Data Sharing Agreement Template NZ: Protect Data Rights And Privacy Compliance

If your business shares information with another organisation (or receives it from one), you’re already dealing with legal risk - even if it feels like “just a spreadsheet” or “just a system integration”.

In New Zealand, a well-drafted data sharing agreement can help you stay compliant with the Privacy Act 2020, clarify who can do what with the data, and reduce the chance of costly disputes or privacy breaches.

This guide walks you through what a data sharing agreement template typically includes, when you need one, and how to make sure it actually protects your business (instead of giving you a false sense of security).

What Is A Data Sharing Agreement (And Why A Template Often Isn’t Enough)?

A data sharing agreement is a contract between two (or more) parties that sets out:

• what data is being shared,
• why it’s being shared,
• how it can be used, stored, accessed and disclosed, and
• what happens if something goes wrong (like a data breach or misuse).

Most small businesses start by searching for a data sharing agreement template because it feels like the fastest way to “tick the box”. That’s understandable - but it’s also where businesses get caught out.

Here’s the issue: a generic template usually can’t reflect your specific situation, such as:

• whether you’re sharing customer data, employee data, health information, or business contact lists,
• whether the data is going offshore (even just into cloud storage),
• whether you’re allowed to share the data at all under your privacy statements and customer terms,
• what security controls are actually in place (and who is responsible for them), and
• what your real operational process is when something goes wrong.

A good agreement is practical. It should match how your business actually works, while also setting clear legal standards your partner must follow.

As a related point, if you collect personal information from customers (even just names and emails), it’s important your outward-facing documents align too - like having a Privacy Policy that accurately describes what you collect and who you share it with.

When Do Small Businesses Need A Data Sharing Agreement?

You’ll usually want a data sharing agreement any time your business shares data with another organisation and you need rules around use, access, security, and accountability.

Common scenarios for NZ small businesses include:

• Marketing partnerships (sharing lead lists, customer segments, or campaign analytics)
• Software integrations (your app or website sending customer info to another tool)
• Outsourcing (a contractor or provider accessing your CRM, accounting system, or helpdesk)
• Joint ventures (two businesses collaborating and using shared customer or user data)
• Group structures (sharing data between related companies or brands)
• Referral arrangements (one business passing customer details to another)

“We’re Not Selling Data - We’re Just Sharing It”

Even if no money changes hands for the data, you can still have real legal exposure. For example, if you give another business access to your client list and they use it for their own marketing, you could face:

• customer complaints,
• investigations or enforcement action under privacy law (including by the Office of the Privacy Commissioner), and
• commercial fallout and reputational damage.

Data Sharing Vs Data Processing: Which Agreement Do You Need?

This is where many templates fall short, because the legal and commercial intent differs. “Sharing” and “processing” aren’t strict legal labels under the Privacy Act 2020, but they’re a useful way to think about risk and contract terms.

• Data sharing often means both parties will use the data for their own purposes (within agreed limits).
• Data processing is where one party handles data on behalf of the other (for example, hosting, analytics, customer support tools, payroll processing).

If you’re primarily engaging a service provider to handle personal information for you, a Data processing agreement may be more appropriate (or you may need both documents working together, depending on the relationship).

What Should A Data Sharing Agreement Template Include?

Every business arrangement is different, but a strong data sharing agreement in NZ commonly covers the following building blocks.

1. The Purpose Of Sharing (And Limits On Use)

This sounds obvious, but it’s one of the most important clauses.

Your agreement should clearly state:

• the permitted purpose(s) for using the data,
• what is not permitted (for example, marketing to the individuals, training AI models, creating lookalike audiences, on-selling, or merging into another database), and
• whether the recipient can combine the data with other datasets.

Without this, you might find the other party says, “You didn’t tell us we couldn’t.”

2. Exactly What Data Is Being Shared

Be specific. If you’re attaching a dataset, describe it. If it’s ongoing access (like API access), describe the categories of data.

You might list things like:

• names and contact details,
• purchase history,
• support tickets and correspondence,
• device identifiers and online identifiers,
• payment data (usually heavily restricted), and
• sensitive data (for example health information) which needs extra care.

It’s also smart to address whether the dataset includes children’s information, employee information, or information collected from third parties.

3. Roles And Responsibilities (Who Does What?)

A practical agreement makes it clear:

• who is responsible for collecting the data lawfully,
• who is responsible for responding to requests from individuals (like access or correction requests),
• who is responsible for security controls, and
• who pays the costs if there’s a breach or investigation.

In many arrangements, your data sharing agreement will sit alongside broader commercial terms - for example, if one party is providing technology or ongoing services, you may also need a tailored Service Agreement to cover fees, warranties, liability, and deliverables.

4. Security Standards And Access Controls

This section is often too vague in generic templates. “Each party will keep data secure” isn’t enough in real life.

Your agreement should cover security expectations such as:

• access controls (least privilege, role-based access, MFA),
• encryption (in transit and at rest, where relevant),
• secure transfer methods (and prohibiting personal email/USB storage),
• logging and monitoring,
• staff training and confidentiality obligations,
• subcontractor controls, and
• secure deletion processes.

If the data sharing happens through software systems or an integration, it may make sense to align this with your IT Service Agreement so your security and support obligations don’t conflict across documents.

5. Breach Notification And Incident Response

If there’s a data breach, time matters. Confusion about who does what can make the damage worse.

Your agreement should clearly state:

• what counts as a “breach” or “security incident”,
• how quickly the other party must notify you,
• what information they must provide (scope, affected individuals, steps taken),
• who leads communications (including to customers), and
• who decides whether notifications are made to regulators and affected individuals.

Many businesses also build this into an internal playbook so you’re not scrambling under pressure - a Data breach response plan can be a useful companion document.

