Best Practices Checklist for Drafting a Data Sharing Agreement

With the rapid advancements in technology and the breadth of data available, public bodies, organizations, and agencies are increasingly sharing information to increase knowledge, conduct research, and inform policies and procedures about public issues.

In Ontario, data sharing between organizations is governed by privacy legislation such as the Personal Health Information and Protection Act (“PHIPA”) and Freedom of Information and Protection of Privacy Act (“FIPPA”). In some cases, it is a statutory requirement that a written data sharing agreement (“DSA”) be established between the parties to set out the terms and conditions under which information is shared:

  • to ensure compliance with applicable laws
  • to ensure the proper safeguards are implemented to prevent unauthorized use, collection and disclosure.

In any event, it is considered best practice that data partners develop a written DSA when sharing information to protect data.

What is in a DSA?

Data sharing can be complex depending on the data partners, type of information, and the flow of information. This is why a DSA must be carefully drafted to ensure that your organization is compliant with applicable privacy laws and that proper safeguards are in place to protect your information. If your organization is involved in the collection, use, and disclosure of information you should consider the following ten questions when drafting a DSA:

  1. Who are the parties that will be collecting, using, and disclosing data?
    • Who will be disclosing or receiving the data?
    • If governed under PHIPA, identify if the party is a:
      1. Health Information Custodian (“HIC”)
      2. Health Information Network Provider (“HINP”)
      3. Electronic Service Provider
      4. Prescribed Entity
      5. Prescribed Registry
      6. Agent
    • Under PHIPA, a party can wear multiple hats (e.g., a party can be both a HIC and a HINP and would have to comply with the obligations as set out in the Act).
    • Will there be a secondary use or disclosure of the data by the recipient?
  2. What is the purpose of data sharing between the parties?
    • If you are disclosing data, you must consider how the receiving party is going to use your data, and for what purpose.
    • No more data may be collected than is reasonably necessary to serve the purpose. It is important that DSAs make it clear why a party is collecting or using the data.
    • For example, some common purposes under PHIPA include:
      1. Research
      2. Planning, management and analysis of the health system
  3. What information is being shared?
    • Is it personal health information?
    • Is it personal information?
    • Is it de-identified data?
    • Is it other information that is not governed by privacy legislation?
    • Is the information going to be linked to other data sets?
  4. What is the legal authority for collection, use and disclosure of the data? What is the governing legislation?
    • Under what legislation are the parties able to collect, use, and disclose data? This is often dependent on who the party is, and what type of information is being shared.
  5. How will the data be shared between the parties?
    • Will the data be disclosed only from one party to another? Or will it be disclosed both ways?
    • Will there be third party disclosures?
    • It is often helpful to include a flow chart to illustrate how the data is being shared, especially in complex situations where there are multiple parties and uses.
  6. What are the data elements, data sets, time frame, and collection rationale?
  7. How will the data be transferred?
    • What secure method of transfer will be used? Will it be electronic or hard copies?
  8. What is the frequency of data transfer?
    • Is it a one-time disclosure or on-going disclosure (e.g., annual disclosure of information)?
  9. How will the data be retained or destroyed?
    • In some cases, the data is either returned to the originating party or destroyed after the DSA is terminated or has expired. This should be clearly stated in the DSA.
  10. What privacy and security safeguards does the receiving party have in place to ensure your data is protected against unauthorized use?
    • For example:
      1. Administrative Safeguards: Have in place robust policies and procedures governing authorized users’ collection, use and disclosure of data; establish privacy breach protocols; provide on-going privacy and security training; and monitor compliance.
      2. Technical Safeguards: Encryption for portable devices; strong passwords; firewalls; and anti-malware scanners.
      3. Physical Safeguards: Use alarm systems and lock rooms where equipment is used to send or receive information; keep portable devices in a secure location, such as a locked drawer or cabinet.

Note that this blog does not constitute legal advice – seek assistance from legal counsel. For assistance in drafting a data sharing agreement, please contact Pamela Seto at pseto@ddohealthlaw.com.

 

Procuring through a distributor: Set expectations early!

