Third Party Data Sharing Agreements with Government Entities

Government entities at the federal, state, and local level routinely exchange data with outside organizations — contractors, research institutions, nonprofit service providers, and commercial vendors — under formal data sharing agreements that govern what information moves, how it is protected, and who bears legal responsibility when something goes wrong. These instruments sit at the intersection of administrative law, privacy statute, and information security policy, which makes them among the most legally complex in public-sector contracting. This page covers the definition, structure, legal drivers, classification logic, inherent tensions, common misconceptions, and a reference matrix for practitioners and researchers working in this space.


Definition and scope

A third party data sharing agreement with a government entity is a formal legal instrument through which a government agency authorizes the transfer, access, or use of government-held data by an entity that is neither the originating agency nor the primary subject of the data. The "third party" in this context is the outside recipient — a university conducting federally funded research, a managed care organization administering Medicaid claims, a background-check vendor processing law enforcement records, or a state agency receiving federal program data.

Scope is defined by three axes: the category of data transferred (personally identifiable information, aggregate statistics, classified information, protected health information), the legal authority under which the transfer occurs, and the institutional relationship between the sharing agency and the recipient. The Privacy Act of 1974 (5 U.S.C. § 552a) establishes the foundational federal framework, permitting disclosure of records outside an agency only under 12 enumerated conditions — a "routine use" published in the Federal Register being the most commonly invoked. Outside the Privacy Act's direct scope, sector-specific statutes impose additional constraints: the Health Insurance Portability and Accountability Act (HIPAA, 45 C.F.R. Parts 160 and 164) governs health data held by covered entities contracting with agencies, and the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g) restricts how education agencies share student records even when reporting to federal sponsors.

For a broader treatment of how third-party relationships are categorized across civic and governmental contexts, the key dimensions and scopes of third-party relationships framework provides the underlying taxonomy.


Core mechanics or structure

Every operative data sharing agreement contains a defined set of structural components. The components vary in naming convention by agency, but the functional content is largely standardized across federal guidance issued by the Office of Management and Budget and NIST.

Data inventory and data dictionary. The agreement specifies exactly which data elements are transferred — field names, formats, and sensitivity classifications. Vague descriptions such as "enrollment records" are insufficient under Office of Personnel Management and HHS data governance guidance.

Legal authority clause. The instrument cites the specific statute, regulation, or routine use that authorizes the disclosure. A missing or incorrectly cited authority clause renders the agreement legally deficient and may expose the sharing agency to Privacy Act civil liability (5 U.S.C. § 552a(g)).

Purpose limitation. Recipient use of the data is restricted to the stated purpose. Secondary use — applying health records shared for a disease surveillance study to an unrelated commercial analysis, for example — is prohibited absent a separate authorization. NIST SP 800-188 addresses purpose limitation enforcement in federal data de-identification programs.

Security controls schedule. The agreement incorporates or references a security plan aligned to NIST SP 800-53 (Rev. 5) control families. For federal data, recipients must meet Federal Information Processing Standards (FIPS) Publication 199 categorization requirements before access is granted.

Incident response and breach notification obligations. The agreement specifies timelines for breach reporting back to the originating agency. OMB Memorandum M-17-12 established a 1-hour notification window for federal agency-to-agency breach reporting, a standard that typically flows down to third-party recipients through contract clauses.

Audit and inspection rights. The originating agency retains the right to audit the recipient's data handling practices. This clause is the enforcement backbone of the agreement.

Termination and data destruction. Upon agreement expiration or termination, the recipient must certify destruction or return of all transferred data and derivatives.


Causal relationships or drivers

The proliferation of formal data sharing agreements in the public sector is driven by four identifiable forces.

Statutory mandate and federal grant conditions. Federal grant programs frequently condition funding on data reporting that requires sharing arrangements. The Medicaid Analytic eXtract (MAX) program, administered by CMS, requires states to transmit claims data to federal systems under formal agreements as a condition of federal financial participation. The expansion of condition-based data mandates from roughly 12 major programs in the 1980s to well over 100 discrete federal data systems by the early 2000s (documented in GAO-14-44) directly accelerated agreement volume.

Court-ordered disclosure. Consent decrees and settlement agreements in civil rights or civil liberties litigation have compelled agencies to share data with court-appointed monitors or plaintiff organizations. These judicially mandated agreements follow standard structural elements but carry additional oversight terms.

Administrative modernization and interoperability policy. The Federal Data Strategy, launched under OMB's 2019 action plan, and the Foundations for Evidence-Based Policymaking Act of 2018 (Pub. L. 115-435) both incentivize cross-agency and agency-to-researcher data sharing, increasing the number of agreements in the federal portfolio.

Risk transfer and liability management. Agencies formalize agreements partly to document the legal chain of custody for data. When a breach occurs at a third-party recipient, the agreement's security schedule and liability clause determine whether the agency or the contractor bears remediation costs, which can exceed $4.45 million per incident on average (IBM Cost of a Data Breach Report 2023).


Classification boundaries

Not all instruments that move government data are data sharing agreements in the formal sense. Recognizing classification boundaries prevents confusion and mislabeling.

Data sharing agreement vs. data use agreement (DUA). A DUA is typically narrower — it governs use of a specific, already de-identified dataset and does not authorize raw record transfer. HHS's Office for Civil Rights distinguishes DUAs under the HIPAA Limited Data Set provision (45 C.F.R. § 164.514(e)) from broader Business Associate Agreements.

Data sharing agreement vs. memorandum of understanding (MOU). An MOU establishes intent and operating procedures between agencies. It is not a legally binding contract absent explicit consideration and authority. When an MOU contains specific data transfer provisions, those provisions must independently satisfy applicable privacy statutes.

Data sharing agreement vs. government contract data rights clause. Federal Acquisition Regulation (FAR) clauses such as FAR 52.227-14 govern intellectual property and data rights in procurement contracts. These clauses operate separately from Privacy Act authorities and do not substitute for a formal data sharing instrument when personally identifiable information is involved.

Inter-agency vs. extra-agency agreements. Intra-government agreements between federal agencies follow Computer Matching and Privacy Protection Act (5 U.S.C. § 552a(o)) requirements when matching personally identifiable records for benefit or compliance determinations. Agreements with non-governmental third parties — universities, nonprofits, commercial vendors — do not trigger the Computer Matching Act but are subject to routine use publication requirements.

For comparison of how first-party, second-party, and third-party data relationships differ in legal standing, see third party vs. first party vs. second party.


Tradeoffs and tensions

Data utility vs. privacy protection. De-identification reduces re-identification risk but degrades analytical value. Researchers requiring individual-level longitudinal records press for minimal de-identification; privacy advocates and agency counsel push for full anonymization. NIST SP 800-188 and the HHS Expert Determination standard under 45 C.F.R. § 164.514(b) represent competing technical thresholds that are difficult to reconcile across agency programs.

Interoperability mandates vs. statutory disclosure restrictions. The Foundations for Evidence-Based Policymaking Act's Title III (the OPEN Government Data Act) directs agencies to make data available for evidence-building. That directive conflicts with disclosure restrictions in 26 U.S.C. § 6103 (IRS return information), 13 U.S.C. § 9 (Census Bureau data), and 38 U.S.C. § 5701 (veterans' records). Agencies must resolve these conflicts statute by statute, creating inconsistent interoperability across the federal enterprise.

Speed of administrative modernization vs. legal risk tolerance. Cloud-based data platforms, API-driven data access, and automated matching engines outpace the legal review cycles required to execute formal agreements. Agencies piloting real-time data pipelines with third parties frequently find that agreement infrastructure — legal review, privacy impact assessments, system of records notice publication — takes 6 to 18 months to complete, while technical deployment takes weeks.

State sovereignty and federal data conditions. States receiving federal program data through third-party administrators in public benefits programs must comply with federal data governance requirements as a condition of participation, even when those requirements conflict with state privacy statutes. This creates a layered compliance burden that smaller state agencies struggle to manage.


Common misconceptions

Misconception: A non-disclosure agreement is equivalent to a data sharing agreement.
An NDA restricts disclosure of confidential information but does not constitute authorization under the Privacy Act or HIPAA. Agencies that rely on NDAs alone without a compliant data sharing instrument are operating outside statutory authority.

Misconception: Publicly available government data requires no agreement.
Data that is technically available through a public records portal may still carry re-use restrictions. Bureau of Labor Statistics data, for example, is published under terms that prohibit certain commercial re-licensing arrangements. The Freedom of Information Act (5 U.S.C. § 552) creates a right of access but does not preempt downstream restrictions on use or combination.

Misconception: De-identified data carries no legal obligations.
Research in computational re-identification has demonstrated that 87 percent of the U.S. population can be uniquely identified using only ZIP code, birth date, and sex (work cited in Sweeney, L., 2000, Technology Science). Agencies and researchers who treat de-identified datasets as fully exempt from data governance obligations underestimate re-identification risk, particularly for rare disease or small geographic-area records.
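To make the re-identification point concrete, and to show the utility-versus-privacy tradeoff described under Tradeoffs and tensions, the following added example (not from this page or the cited research) computes k-anonymity and the share of unique records over a constructed extract at three generalization levels. The records, the level names and the `dx` field are constructed for illustration only.

```python
from collections import Counter

# Constructed sample extract (fictitious records, not real people): direct
# identifiers already removed, but ZIP code, birth date and sex retained.
RECORDS = [
    {"zip": "02139", "dob": "1961-07-04", "sex": "F", "dx": "A"},
    {"zip": "02139", "dob": "1961-07-04", "sex": "F", "dx": "B"},
    {"zip": "02139", "dob": "1958-11-23", "sex": "M", "dx": "A"},
    {"zip": "02140", "dob": "1972-01-15", "sex": "M", "dx": "C"},
    {"zip": "02141", "dob": "1972-01-15", "sex": "M", "dx": "A"},
    {"zip": "02142", "dob": "1985-03-30", "sex": "F", "dx": "B"},
]

# Generalization levels (constructed names): each maps a record to the
# quasi-identifier tuple a linkage attack would match on.
LEVELS = {
    "raw":       lambda r: (r["zip"], r["dob"], r["sex"]),
    "zip3+year": lambda r: (r["zip"][:3], r["dob"][:4], r["sex"]),
    "zip3+sex":  lambda r: (r["zip"][:3], r["sex"]),
}

def equivalence_classes(records, level="raw"):
    """Count records sharing the same generalized quasi-identifier tuple."""
    return Counter(LEVELS[level](r) for r in records)

def k_anonymity(records, level="raw"):
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(equivalence_classes(records, level).values())

def unique_fraction(records, level="raw"):
    """Share of records that are the sole member of their class (re-identifiable by linkage)."""
    classes = equivalence_classes(records, level)
    return sum(1 for n in classes.values() if n == 1) / len(records)

def ladder(records):
    """k and unique share at each level: privacy rises as tuples coarsen, analytic detail falls."""
    return {lvl: (k_anonymity(records, lvl), unique_fraction(records, lvl)) for lvl in LEVELS}

if __name__ == "__main__":
    for lvl, (k, frac) in ladder(RECORDS).items():
        print(f"{lvl:10s} k={k} unique={frac:.0%}")
```

With names stripped but raw ZIP, birth date and sex kept, four of the six records are still unique; only once birth date is dropped entirely does every record share its tuple with at least two others, at the cost of any age-based analysis.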

Misconception: Federal data sharing rules automatically preempt state law.
Federal statute preemption is narrowly construed. HIPAA explicitly does not preempt state privacy laws that are more protective (45 C.F.R. § 160.203). State-level equivalents of the Privacy Act — California's Information Practices Act (Civil Code § 1798), for example — impose independent obligations on state agencies and their contractors that federal agreement templates do not satisfy.

The broader landscape of federal privacy protections applicable to third parties is covered at third party privacy rights under federal law.


Checklist or steps (non-advisory framing)

The following sequence reflects the standard components that federal agency guidance — including OMB Circular A-130 and NIST SP 800-188 — identifies as necessary for a compliant third-party data sharing agreement. This is a documentation and verification sequence, not legal counsel.

Step 1 — Legal authority identification
- Identify the specific statutory or regulatory authority authorizing disclosure
- Confirm that a routine use covering the intended disclosure has been published in the Federal Register, or that another enumerated exception applies
- Verify that applicable sector-specific statutes (HIPAA, FERPA, 26 U.S.C. § 6103, etc.) do not impose additional barriers

Step 2 — Data inventory and classification
- Enumerate every data element to be transferred by field name
- Assign FIPS 199 sensitivity category (Low, Moderate, High) to each element
- Document whether the dataset contains personally identifiable information, protected health information, or controlled unclassified information

Step 3 — Privacy impact assessment (PIA)
- Complete a PIA per OMB Circular A-130, Appendix II
- Confirm or update the System of Records Notice (SORN) to reflect the new sharing arrangement
- Obtain agency Privacy Officer sign-off

Step 4 — Security plan alignment
- Require recipient to submit a System Security Plan (SSP) aligned to NIST SP 800-53 Rev. 5
- Conduct or accept an independent third-party security assessment if data sensitivity is Moderate or High
- Confirm encryption standards meet FIPS 140-2 or FIPS 140-3 for data in transit and at rest

Step 5 — Agreement drafting and review
- Draft agreement with purpose limitation, permitted use, prohibited use, and retention schedule clauses
- Include breach notification timeline clause (reference OMB M-17-12 for federal standards)
- Route for legal counsel, Privacy Officer, CISO, and program office review

Step 6 — Execution and recordkeeping
- Obtain signatures from authorized signatories at both agency and recipient
- File executed agreement in agency records management system
- Schedule annual compliance review date

Step 7 — Ongoing oversight
- Conduct annual audits of recipient data handling practices
- Require annual recertification of data inventory and security controls
- Initiate agreement modification if scope, data elements, or authority basis changes

Third-party oversight and accountability frameworks address the institutional mechanisms that agencies use to enforce agreement terms after execution. The full landscape of third-party roles in the civic and governmental domain is indexed at thirdpartyauthority.com.


Reference table or matrix

| Agreement Type | Primary Legal Authority | Data Category | Key Restriction | Enforcement Body |
|---|---|---|---|---|
| Privacy Act Routine Use Agreement | 5 U.S.C. § 552a(b)(3) | Federal agency PII | Purpose must match published routine use | Agency Privacy Officer; DOJ |
| HIPAA Business Associate Agreement | 45 C.F.R. §§ 164.502(e), 164.504(e) | Protected Health Information | BAA required before any PHI disclosure to contractor | HHS Office for Civil Rights |
| HIPAA Limited Data Set / DUA | 45 C.F.R. § 164.514(e) | De-identified PHI with some direct identifiers removed | DUA required; direct identifiers stripped per standard | HHS Office for Civil Rights |
| FERPA Data Sharing Agreement | 20 U.S.C. § 1232g; 34 C.F.R. Part 99 | Student education records | Written consent or enumerated exception required | ED Student Privacy Policy Office |
| Computer Matching Agreement | 5 U.S.C. § 552a(o) | Federal PII used for benefit/compliance matching | Data Integrity Board approval required | OMB; agency Data Integrity Board |
| IRS Return Information Agreement | 26 U.S.C. § 6103 | Federal tax return data | Strict enumerated disclosure exceptions only | I |

References