Step 2: Decide on the type of agreement required for sharing data

There are different types of agreements for different data sharing scenarios.

When to choose a data sharing agreement

In the health sector, there are some common scenarios in which setting up a data sharing agreement is required:

1. When sharing sensitive or personal data. When data is sensitive or can identify individuals, a data sharing agreement can ensure people or communities are protected from harmful impacts through specific clauses that set out requirements for how the data can be accessed, used, shared and deleted. See Box 1 for an example of sharing data in this way.

2. When sharing data for research. Researchers often access, use and share data from a variety of public and private sources via secure platforms, for example electronic health records databases. See Box 2 for an example of sharing data in this way.

3. When sharing data with alliances or professional networks. A data sharing agreement can help members to be clear on their rights and limitations to accessing, using and sharing data. For example, primary care providers often work together in a network or alliance model to provide continuity of care for individuals. See Box 3 for an example of sharing data in this way.

What to include in a data sharing agreement

A data sharing agreement should be clear about what, when and how data will be supplied, what it can be used for, and who is responsible for maintaining it.

Contracts can be drawn up each time, or be adapted from a template.

A data sharing agreement should include:

• The context – the reasons for sharing data and the parties involved.

• The data – a description of the data itself.

• Sharing – how the data is going to be shared between different parties, where the data can be accessed or transferred, identification of any potential cross-border issues that could affect access (such as geographic location) where the data will be stored, which party is responsible for hosting the data, and the duration the data will be shared for.

• Use – what the data can be used for.

• Derived data – who has rights to products that might be produced that incorporate data that has been shared.

• Personal data – specific clauses that set out how personal data will be stored, transferred and any limitations in use of personal data. Any clauses should be compliant with the relevant data protection legislation.

Box 1: Sharing personal or sensitive data

Vodafone Ghana, Flowminder and Office of National Statistics

Vodafone Ghana agreed to share data on movements of local populations, gathered from mobile phones, in order to allow non-profit organisation Flowminder to analyse and map data for the Ghana Statistics Service.

Originally, a non-binding agreement was planned by the parties involved, but the national data privacy regulator requested that a formal agreement be put in place to address risks and avoid harmful impacts. This case study describes the conditions and clauses that made up the agreement and the health impact that has been generated from sharing data. As this was the first of its kind for this type of data, it took 13 months for all parties to formalise the agreement.

Key terms of the agreement include how to anonymise the data, the specific uses of data permitted, and clauses to confirm that all parties will delete any copies of the data they make at the completion of the project.

Box 2: Sharing data for research

Denmark's research service platform and ongoing data use agreement

The Danish Health Data Authority, a government agency, oversees the availability of healthcare data for research purposes. Research institutions can enter into an ongoing agreement and request access to personal healthcare data, one task at a time, for analysis.

In these cases, research institutions are granted log in to a secure software platform that enables them to analyse data for their research. The data is pseudonymised and remains on the software platform to prevent risks of re-identification or use beyond the terms agreed by patients when sharing their data. Under Denmark's data privacy regulations, health data may be used for secondary use research purposes.

The data sharing agreement specifies that research institutions must be based in Denmark and meet regulatory and ethical requirements. In addition to the ongoing agreement, an individual application for each research use case must be submitted.

Box 3: Sharing data with alliances or professional networks

Penistone Locality Primary Care Network

This data sharing agreement covers all members of the Penistone primary care network in the UK.

It includes clauses that establish how data can be shared for delivery of primary care for patients who may be accessing multiple providers during their healthcare journey. It outlines the conditions where aggregated data may be used, sets out the regulatory context under which data sharing may occur, and stipulates the duration that shared data can be held by each member of the network, and the processes for reporting security incidents.

When to choose a data licence

When data is non-sensitive or there is no risk of identifying individuals (for example aggregated data about the health of a population), the data may be suitable for sharing more widely, or even publishing online. In this scenario, a data licence can help users to understand their rights to access, use and share data in the form of standard conditions. See Box 4 for an example of sharing data in this way.

An open licence is one that places very few restrictions on what anyone can do with the content or data that is being licensed. You can choose to make your content or data available under one of three levels of licence:

• A public domain licence which has no restrictions (technically, you waive your rights to the content or data).

• An attribution licence that says that reusers must give attribution to you.

• An attribution and share-alike licence which says that reusers must give attribution and share any derived content or data under the same licence.

A good licence must be clear on three aspects:

• What the user can do.

• What the user must do.

• What the user cannot do.

There are a number of templates available with standard terms included, for example:

• Creative Commons – templates and standard wording for open and non open licences for creative content and data.

• Open Data Commons – templates and standard wording for open database licences

• Also see further examples of standard licenses.

Box 4: Sharing data through a data licence

FAIRsharing.org

The non-profit FAIRsharing data platform and repository publishes data standards, data policies and datasets across a range of domains, including health sciences. Data is made available under the FAIR Framework principles. Data publishers can share their data on the platform. Except where data publishers have noted otherwise, content on the site is licensed under an open licence (Creative Commons Attribution and Share-alike (CC-BY-SA) International 4.0), which requires users to give attribution and share any derived content or data under the same licence.