When procuring goods, our clients are sometimes faced with purchasing a good through a third-party distributor rather than directly from the manufacturer of the good. An indirect purchase through a distributor can be problematic from a contractual perspective if the distributor is not willing to take full responsibility for all aspects of providing the relevant good (e.g., the delivery, performance, installation, and maintenance of the good, as applicable). Distributors sometimes attempt to avoid providing all of the product representations and warranties that would routinely be provided by a manufacturer of goods. A distributor may be hesitant to provide warranties on a good that it has neither manufactured nor tested itself.

In some such situations, a distributor may seek to share the risks related to the supply of a good by requesting that the purchaser enter into separate agreements with each of the distributor and manufacturer. The agreement with the distributor would identify such things as the products being purchased, pricing, and delivery terms, while the agreement with the manufacturer would address such things as product warranties, specifications, and service or maintenance terms. In our experience, one of the primary difficulties of a two-contract approach in this type of arrangement is that, unless the risk allocation terms of the two contracts are very carefully drafted and responsibilities are clearly delineated, the purchaser may be left unclear as to which party is responsible for which obligations and risks. If something goes wrong, a purchaser could find itself in a situation in which all parties are pointing fingers at each other because the relevant contracts do not provide sufficient clarity as to which party bears responsibility for a particular type of damage.

The best case scenario from a purchaser’s perspective is for the purchaser to enter into only an agreement with the distributor, rather than agreements with both the distributor and manufacturer. This agreement with the distributor will require the distributor to take full responsibility for all risks related to the good and its supply to the purchaser. If the distributor wants the manufacturer to share responsibility for the good, then the distributor can enter into a separate agreement with the manufacturer to allocate risk between the distributor and manufacturer. This agreement would be separate and apart from the purchase agreement between the purchaser and distributor.

One solution that DDO has used to help avoid debate about what contractual arrangements will be utilized when purchasing through a distributor is to address this issue at the request stage of a procurement. If a purchaser requires, as a condition of participation in its RFP (or other requesting document, as applicable), the distributor to agree that it will be directly accountable to the purchaser for all risks and obligations related to the provision of the required good, then the purchaser can avoid having to negotiate this aspect of the contractual arrangements at a later stage in the procurement process. In this way we find that we can avoid some headaches related to a purchase through a distributor.

Drafting Research Funding Agreements

Innovations in health care are often the result of research and development initiatives. Such initiatives cannot be carried out without funding. Many broader public sector organizations that carry on health-related research in Ontario rely heavily on:

  • partnerships with private sector corporations; and
  • charitable donations from philanthropic individuals and organizations,

to fund their research activities.

If your broader public sector organization receives funds from corporate partners or charitable donors, then you should ensure that the agreements, through which your organization receives such funds, are properly drafted. If not drafted with some forethought, your organization could agree to contractual obligations that conflict with its legislative or regulatory requirements.

For example, a corporate partner that is providing funding to a public hospital for a research initiative may expect that the hospital will utilize the funder’s brand of equipment to carry out the research. However, the purchase of equipment by a public hospital in Ontario must be carried out in compliance with the Broader Public Sector Procurement Directive. A hospital cannot purchase a significant piece of equipment without abiding by fair and transparent procurement processes, unless the procurement falls within an exemption or circumstance of non-application under applicable procurement regulations.

If created with care, a funding agreement could be drafted in a manner that allows a purchasing organization to satisfy conditions imposed on the funds by a funder, while still allowing the purchasing organization to be in compliance with its procurement (and other regulatory) obligations. DDO would be happy to provide advice on options for drafting your organization’s funding agreements.

Ontario’s Fairness in Procurement Act, 2018

The Ontario government has responded to the “Buy American” policies enacted in the United States with the Fairness in Procurement Act, 2018, which is intended to protect Ontario-based businesses and suppliers.

The Act came into force on April 1, 2018. This Act reduces procurement opportunities for suppliers from “Offending American Jurisdictions”, which means a jurisdiction of the United States of America that has been designated by a regulation (“OAJ”). Ontario has the power to enact regulations to target those states that have adopted or enacted legislation that is discriminatory or prevents Ontario suppliers from participating or succeeding in procurement processes.

This Act applies to broader public sector entities such as hospitals, colleges, universities, and children’s aid societies, and any other entity prescribed by the regulation (“BPS Entities”), as well as government entities such as the Crown, public bodies, the Independent Electricity System Operator, and the Ontario Power Generation (“Government Entities”).

