Data is the lifeblood of the digital age, powering everything from social media platforms to entire organisations. However, as the amount of data we generate, store, share and destroy grows, so does the need for effective data agreements.

In this post, we explore the different data agreements and their uses, so you can confidently navigate the world of data. As a bonus, we offer tips to decide which agreement is right for you.

Data sharing agreements

Outline the terms and conditions for data sharing.

For example, a hospital might share patient data with a medical research institution, provided certain conditions are met. These conditions might include:

  • anonymising the data,
  • restricting access to certain parts of the data, or
  • limiting data use to specific research purposes.

Information exchange agreement

NIST defines an information exchange agreement as “a document specifying protection requirements and responsibilities for information being exchanged outside of system authorization boundaries. Similar to the interconnection security agreement but does not include technical details associated with an interconnection.” NIST defines and interconnection security agreement as “a document specifying information security requirements for system interconnections, including the security requirements expected for the impact level of the information being exchanged for all participating systems”. You can also find examples in NIST SP 800-47 Rev. 1.

Note that these agreements normally apply to different types of information, including personal information (in which case you’d need to include aspects of a data processing agreement.

Data use agreements

Focus on how you can use rather than share data.

For example, a social media platform like TikTok might have a data use agreement specifying how to use user data for advertising. And your obligations would include limiting data use to certain types of advertisements or requiring users to opt in to data sharing for specific purposes.

Data processing agreements (DPAs)

Capture the relationship between a data controller (the party that decides why and how to process data) and a data processor (the party that processes the data on the controller’s behalf).

The law often requires DPAs if you process personal data. And they outline the responsibilities of each party and specify the terms and conditions of personal data processing.

Data-as-a-Service (DaaS) agreements

An agreement between a data provider and data user.

DaaS is a cloud-based service that provides access to large amounts of data on demand without requiring users to manage the underlying infrastructure or technology.

It’s often used in industries such as finance, where companies might use data from third-party providers to inform their investment decisions. Further, the agreement outlines the terms and conditions of data usage, including any limitations or restrictions on data access.

Data services agreements

Set out the terms and conditions for providing data-related services.

Data services can encompass various activities, including data analytics, processing, warehousing, and management. And the agreement typically defines the scope of services, the obligations and responsibilities of each party, and the payment terms.

Data ownership agreements

Specify data ownership and associated intellectual property rights.

It’s particularly relevant when multiple parties contribute to creating or generating the data. For example, in a joint research project, the data ownership agreement might specify how data ownership is divided among the different parties.

Data purchase agreements

Outline the terms and conditions for the purchase and sale of data. They’re also known as data supply agreements.

You can use this agreement to acquire data from another company or a third-party provider.

It typically includes the following clauses:

  • the data being purchased, such as the type of data, format, and quantity of data;
  • the purpose for which the data will be used; and
  • any restrictions on the use or disclosure of the data.

You would commonly use these agreements in marketing, advertising, and market research industries, where you may need access to large amounts of data for analysis and insights. Ultimately, they ensure you acquire the data legally and that both parties understand the terms of the transaction.

Proprietary information and inventions agreements (PIIAs)

A contract between the company (typically a startup) and its employees, consultants, or other individuals who access to the company’s confidential information or create intellectual property while working for the company.

A PIIA aims to ensure that any confidential information, trade secrets, or inventions created by employees or contractors while working for the company are owned by the company. It also helps to prevent the unauthorised use, disclosure, or theft of the company’s proprietary information.

How to decide which data agreement you need

Determining which data agreement is suitable for specific data transactions can be challenging. Why? Each agreement has its own unique terms and conditions. However, you can follow these steps to determine which agreement is right for you:

  1. Identify the purpose of the data transaction: Is it data sharing, data processing, data transfer, or any other purpose? This line of questioning helps narrow down the types of data agreements that may apply.
  2. Assess the type of data involved: Is it personal, sensitive, or another kind of data? The answer assists in determining the level of protection and security required.
  3. Understand the legal and regulatory framework: Become familiar with the legal and regulatory framework governing the specific type of data transaction and the applicable data protection laws.
  4. Seek legal advice: Reach out to us to better understand each agreement’s legal and practical implications.
  5. Evaluate the terms and conditions of the agreement: Assess the contract carefully, including data ownership, confidentiality, data security, data sharing, data breach response, and termination clauses.

Actions you can take next