Data Sharing Agreement Guide South Africa
A data sharing agreement is a contract or formal arrangement used when one organisation shares personal information with another organisation and both parties want clear rules about what may be shared, why it is shared, how it will be protected, and who is responsible for what. In South Africa, this is closely linked to POPIA, because POPIA regulates how personal information is processed by a responsible party, and it also distinguishes that role from an operator who processes information on behalf of a responsible party under contract or mandate.
This guide explains what a data sharing agreement is, when to use one in South Africa, how it differs from an operator agreement or DPA, and what clauses a South African POPIA-aware data sharing agreement should usually include.
What is a data sharing agreement?
A data sharing agreement is a document that sets out the rules for disclosing or exchanging personal information between organisations. It is often used where:
- one responsible party shares data with another responsible party
- two organisations cooperate on a service, programme, or project
- personal information moves between entities for a defined lawful purpose
- the parties want written rules on security, purpose limitation, access, retention, and breach handling
A good data sharing agreement usually explains:
- what data is being shared
- why it is being shared
- the legal basis for the sharing
- which party is responsible for which obligations
- what security measures apply
- whether onward sharing is allowed
- how long the data may be kept
- what happens if there is a security compromise
Why a data sharing agreement matters in South Africa
In South Africa, POPIA requires responsible parties to process personal information in accordance with the lawful processing conditions. Official Information Regulator guidance repeatedly refers to those eight lawful processing conditions and makes clear that responsible parties must comply with them when processing personal information.
A data sharing agreement helps organisations apply those rules in practice by documenting:
- the purpose of the sharing
- the limits on use
- accountability between the parties
- security measures
- breach notification flow
- retention and disposal expectations
That is especially important where the sharing is routine, sensitive, large-scale, or operationally important.
Data sharing agreement vs DPA vs operator contract
This is one of the biggest practical distinctions.
Data sharing agreement
A data sharing agreement is generally used where one organisation shares personal information with another organisation that will use it within its own lawful role, often as another responsible party or in a shared arrangement.
Operator agreement or DPA
Where one party processes personal information for another party, as an operator, POPIA sections 20 and 21 require a written contract between the responsible party and the operator. Section 20 says the operator must process only with the knowledge or authorisation of the responsible party and must treat personal information as confidential, while section 21 says the responsible party must ensure by written contract that the operator establishes and maintains the required security measures.
So a South African organisation should first ask:
- are we sharing data with another responsible party, or
- is the other party actually acting as our operator?
If the second case applies, a POPIA operator agreement is required.
Responsible party vs operator under POPIA
This distinction matters a lot.
The Information Regulator materials define a responsible party as the person who alone or jointly determines the purpose of and means of processing personal information. The same materials define an operator as a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that responsible party.
That means a data sharing agreement should not be used blindly for every transfer of data. The legal role of each party should be clear first.
When to use a data sharing agreement
A South African data sharing agreement is useful when:
- two organisations collaborate and need to exchange personal information lawfully
- one entity shares customer, member, student, patient-adjacent, donor, or employee-related information with another responsible party
- a business group shares personal information between related entities for a defined operational purpose
- a school, nonprofit, medical-adjacent service, or professional body shares data with another body for a legitimate programme purpose
- the parties want written rules on purpose, security, access, retention, and breach escalation
- the sharing is recurring or sensitive enough that a formal document is necessary
It is especially useful where the shared information may include identity information, contact details, account records, usage records, or other sensitive datasets.
When not to use it
A data sharing agreement may not be the right document if:
- the receiving party is really just acting as an operator on behalf of the sender
- the issue is internal access within one legal entity, not sharing between separate parties
- no personal information is being shared at all
- the arrangement is purely a website privacy notice issue rather than an inter-organisation arrangement
- the parties need a direct marketing consent form, privacy notice, or service agreement instead
- the data sharing is unlawful in principle and cannot be fixed by contract wording alone
A data sharing agreement is a control document, not a cure for unlawful or excessive sharing.
POPIA principles relevant to data sharing
A South African data sharing agreement should reflect the lawful processing framework under POPIA. Information Regulator materials emphasise that responsible parties must comply with the eight lawful processing conditions in Chapter 3.
In practical terms, data sharing should usually be checked against:
Accountability
Someone must remain responsible for lawful processing.
Purpose limitation
The data should be shared for a specific, lawful purpose related to a function or activity of the responsible party. Official Regulator materials say personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.
Further processing limitation
The receiving party should not use the information for unrelated purposes unless another lawful basis exists.
Information quality
The parties should consider whether the information being shared is accurate and suitable for the purpose.
Openness and transparency
Data subjects should be informed appropriately where required.
Security safeguards
Section 19 of POPIA requires the responsible party to secure the integrity and confidentiality of personal information by taking reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction, and unlawful access or processing.
Security and breach handling
Security is one of the most important parts of any South African data sharing agreement.
