skip to primary navigationskip to content

Data Sharing and Data Processing Agreements

The ICO updates its guidance on General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA) regularly. It also offers a range of resources and support that can be accessed here.

The duties and responsibilities of organisations in relation to the GDPR depends on the legal definition of the role under which they carry out the processing activities. The GDPR identifies these roles as:

  • Data Controller
  • Joint Data Controller
  • Data Processor

For more information, see the ICO’s guidance on these roles. As some of the relationships above require contracts, the ICO has also produced guidance on contracts and liabilities between Data Controllers and Data Processors.

Depending on the College’s relationship with other organisations, you may find that the College occupies more than one of the above roles. The Office of Intercollegiate Services has produced a range of data sharing agreement templates which the Colleges can amend and adapt as required to meet their specific scenarios.




Colleges are advised to review these statements regularly to ensure they remain up-to-date. Version controls should be maintained and previous versions stored for auditing purposes.