Legal instruments and agreements

In this reading guide, you will find a list of instruments and agreements to consider before collecting or sharing your data.  

An overview

During your research, you will have to deal with distinct parties that may have an interest in your data. Before you start your research, it is wise to think about drawing up the necessary documents which will make the conditions under which your data may be collected, used, processed and shared clear to all parties involved.   

An overview of possible instruments and agreements which apply during and after your research is presented in the image below. Pick the instrument or agreement you need and scroll down for a more elaborate description. 

Image with an overview of legal instruments and agreements for data management.

1. Instruments to assess the risks of data collection

Data Protection Impact Assessment (DPIA)


When: If you plan to collect or handle personal (privacy-sensitive) data.
What: During a Data Protection Impact Assessment (DPIA) you fill in a form that helps you identify privacy issues, and the measures needed to fix possible privacy problems, at an early stage.
The following models are recommended:

Before you start a DPIA, you can check if you are obliged to do so (in Dutch). You can also start with the Privacy Checklist that Utrecht University has issued. Following the steps will ensure that you are mostly prepared.

More information: See the guide 'Handling personal data', step 1.  

Data classification


When: If your data needs extra security measures. For instance, if it needs to be available for the long term after research, concerns privacy-sensitive data, or intellectual property rights are involved.
What: By filling in a form you will be able to assess what security measures your research data needs to ensure its Availability, Integrity and Confidentiality (AIC).
Example: Classification scheme by ITS, Utrecht University (login with SolisID required)

2. Instruments to determine the way data may be processed and accessed

Consortium agreement


When: If you are starting a research project with partners.
What: In a Consortium Agreement the intellectual property (ownership) of produced or gathered data is agreed upon, and agreement is reached on how these data are shared and used amongst partners during and after the project.
More information: How to draw up your consortium agreement (European Commission, February 2015).

Confidentiality agreement or Non-disclosure agreement (NDA)


When: If data is disclosed to a third party or person, such as student assistants who help collect data, and the information should not be used or spread at all.
What: It is a legally binding contract covering topics such as scope (who), the length of the non-disclosure and possibly penalties for breaches. It should be signed before sharing any data.
More information: Checklist: geheimhoudingsovereenkomst (NDA) from ICTRecht (only in Dutch).

Informed consent


When: If you collect personal data from participants. By law, informed consent from these participants is needed to process and further spread the data.
What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and envisaged use of the personal data, also in the future. Consent is limited to such descriptions and no use outside those areas is permitted. 

More information: See our guide on 'Informed consent for data sharing'.

Data transfer agreement


When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own purposes. A data transfer agreement is drawn up in situations where a risk exists that the data is inappropriately accessed or used.
What: In a data transfer agreement statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. It doesn't necessarily differ much from a processor agreement (see below).
Example: Data Transfer Agreement as used by the YOUth Cohort study of Utrecht University.

Processor agreement


When: When you ask a third party to process (including storing) your (personal) data and data is transferred between two legal entities.
What: In a processor agreement statements are made on how data may be handled, who has access and for what exact goal it can be used.


License

When: When data is made available for use to the general public.
What: A license states the conditions under which reuse is allowed. For instance, the license recommended by RDM support for non-sensitive data is Creative Commons BY (CC BY). This license allows reuse of the data, on the condition that the creators of the data are attributed. Other options are public domain (CC0), share alike (CC SA), non-commercial (CC NC) or no derivatives (CC ND).
Example: Creative Commons Licensing types.
More information: Read more about data licensing in our guide on 'Publishing and sharing data'.

User agreement


When: When data is made available for use to specific others (other than your collaborators), criteria for this use should be clear. The user usually has to agree (‘I agree’) with the terms and consequently gains access.
What: In a user agreement statements are made on the terms and conditions of use. Very strict usage terms can be set up for access to data for verification purposes only.

More information: See the Data use agreement FAQs of Stanford University.