Broad Powers by the Government of Ontario under the Act

The objective of the Act is to defend the province’s economic interest and protect the interests of Ontarians and Ontario businesses. The Act provides broad powers to the Government of Ontario to respond proportionally to discriminatory procurement practices enacted by the United States.

If a supplier from an OAJ participates in an Ontario procurement process initiated by BPS Entities or Government Entities, that foreign supplier is subject to policies, sanctions, or requirements as set out in the regulations, such as:

  • Exclusion from participating or being awarded procurement contracts
  • Providing additional information to Government Entities or BPS Entities
  • Meeting additional requirements when participating in procurement processes
  • Proposals being subject to additional or more stringent evaluation criteria than applies to other proposals.

Such regulations would require Government Entities or BPS Entities to impose such measures on suppliers from OAJs. However, BPS Entities and Government Entities may obtain exemptions from the Act and its regulations.

The Act also grants broad powers to void a procurement contract if such contract or the procurement process contravenes the Act or a regulation made under the Act. It also stipulates that if there are any conflicts with any other legislation, the Act would prevail.

Under the Act, every regulation made under the Act must be reviewed at least once every four years after it is made until it is revoked.

If the OAJ removes offending policies and legislation, the responding regulation will be revoked by the Ontario government. For example, the Ontario government had initially sought public consultations for a proposed regulation responding to the policies enacted by Texas, restricting the use of iron and steel from Texas, related to any construction, remodeling, or altering of any building, structure, or infrastructure, or supply of material. However, the province has decided to not move forward with the proposed regulation in response to the positive advocacy efforts in Texas, which illustrates that the province will only take retaliatory actions against discriminatory procurement practices from OAJs.

O.REG 117/18: Suppliers from New York

Currently, O.REG 117/18 is the only regulation enacted under the Act. The regulation designates New York as an OAJ and governs procurement contracts related to structural iron entered into by suppliers from that state. This is in response to the New York Buy American Act, which prevents Ontario iron suppliers from participating in procurement for public works contracts for surface roads or bridges.

O.REG 117/18 does not apply to the BPS Entities. It applies only to Government Entities’ procurement processes for construction, reconstruction, alteration, repair, maintenance, or improvement of a surface road or bridge where the value of the contract is expected to be greater than $US1 million. The regulation prevents the procurement of any structural iron in the performance of a procurement contract and incorporation into any surface road or bridge from a supplier from New York.

What should Procuring Entities in Ontario Do?

Government Entities must review how O.REG 117/18 will impact their procurement policies and procedures. It is unclear how many more regulations will be passed under this Act, but if more American states enact “Buy American” policies, it can be expected that the Province of Ontario will respond proportionally by creating regulations to protect Ontario suppliers and businesses.

Procuring entities in Ontario must be diligent in keeping abreast of any current and proposed regulations to determine how they will affect their organization’s procurement policies and practices and to ensure compliance with the Act.

If you require assistance regarding your organization’s procurement policies and procedures or further information, please contact: Pamela Seto at pseto@ddohealthlaw.com.

The FHT/FHO Relationship: Put it in Writing

The relationship between a Family Health Team (“FHT”) and a Family Health Organization (“FHO”) is often difficult to understand and to navigate.

  • In theory, FHTs and FHOs operate and provide services to shared patients harmoniously while maintaining separate streams of business (e.g., each has separate employees, separate expenditures, separate lease agreements, etc.).
  • In practice, the division between the operation of a FHT and a FHO is complicated and entangled; often the two organizations share employees, expenditures, premises, policies, equipment, supplies, and leadership (e.g., Board of Directors).

With so much overlap, a clear and proper allocation of resources and expenses between the parties can be difficult, and many FHTs and FHOs choose to operate based on a verbal agreement as opposed to reducing their expectations to writing. The problem with verbal agreements is that they are unwritten and subject to each party’s recollection. Therefore, they lack clarity and certainty. They can change as personnel within the organizations change. And should a disagreement arise, they are worth very little in the midst of a dispute.

