Legal instruments and agreements
During your research, you will have to deal with various parties that may have an interest in your data. Before you start your research, it is wise to draw up the necessary documents that make clear to all parties involved the conditions under which your data may be collected, used, processed and shared.
1. Privacy and security assessment
Privacy scan
When: Before you collect or handle personal (privacy-sensitive) data.
What: A privacy scan helps you plan all the privacy-related aspects of your project. For example, you describe which personal data you collect, which legal basis you use, with whom you will share the data, and how you will protect the data throughout your project. A privacy scan serves as a “light” version of a Data Protection Impact Assessment (see below), helps you plan your research in line with the General Data Protection Regulation (GDPR), and fulfills the Accountability requirement of the GDPR by documenting your workflow.
More information:
- You can find more information about privacy scans in the Data Privacy Handbook.
- The Faculty of Geosciences has created a privacy scan template here.
- If you have questions about your privacy scan or how it is implemented in your faculty, please contact your faculty privacy officer.
Data Protection Impact Assessment (DPIA)
When: If your use of personal data poses a high privacy risk for data subjects (e.g., participants), or when you are unsure about the privacy risks in your project. In the Data Privacy Handbook you can find examples of such high-risk scenarios.
What: A Data Protection Impact Assessment (DPIA) is always done together with the faculty privacy officer. It helps you identify the severity of privacy risks and specify measures to mitigate those risks. A DPIA is similar to a privacy scan but more in-depth; it is an official GDPR document that requires consultation with the university’s Data Protection Officer.
More information:
- You can find more information about DPIAs in the Data Privacy Handbook.
- Example templates for DPIAs are that of NOREA and of the Dutch government.
- If you are unsure whether a DPIA is necessary, or you want to start conducting a DPIA, please first contact your faculty privacy officer.
Data classification
When: To determine how secure the IT solutions you want to use for your data (e.g., for storage, analysis, sharing) should be, and which measures you should take to ensure proper data security.
What: In a data classification, you determine how important it is to keep data Confidential, correct (Integrity) and Available (CIA, in Dutch: BIV). Each of these three aspects is classified as low, basic, sensitive, or critical. The more impact a data breach would have, the higher the classification, and the stricter the security measures should be (e.g., a more secure storage platform, encryption, two-factor authentication, etc.).
More information:
- You can find more detailed information about Data classification levels in the Data Privacy Handbook.
- Get started with data classification via this intranet page from information security.
- For questions about data classification, please contact Information security.
2. Collaborating with others
For any type of agreement listed below, please contact your Research Support Office or faculty privacy office to ascertain that its contents are complete and correct, and to make sure that the correct person signs the agreement on behalf of the UU. You can also use the flowchart in the Data Privacy Handbook to help you determine which agreement you may need.
Confidentiality agreement or Non-disclosure agreement (NDA)
When: If data is disclosed to a third party or person, such as student assistants who help to collect data, and the data or information must not be used or spread further at all.
What: An NDA is a legally binding contract covering topics such as scope (who), the duration of the non-disclosure and possibly penalties for breaches, and should be signed before sharing any data. An NDA puts on record that the person has access to the data and has agreed not to share the data with others.
More information: You can find example NDA templates in the Data Privacy Handbook, or contact your faculty privacy office for help drafting an NDA.
Consortium agreement
When: If you are starting a research project with partners outside of UU.
What: In a Consortium agreement, all parties agree on the intellectual property (ownership) of produced or gathered data, and on how these data are shared and used amongst partners during and after the project. Usually, a consortium agreement will also need to contain information on how personal data are handled and by which party.
More information:
- How to draw up your consortium agreement (European Commission, 2020).
- Information about the privacy part of the consortium agreement is usually included in a joint controllers agreement. Ask your faculty privacy office for help drafting this.
Processing agreement
When: When a third party is going to process (e.g., store, analyse, share, transcribe) personal data on your behalf, without having their own research question and methods. This is often the case when you use tools, such as survey or storage platforms.
What: A processing agreement contains statements on how data may be handled and for how long, who has access and for what exact goal it can be used.
Examples:
- UU has processing agreements in place for a number of tools, see the UU Tool finders. If the tool you want to use is not listed, please contact Information security.
- There are UU templates on the intranet. Please always consult with your faculty privacy officer before using them.
3. Sharing data
Informed consent
When: If you collect personal data from participants and you cannot, or do not want to, rely on the legal basis of public interest.
What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and the envisaged use of the personal data, including future use. Consent is limited to such descriptions and no use outside those areas is permitted.
More information:
- See our guide How to write an informed consent form.
- You can use the RDM template for an information letter to precede the consent form.
- Don’t forget to consult the guidelines of your faculty’s ethical committee.
Data transfer agreement
When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own purposes. A data transfer agreement is used in situations where a risk exists that the data is inappropriately accessed or used.
What: In a data transfer agreement, statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. This way, it ensures that both parties are aware of their responsibilities and are bound to do what the agreement says.
Examples:
- Data Transfer Agreement as used by the YOUth Cohort study of Utrecht University.
- Health-RI template
Data License
When: When (meta)data is made available through publication in a (data) repository or archive, and there are no custom restrictions on reuse (see User agreement below). Without a license, the copyright of a dataset remains with the data creators and reuse is legally severely limited.
What: A license states the conditions under which reuse is allowed in a standard, structured way. For non-sensitive research datasets, the most commonly used licenses are Creative Commons Zero (CC0) and Creative Commons Attribution (CC-BY). CC0 means that there are no restrictions on reuse of the data whatsoever, whereas CC-BY means that any reuse is allowed, provided that there is attribution to the creators of the data. Creative Commons also has more restrictive options, such as share alike (CC-SA), non-commercial (CC-NC) or no derivatives (CC-ND). Recently, the Open Knowledge Foundation has formulated licenses specifically suited for data(bases). For example, OpenStreetMap uses the Open Database License. In practice, however, these licenses are not yet widely used in many existing data repositories.
More information:
- Guide to choosing a Creative Commons license
- Tool to find a suitable license for data or software
- Do you want to read more about licenses for research software? Check the blog here.
- Information about publishing code and software is available here.
User agreement
When: When data is made available under specific conditions that are not (sufficiently) described in standard licenses (a “custom license”). The user usually has to agree to the terms of the user agreement before gaining access.
What: A user agreement specifies the terms and conditions under which data can be (re)used. For example, it can have statements on attribution, use, and protection of personal data. User agreements are often used in data repositories (e.g., custom terms of use in DataverseNL) or as part of a Data Transfer Agreement.
Example:
- Example user agreements by the Donders Institute, Radboud University.