bilateral data sharing contracts were created. These are the SME Contract which sets out the terms and conditions of how the Data Pitch consortium engages with SMEs for the duration of the programme, as well as the data provider (data holder) agreement which sets out the terms and conditions for those organisations that are sharing data. All of these are available for information and inspiration:
- For data holders: https://datapitch.eu/DSA-data-holders/
- For data users with data shared by a Data Pitch data holder: https://datapitch.eu/DSA-dp-data/
- For data users who recruited their own data holder: https://datapitch.eu/DSA-own-data