Part 3 of 3: Exchange, Processing, and Disposal of Data
After establishing the definitions and applicable regulations, the agreement should set out the expectations for data exchange, processing, and disposal. Depending on the sensitivity of the data, encryption in transit or in storage may be appropriate. The parties to an NDA often place restrictions on the processing of data once received, including the individuals or functions that will have access and whether the data may be reused for other activities such as testing or aggregation with other sources. Generally, business partners establish a "least privilege" model in which only those with a need to know have access, and only to perform the agreed-upon activities.
Confidentiality/Non-disclosure agreements (“NDAs”) discuss how and when non-public information can be shared between parties and how and when such information may be disclosed to third parties, if at all. Appropriately drafted NDAs focus on information that is valuable or protected and that is not already publicly available. The information should have commercial value (such as non-obvious technical information, confidential commercial information, or information that would be considered a trade secret); alternatively, an NDA may concern information in a party’s possession that, if disclosed to others, could expose the party to criminal or civil liability.