Legal instruments and agreements

In this reading guide, you will find a list of instruments and agreements to consider before collecting or sharing your data.  

An overview

During your research, you will have to deal with distinct parties that may have an interest in your data. Before you start your research, it is wise to think about drawing up the necessary documents which will make the conditions under which your data may be collected, used, processed and shared clear to all parties involved.   

An overview of possible instruments and agreements which apply during and after your research is presented in the image below. Pick the instrument or agreement you need and scroll down for a more elaborate description. 

Image with an overview of legal instruments and agreements for data management.

1. Instruments to assess the risks of data collection

Data Protection Impact Assesment (DPIA)
Icon of a fingerprint

When: If you plan to collect or handle personal (privacy-sensitive) data.
What: During a Data Protection Impact Assessment (DPIA) you fill in a form which helps you to assess privacy issues and resulting measures to fix possible privacy problems in an early stage. 

Before you start a DPIA, you can check if you are obliged to do so (in Dutch). You can also start with the Privacy Checklist that Utrecht University has issued. Following the steps will ensure that you are mostly prepared.

More information: See the guide 'Handling personal data', step 1.  

Data classification
Icon of a classification

When: If your data needs extra security measures. For instance if it needs to be available for the long term after research, concerns privacy sensitive data, or intellectual property rights are involved.
What: By filling in a form you will be able to assess what security measures your research data needs to ensure its Availability, Integrity and Confidentiality (AIC).
Example: Classification scheme by ITS, Utrecht University (login with SolisID required)

More information on data classification

Research data (personal or not) must be carefully secured against loss, theft and tampering. As part of Utrecht University's Information Security Policy, you are asked to classify your data. Classifying data is a practical means by which to apply neither too little nor too much protection. Based on a set of questions, you determine the value of your data as well as the security risks this data is exposed to. This allows you to reach a conclusion about the impact a data breach of your data could have. More information on data classification can be found on the intranet. You can go through the classification process yourself. If you need help, contact the data classification contact person from your faculty. This is generally the Local Information Security Manager (LISM), but you can also get help from the University's Corporate Information Security Officer (CISO) via

The extensive data classification procedure involves three security aspects of the data:

  1. Availability
    concerns whether authorised users have timely access to the data at the right times
  2. Integrity
    refers to whether the data is correct and complete and whether only authorised users can make changes to the data
  3. Confidentiality
    relates to whether the data is only accessible for authorised users.

You can then consult a matrix to find the corresponding measures you should take in order to properly protect your data. This could entail data encryption, two-factor access control, the need for an additional backup, auditing or detection of unauthorised changes.

2. Instruments to determine the way data may be processed and accessed

Consortium agreement
Icon of a puzzle

When: If you are starting a research project with partners.
What: In a Consortium Agreement the intellectual property (ownership) of produced or gathered data is agreed upon, and agreement is reached on how these data are shared and used amongst partners during and after the project.
More information: How to draw up your consortium agreement (European commission, February 2015).

Confidentiality agreement or Non-disclosure agreement (NDA)
Icon of a person holding a finger to his mouth

When: If data is disclosed to a third party or person, such as student assistants that help collect data, and the information should not be used or spread at all.
What:  It is a legally binding contract with topics such as scope (who), length of the non-disclosure and possibly penalties for breaches and should be signed before sharing any data.
More information: Aandachtspunten geheimhoudings overeenkomst (NDA) van ICTRecht (Dutch).

Informed consent
Icon of two hands shaking

When: If you collect personal data from participants. By law, informed consent from these participants is needed to process and further spread the data.
What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and envisaged use of the personal data, also in the future. Consent is limited to such descriptions and no use outside those areas is permitted. 

More information: See our guide on 'Informed consent for data sharing'.

Data transfer agreement
Icon with arrows

When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own causes. A data transfer agreement is recorded in situations where a risk exists that the data is inappropriately accessed or used. 
What: In a data transfer agreement statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. It doesn't necessarily differ much from a processor agreement (see below). 
ExampleData Transfer Agreement as used by the YOUth Cohort study of Utrecht University.

Processor agreement
Icon with arrows

When: When you ask a third party to process (including storing) your (personal) data and data is transferred between two legal entities.
What: In a processor agreement statements are made on how data may be handled, who has access and for what exact goal it can be used.

Note: please contact Legal Affairs for finalising the agreement.

Icon with two C's in a circle

When: When data is made available for use to the general public.
What: A license states the conditions under which reuse is allowed. For instance the recommended licence by RDM support for non-sensitive data is Creative Commons BY (CC BY). This license states it is allowed to reuse the data, under the restriction that there is attribution to the creators of the data. Other options are public domain (CC0), share alike (CC SA), non-commercial (CC NC) or no derivatives (CC ND).
Example: Creative Commons Licensing types.
More information: Read more about data licensing in our guide on  'Publishing and sharing data'.

User agreement
Icon with an arrow pointing to a sentence in a box which reads I agree

When: When data is made available for use to specific others (other than your collaborators), criteria for this use should be clear. The user usually has to agree (‘I agree’) with the terms and consequently gains access.
What: In a user agreement statements are made on the terms and conditions of use. Very strict usage terms can be set up for access to data for verification purposes only.

More information: See the Data use agreement FAQs of Stanford University.