Legal instruments and agreements
During your research, you will have to deal with distinct parties that may have an interest in your data. Before you start your research, it is wise to think about drawing up the necessary documents which will make the conditions under which your data may be collected, used, processed and shared clear to all parties involved.
1. Privacy and security assessment
When: Before you collect or handle personal (privacy-sensitive) data.
What: A privacy scan helps you plan all the privacy-related aspects of your project. For example, you describe which personal data you collect, which legal basis you use, with whom you will share the data, and how you will protect the data throughout your project. A privacy scan serves as a “light” version of a Data Protection Impact Assessment (see below), plan your research in line with the General Data Protection Regulation (GDPR), and fulfill the Accountability requirement of the GDPR by documenting your workflow.
Data Protection Impact Assessment (DPIA)
When: If your use of personal data poses a high privacy risk for data subjects (e.g., participants), or when you are unsure about the privacy risks in your project. In the Data Privacy Handbook you can find examples of such high-risk scenarios.
What: A Data Protection Impact Assessment (DPIA) is always done together with the faculty privacy officer. It helps you identify the severity of privacy risks and specify measures to mitigate those risks. A DPIA is similar to a privacy scan, but more in-depth, and an official GDPR document that requires consultation with the university’s Data Protection Officer.
When: To determine how secure the IT solutions should be that you want to use for your data (e.g., for storage, analysis, sharing), and which measures you should take to ensure proper data security.
What: In a data classification, you determine how important it is to keep data Confidential, correct (Integrity) and Available (CIA, in Dutch: BIV). Any of these three aspects is classified as low, basic, sensitive, or critical. The more impact a data breach would have, the higher the classification, and the more tight the security measures should be (e.g., a more secure storage platform, encryption, two-factor authentication, etc.).
2. Collaborating with others
For any type of agreement listed below, please contact your Research Support Office to ascertain that its contents are complete and correct, and to make sure that the correct person signs the agreement on behalf of the UU. You can also use the flowchart in the Data Privacy Handbook to help you determine which agreement you may need.
Confidentiality agreement or Non-disclosure agreement (NDA)
When: If data is disclosed to a third party or person, such as student assistants who help to collect data, and any data or information should not be used or spread at all.
What: An NDA is a legally binding contract with topics such as scope (who), length of the non disclosure and possibly penalties for breaches, and should be signed before sharing any data. An NDA will make sure that the person stated on record that they have access to the data and have agreed not to share the data with others.
More information: You can find example NDA templates in the Data Privacy Handbook.
When: If you are starting a research project with partners outside of UU.
What: In a Consortium agreement, all parties agree on the intellectual property (ownership) of produced or gathered data, and on how these data are shared and used amongst partners during and after the project. Usually, a consortium agreement will also need to contain information on how personal data are handled and by which party.
When: When a third party is going to process (e.g., store, analyse, share, transcribe) personal data on your behalf, without having their own research question and methods. This is often the case when you use tools, such as survey or storage platforms.
What: A processing agreement contains statements on how data may be handled and for how long, who has access and for what exact goal it can be used.
3. Sharing data
When: If you collect personal data from participants and you cannot, or do not want to, rely on the legal basis of public interest.
What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and envisaged use of the personal data, also in the future. Consent is limited to such descriptions and no use outside those areas is permitted.
Data transfer agreement
When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own purposes. A data transfer agreement is used in situations where a risk exists that the data is inappropriately accessed or used.
What: In a data transfer agreement, statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. This way, it ensures that both parties are aware of their responsibilities and are bound to do what the agreement says.
When: When (meta)data is made available through publication in a (data) repository or archive, and there are no custom restrictions to reuse (see User agreement below). Without a license, the copyright of a dataset remains with the data creators and reuse is legally severely limited.
What: A license states the conditions under which reuse is allowed in a standard, structured way. For non-sensitive research datasets, the most commonly used licenses are Creative Commons – Zero (CC0) and Creative Commons - BY (CC-BY). CC0 means that there are no restrictions on reuse of the data whatsoever, whereas CC-BY means that any reuse is allowed, provided that there is attribution to the creators of the data. Creative Commons also has more restrictive options, such as share alike (CC-SA), non-commercial (CC-NC) or no derivatives (CC-ND). Recently, the Open Knowledge Foundation has formulated licenses specifically suited for data(bases). For example, OpenStreetMap uses the Open Database License. In practice, however, these licenses are not yet much used in many existing data repositories.
When: When data is made available under specific conditions, that are not (sufficiently) described in standard licenses (a “custom license”). The user usually has to agree with the terms of the user agreement and consequently gains access.
- Example user agreements by the Donders Institute, Radboud University.