6. Data Retention, Return, And Deletion

A common gap in a template is what happens at the end of the relationship.

Your data sharing agreement should address:

• how long the recipient can keep the data,
• whether they must return it, destroy it, or both,
• what happens to backups, logs, and archived copies, and
• whether they can keep de-identified or aggregated data (and under what conditions).

7. Confidentiality And IP (Yes, Data Can Be Commercially Sensitive)

Even where data isn’t “personal information”, it can still be valuable business information - pricing, supplier details, customer behaviour trends, and internal reporting.

That’s why data sharing agreements often include confidentiality provisions or sit alongside an Non-disclosure agreement, particularly where you’re sharing information during negotiations or early-stage collaboration.

You’ll also want to clarify:

• who owns the original data,
• who owns any new datasets created from it,
• who owns insights, outputs, reports, or analytics, and
• whether either party can use the data to develop competing products or services.

8. Liability, Indemnities, And Practical Remedies

This is where a data sharing agreement becomes a real risk-management tool.

Depending on the deal, you might include:

• limits of liability (and what types of loss are excluded),
• indemnities for privacy breaches caused by the other party’s acts or omissions,
• rights to suspend sharing if there’s a security concern, and
• audit rights (reasonable checks that the other party is complying).

This part needs careful drafting because it can significantly shift risk between the parties - and the “market standard” position varies depending on bargaining power and what’s actually being shared.

How Does The Privacy Act 2020 Affect Data Sharing In NZ?

If the information being shared is personal information (information about an identifiable individual), the Privacy Act 2020 is likely in play.

From a small business perspective, the key takeaway is simple: you can’t treat personal information like a free-flowing business asset. You need a lawful reason to collect it, use it, and disclose it - and you need to protect it.

Key Privacy Act Issues Your Agreement Should Support

While your data sharing agreement doesn’t replace compliance, it should help you put practical controls in place around key privacy obligations, including:

• Transparency: People should understand what’s happening with their information (often through your privacy statements and collection notices).
• Purpose limitation: Use and disclosure should connect to the reason the information was collected.
• Security safeguards: You must take reasonable steps to prevent loss, misuse, or unauthorised disclosure.
• Access and correction: Individuals have rights to request access to and correction of personal information.
• Overseas disclosures: If the other party (or their subcontractors) stores or accesses personal information outside NZ - including via cloud hosting - you may need to take additional steps to ensure the overseas recipient is subject to comparable privacy safeguards or contractual obligations, and that your disclosures align with what you’ve told individuals.

It can feel overwhelming, especially if you’re moving fast and trying to grow. But the goal isn’t perfection - it’s building a system that’s reasonable, well-documented, and consistent with what you tell your customers.

A Quick Reality Check: Are You Allowed To Share The Data?

Before signing anything, it’s worth stepping back and asking:

• Did you collect this information in a way that allowed you to share it?
• Have you told people (in plain language) that sharing could occur?
• Are you sharing only what’s necessary (data minimisation)?

If the answer is unclear, it’s a sign you should get advice early rather than trying to fix it after the fact.

How To Use A Data Sharing Agreement Template Safely (Without Creating More Risk)

A template can be a helpful starting point to understand what a data sharing agreement should cover. The risk is using it as a “set and forget” document.

If you’re going to start with a data sharing agreement template, here’s a safer way to approach it.

Step 1: Map Your Data Flow

Write down (even in a simple table):

• what data you will share,
• where it comes from (website form, POS, CRM, email list),
• who will access it,
• where it will be stored, and
• why it’s being shared.

This exercise usually exposes gaps quickly - for example, “We thought we were only sharing names and emails, but actually the integration sends purchase history too.”

Step 2: Decide Whether This Is Sharing Or Processing

If the other party is only acting on your instructions, you’ll likely need stronger “processor style” obligations.

If both parties want to use the data (even within limits), you’ll need a clearer framework around permitted uses, ownership and restrictions.

Step 3: Align Your Agreement With Your Customer-Facing Documents

If your agreement says the other party can use the data for marketing, but your customer-facing terms imply you won’t share it (or don’t mention sharing), you’ve created a compliance and trust issue.

This is where updating your privacy documentation and website terms often goes hand-in-hand with the contract.

Step 4: Don’t Leave Liability Clauses To Chance

Many templates are either:

• too harsh (so the other party won’t sign), or
• too soft (so you carry the risk if something goes wrong).

This is also where a quick legal review can save you money long term - a Contract review can help ensure your agreement matches the deal you’re actually doing, and that the risk sits where it should.

Step 5: Treat It As A Working Document

Data sharing arrangements change over time. New integrations get added, staff change, vendors change, and businesses grow.

Build in a process for reviewing the agreement periodically - especially if:

• the dataset expands,
• the data becomes more sensitive,
• you start storing data offshore, or
• your business model changes (for example, new products or new marketing channels).

Key Takeaways

• A data sharing agreement sets clear rules for how data is shared, used, stored, protected, and managed if something goes wrong.
• A data sharing agreement template can be a useful starting point, but it usually needs tailoring to reflect your actual data flows, security controls, and commercial deal.
• If personal information is involved, you need to think about Privacy Act 2020 compliance - including purpose limits, security safeguards, and transparency about disclosures.
• Strong agreements cover practical details like permitted use, security standards, breach notification, retention and deletion, and liability.
• Make sure your agreement aligns with your broader documents, like your Privacy Policy and any service or tech contracts connected to the relationship.
• If the arrangement is important (or the data is sensitive), getting a lawyer to review the document can reduce risk and prevent disputes later.

If you’d like help putting the right data sharing agreement in place (or reviewing a template you’ve been given), you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.