How to Draft a Data Sharing Agreement That Actually Protects You
Most data sharing agreements are copy-pasted from a template someone found in 2019 and nobody has updated since. Here are the seven clauses that actually move the needle on liability — and the common mistakes to avoid.
1. Define "data" precisely
The worst data sharing agreements say "all information exchanged under this agreement is confidential data." Courts read this down because it's too broad. A better approach is to list categories: personal information as defined in the Privacy Act, financial records, tax documents, trade secrets, and proprietary business information. Specific is better than comprehensive.
2. Specify the purpose
The purpose clause limits what the receiving party can do with the data. "For the purposes of providing tax advisory services under the engagement letter dated X" is better than "for the purposes contemplated by this agreement." Any use outside the specified purpose is a breach, so specificity gives you enforcement leverage.
3. Sub-contractor controls
Most data breaches happen at the sub-contractor layer, not the primary recipient. Your agreement should say: any sub-contractor must be bound by equivalent confidentiality obligations, the recipient remains liable for sub-contractor breaches, and you have the right to approve or reject sub-contractors (at least for sensitive work).
4. Security controls
Don't just say "reasonable security." List the minimum controls: encryption in transit and at rest, access restricted to authorised personnel on a need-to-know basis, audit trails, two-factor authentication on admin accounts, breach notification within 24 hours. If the other party can't meet these controls, you'll find out at negotiation, not after a breach.
5. Data location
Specify where data can be stored and processed. "Within Australia only" is the cleanest for Privacy Act compliance. If international processing is necessary, list the specific countries and require the recipient to maintain privacy protections substantially similar to Australian law.
6. Breach notification
Your agreement should require the recipient to notify you of any actual or suspected breach within a specific timeframe (24 hours is common, 72 hours is the maximum you should accept). Notification should include: what data was affected, when the breach occurred, when it was discovered, what the recipient is doing to contain it, and what support they'll provide for your own notification obligations.
7. Return and destruction
At the end of the engagement, what happens to the data? The clause should require: return of all original documents, deletion of all copies (including backups), written certification of deletion, and the right to audit the destruction if needed. Most agreements skip this entirely, and the result is documents sitting in ex-advisors' systems years after the engagement ended.
Common mistakes
Three patterns appear again and again in weak agreements: liability caps that render the whole agreement toothless ("maximum liability is $1,000"), mutual confidentiality when only one party actually has confidential information to protect, and indefinite duration ("forever"), which most courts won't enforce beyond 5-7 years for routine commercial data.
This is general commentary, not legal advice. Run your specific agreement past a lawyer.