Legal instruments and agreements
In this reading guide, you will find a list of instruments and agreements to consider before collecting or sharing your data.
During your research, you will have to deal with distinct parties that may have an interest in your data. Before you start your research, it is wise to think about drawing up the necessary documents which will make the conditions under which your data may be collected, used, processed and shared clear to all parties involved.
An overview of possible instruments and agreements which apply during and after your research is presented in the image below. Pick the instrument or agreement you need and scroll down for a more elaborate description.
Data Protection Impact Assesment (DPIA)
When: If you plan to collect or handle personal (privacy-sensitive) data.
What: During a Data Protection Impact Assessment (DPIA) you fill in a form which helps you to assess privacy issues and resulting measures to fix possible privacy problems in an early stage.
The following models are recommended:
- Privacy Impact Assessement by the Rijksoverheid.
- Englisch translation of the Privacy Impact Assessement by the Rijksoverheid.
- Privacy Impact Assessment for Utrecht University (requires logging in with your Solis-id, based on an instrument by SURF).
Before you start a DPIA, you can check if you are obliged to do so (in Dutch). You can also start with the Privacy Checklist that Utrecht University has issued. Following the steps will ensure that you are mostly prepared.
More information: See the guide 'Handling personal data', step 1.
When: If your data needs extra security measures. For instance if it needs to be available for the long term after research, concerns privacy sensitive data, or intellectual property rights are involved.
What: By filling in a form you will be able to assess what security measures your research data needs to ensure its Availability, Integrity and Confidentiality (AIC).
Example: Classification scheme by ITS, Utrecht University (login with SolisID required)
When: If you are starting a research project with partners.
What: In a Consortium Agreement the intellectual property (ownership) of produced or gathered data is agreed upon, and agreement is reached on how these data are shared and used amongst partners during and after the project.
More information: How to draw up your consortium agreement (European commission, February 2015).
Confidentiality agreement or Non-disclosure agreement (NDA)
When: If data is disclosed to a third party or person, such as student assistants that help collect data, and the information should not be used or spread at all.
What: It is a legally binding contract with topics such as scope (who), length of the non-disclosure and possibly penalties for breaches and should be signed before sharing any data.
More information: Aandachtspunten geheimhoudings overeenkomst (NDA) van ICTRecht (Dutch).
When: If you collect personal data from participants. By law, informed consent from these participants is needed to process and further spread the data.
What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and envisaged use of the personal data, also in the future. Consent is limited to such descriptions and no use outside those areas is permitted.
- Declaration of consent by the Ethics assessment Committee Linguistics (EtCL) of the UiL OTS, Utrecht University;
- Informed consent forms (Dutch only) of FSW Faculty Ethics Review Board, Utrecht University (requires logging in with your Solis-ID);
- Consent forms by UK Data Service.
More information: See our guide on 'Informed consent for data sharing'.
Data transfer agreement
When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own causes. A data transfer agreement is recorded in situations where a risk exists that the data is inappropriately accessed or used.
What: In a data transfer agreement statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. It doesn't necessarily differ much from a processor agreement (see below).
Example: Data Transfer Agreement as used by the YOUth Cohort study of Utrecht University.
When: When you ask a third party to process (including storing) your (personal) data and data is transferred between two legal entities.
What: In a processor agreement statements are made on how data may be handled, who has access and for what exact goal it can be used.
When: When data is made available for use to the general public.
What: A license states the conditions under which reuse is allowed. For instance the recommended licence by RDM support for non-sensitive data is Creative Commons BY (CC BY). This license states it is allowed to reuse the data, under the restriction that there is attribution to the creators of the data. Other options are public domain (CC0), share alike (CC SA), non-commercial (CC NC) or no derivatives (CC ND).
Example: Creative Commons Licensing types.
More information: Read more about data licensing in our guide on 'Publishing and sharing data'.
When: When data is made available for use to specific others (other than your collaborators), criteria for this use should be clear. The user usually has to agree (‘I agree’) with the terms and consequently gains access.
What: In a user agreement statements are made on the terms and conditions of use. Very strict usage terms can be set up for access to data for verification purposes only.
- Data use agreements by Donders Institute, Radboud University
More information: See the Data use agreement FAQs of Stanford University.