Why a written agreement is not only advisable but essential …

Consider implementing a written agreement as between your FHT and its affiliated FHO(s) for the following reasons:

  1. FHT Funding Agreement

Although it is not an express requirement of the FHT – Ministry of Health and Long-Term Care funding agreement (“Funding Agreement”) that the relationship between the FHT and the FHO be reduced to writing, in our opinion the expectation is that this is the case. The Funding Agreement requires:

  • FHTs to be “affiliated with” a FHO, and that each physician member of the FHO agrees to such affiliation. Without a written agreement in place, evidencing this requirement can be difficult.
  • Funds provided to the FHT via the Funding Agreement to be spent exclusively as budgeted and in carrying out the FHT’s service plan, with the implication being that such funds are not to be expended on FHO operations. A written agreement with clear mechanisms for reimbursement and division of expenditures as between the FHT and the FHO is highly recommended to evidence the FHT’s compliance with this funding requirement.
  2. Privacy Obligations

As health care providers, the FHT and the FHO are subject to privacy and security requirements under the Personal Health Information Protection Act (“PHIPA”). A source of confusion for many FHTs and FHOs is the designation of either or both as the “health information custodians” – being the party or individual who effectively “owns” the patient and the patient’s records. Unfortunately, the question usually arises following a privacy breach, and therefore, under the watchful eye of the Information and Privacy Commissioner of Ontario (“IPC”). The IPC in its decisions has made it clear that in multi-party health care settings (such as a clinic run by a FHT and a FHO), the parties need to formally and clearly document their relationship from a privacy perspective in order to establish roles and responsibilities for each. In the unfortunate occurrence of a privacy breach, you do not want to be in a position of finger-pointing as to who is responsible for your patient’s personal health information. The IPC is unlikely to entertain any such finger-pointing, and you can expect that there will be disagreement between the parties as to the terms of any purported verbal agreement.

  3. Clarity

As we have previously alluded to, clarity as between the rights and obligations of the FHT and the FHO is essential. Especially in times of conflict, the parties will need a clearly written agreement to govern their relationship and settle any disputes. A verbal agreement offers little certainty and often becomes the source of disagreement between the parties.

Next Steps

We have assisted many FHTs and FHOs in putting in place a written agreement to govern their unique relationship – from a services perspective and a privacy perspective. We would be happy to learn about your current verbal agreement and assist you in putting together a written agreement that is aligned with your legal obligations and your current practices. If you have a written agreement in place, consider whether it requires any updates in order to align it with your current practices.

If you have not turned your minds to who exactly is the health information custodian, as between the FHO, the physicians and the FHT, please call us immediately; leaving this unresolved is dangerous and untenable. Contact: mdeiana@ddohealthlaw.com.

Conducting Supplier Debriefings

The Broader Public Sector Procurement Directive entitles unsuccessful proponents participating in a procurement valued at $100,000 or more to a supplier debriefing. A debriefing is an opportunity for a proponent to:

  • discuss with the purchaser the strengths and weaknesses of the proponent’s submission in relation to the evaluation criteria of the procurement;
  • ask questions related to the procurement process; and
  • provide feedback on how the procurement process and the purchaser’s practices could be changed or improved.

A purchaser must include in the documents that initiate a procurement details about supplier debriefings, including the process by which a proponent can request a debriefing. A purchaser must provide proponents with at least 60 days following contract award notification to request a debriefing.

A debriefing should be a process that allows both the purchaser and a proponent to gain valuable input from the other. However, if not conducted properly, a debriefing could lead to additional questions or process-related challenges from a proponent, which would likely mean greater costs being incurred by the purchaser for staff time and legal fees.

To ensure that your organization carries out debriefings efficiently, effectively, and in keeping with applicable regulatory and contractual obligations, your debriefing processes should be formalized to ensure consistency and your staff should be educated on restrictions imposed by applicable procurement requirements and contractual obligations.

DDO is experienced in helping our clients to:

  • establish straight-forward and effective processes for addressing debriefing requests;
  • ensure that their staff are up-to-date on current legislative and regulatory requirements related to debriefings;
  • create an agenda for debriefings that will allow for consistency across debriefings and contribute to the (a) equitable treatment of proponents and (b) transparency of the process;
  • formalize document management and record-keeping procedures for debriefings;
  • train procurement staff on leading a debriefing and on identifying questions that are out of scope of a debriefing; and
  • educate staff on the confidentiality obligations that a purchaser owes to the proponents in a procurement process.

If you are interested in DDO providing your organization with advice on debriefings, or if you have any specific questions related to debriefings, please do not hesitate to reach out to me: mgleeson@ddohealthlaw.com