The Information Regulator’s POPIA page summarises section 19 by saying the responsible party must secure the integrity and confidentiality of personal information using reasonable technical and organisational measures.
If the arrangement involves an operator, POPIA section 21 requires the written contract to ensure the operator establishes and maintains the relevant security measures. Section 21 also requires the operator to notify the responsible party immediately where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person.
Section 22 then requires the responsible party to notify the Regulator and, in many cases, the data subject as soon as reasonably possible if there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.
A good data sharing agreement should therefore set out:
- required security standards
- who investigates incidents
- who notifies whom
- timelines for internal escalation
- who communicates with the Information Regulator and data subjects where required
Cross-border sharing
If personal information will be supplied outside South Africa, that should be addressed clearly. The Regulator’s PAIA manual refers to the right of data subjects to know whether personal information will be transferred outside the Republic and the recipients or categories of recipients to whom the personal information may be supplied.
That means a South African data sharing agreement should clearly state:
- whether any cross-border transfer will happen
- where the data will go
- who will receive it
- what safeguards apply
Key clauses in a South African data sharing agreement
A strong South African data sharing agreement should usually include the following.
Parties and roles
Identify the parties and state clearly whether each is acting as a responsible party, joint responsible party, or operator.
Purpose of sharing
Explain the specific lawful purpose for which personal information is shared.
Categories of personal information
List the types of information being shared.
Data subjects
Identify whose information is involved, such as customers, employees, students, users, donors, or members.
Lawful basis and POPIA alignment
Record the reason the sharing is allowed and how the parties will comply with POPIA.
Restrictions on use
The agreement should say that the receiving party may only use the information for the defined purpose.
Security measures
State the technical and organisational safeguards that apply.
Retention and deletion
Explain how long the receiving party may keep the information and what happens when retention is no longer justified.
Incident management
Set out security compromise notification and response responsibilities.
Onward sharing
State whether the receiving party may share the information onward and on what conditions.
Audit, assurance, or compliance cooperation
Where appropriate, require cooperation on compliance reviews, data subject requests, and incident investigations.
Common mistakes
Common mistakes in South African data sharing arrangements include:
- confusing a data sharing agreement with an operator agreement
- not identifying the parties’ POPIA roles correctly
- sharing data without a clearly defined purpose
- allowing vague reuse of data for “business purposes”
- failing to address breach escalation and notification
- not dealing with cross-border transfer issues
- assuming a generic NDA is enough to regulate personal information sharing
- ignoring retention and deletion rules
- not aligning the agreement with actual system access and data flows
Practical questions before signing
Before using a data sharing agreement in South Africa, ask:
- Are both parties responsible parties, or is one an operator?
- What exact data is being shared?
- Why is it being shared?
- Are data subjects aware where required?
- Will the data leave South Africa?
- What security measures apply?
- Who must notify the Regulator or data subjects if there is a compromise?
- How long will the receiving party keep the information?
Example of when this guide is useful
This guide is useful for:
- two South African organisations collaborating on a programme involving personal information
- a group of companies sharing customer or employee-related data internally across entities
- a nonprofit sharing beneficiary information with a delivery partner
- an institution documenting POPIA controls around operational data exchange
- a business formalising rules for lawful personal information sharing with another organisation
FAQ
What is a data sharing agreement in South Africa?
It is an agreement that sets the rules for sharing personal information between organisations, including the purpose of sharing, security, use limits, and responsibility allocation.
Is a data sharing agreement the same as a POPIA DPA?
Not always. If the receiving party is acting as an operator for the responsible party, POPIA sections 20 and 21 require a written operator contract. If the information is being shared with another organisation acting in its own responsible-party role, a broader data sharing agreement may be more appropriate.
What does POPIA say about operators?
POPIA requires a written contract with the operator, and says the operator may process only with the knowledge or authorisation of the responsible party and must treat the information as confidential.
Who must secure the personal information?
POPIA section 19 places the duty on the responsible party to secure the integrity and confidentiality of personal information through reasonable technical and organisational measures.
What happens if there is a security compromise?
Under POPIA, the operator must notify the responsible party immediately where there are reasonable grounds to believe the information has been accessed or acquired by an unauthorised person, and the responsible party may then have notification duties to the Regulator and the data subject.
Do I need legal advice for a South African data sharing agreement?
For important or sensitive data-sharing arrangements, yes. The key issue is making sure the agreement matches the real POPIA roles and the actual data flow.
Related guides
You may also want to read:
- GDPR Data Processing Agreement
- Data Processing Consent Form Guide
- Data Retention Policy Guide
- Privacy Policy Template
- Cookie Policy Guide
- Confidentiality Agreement Guide
- Service Agreement
- Terms and Conditions Template
A strong South African data sharing agreement should identify the parties’ POPIA roles properly, limit the sharing to a specific lawful purpose, set clear security and breach rules, and fit the real data flow instead of relying on vague generic wording.