What legal teams need to know about data sharing agreements

As 2020 looms, the consensus view among business leaders, politicians and policymakers is that any organisation that isn’t leveraging the data it has access to is doomed to irrelevancy. That means a lot of lawyers who graduated long before anybody uttered the words Big Data will likely soon be called upon to create, or at least audit, data-sharing agreements. That’s a job that’s become increasingly high-stakes now many nations, and supranational entities such as the EU, have tightened up their privacy laws.

Tom Griffin is Head of Legal at Data Republic. Below, he explains why your organisation’s current arrangements are probably inadequate and the steps you can take to rectify that situation.

The 0km/h or 100km/h status quo  

“It’s been my experience that organisations either have no proper data-sharing contract in place or one that is ridiculously restrictive,” Griffin says. “The metaphor I use is that the car is either stationary or going at 100 kilometres an hour. Sometimes, in-house legal counsel is acutely aware of the potentially dire reputational and financial consequences of their organisation not treating data correctly. So, they create heavy-handed data-sharing agreements that don’t much benefit either party. That’s the equivalent of buying a car but keeping it parked in the driveway.

“More commonly, in-house legal counsel hopes that pre-existing contracts, usually ones that don’t specifically address data sharing, will suffice. Or that data sharing can be somehow shoehorned into existing provisions around confidential information and intellectual property. That’s the equivalent of buying a car then driving everywhere at 100 kilometres an hour.”

What an effective data-sharing agreement looks like

Griffin says data-sharing agreements should be crystal clear about:

  • What data is being shared
  • The conditions in which that data can and can’t be used
  • The purposes the data will be used for
  • How the data is stored. (For instance, does it need to be encrypted or deidentified?)
  • What happens to the data when it is no longer required
  • How requests from individuals to have their data amended or deleted will be handled

Griffin also makes the point that before they can think about shopping it around, organisations need to know what data they possess and whether they have the right to share it.

“Some organisations are hazy about what data they have and where it was sourced from,” he says. “If an organisation is collecting data from its customers, it needs to have a privacy policy in place. One that sets out the conditions in which customers’ data will be collected, used, stored, secured and disclosed. The organisation’s legal counsel is responsible for ensuring there is a clear line of sight and chain of consent all the way from the consumer the data came from through to the third party it is being shared with.”

Don’t keep reinventing the wheel

As the open-data tsunami picks up speed, the number of data-sharing arrangements your organisations will enter into is likely to multiply. That being the case, you’ll want a repeatable, interoperable legal framework in place.

“You want to know what the data set is, to have established what permitted use means, and to have put standards in place around storage and security,” Griffin says. “That way, when new data-sharing opportunities arise, the legal side of things can be sorted out quickly and easily.”

A handy workaround

Just because drawing up or auditing a data-sharing agreement isn’t rocket science, that doesn’t necessarily make it a good use of a legal department’s time. Especially if there is an affordable alternative readily available.

“As I know from personal experience, in-house legal teams almost always have a lot on their plate,” Griffin says. “As well as providing the technological infrastructure to make data sharing as frictionless as possible, Data Republic also has a template – the Data Republic Legal Framework – organisations can sign up to.

“If Organisation A and Organisation B want to share data, their legal teams will still need to work out the details. Such as what data is going to be shared, and for how long, and at what price. But the legal framework Data Republic provides means the broad rights and responsibilities of each party are laid out. This framework also makes it easy for organisations to negotiate and agree to licensing terms for inter-organisational data-collaboration projects.”