Policies, codes of conduct and laws

This reading guide offers an overview of relevant data policies, codes of conduct, laws and protocols regarding research data management.


Guide on policies, codes of conduct and laws


  1. Codes of conduct, policies and guidelines
  2. Utrecht University faculty data protocols
  3. Sharing privacy-sensitive data
  4. Data ownership and reuse rights 



1. Codes of conduct, policies and guidelines

Important points from relevant frameworks, codes of conduct and guidelines are highlighted below. Between brackets, the issuing organisation is noted. UU means Utrecht University. 

Code for Scrupulous Academic Practice and Integrity (UU)

The 'Code of Conduct for Scrupulous Academic Practice and Integrity at Utrecht University' was adopted at the beginning of July 2014. By signing their appointment letter, new employees promise to adhere to the code. The following point is relevant for research data management:

6. Researchers at Utrecht University are transparent in the way in which data is stored and research results are achieved.

University Policy Framework for Research Data (UU)

At Utrecht University, it is important that all researchers honour scientific standards, including the meticulous and ethical treatment of research data. Utrecht University's requirements and expectations in this regard have been established by an administrative order in the University Policy Framework for Research Data which took effect as of 1 January 2016. 

This policy is intended to set out parameters to safeguard the quality, availability and accessibility of research data within Utrecht University and to provide a basis for evaluating compliance with laws, regulations and codes of conduct. The policy also clarifies the various roles and responsibilities of university staff in managing research data. 

Section 4: 'Basic premises and principles' and Section 5: 'Roles and responsibilities' are relevant to read. Some striking points: 

  • Archived research data are to be made available for access and reuse at and outside Utrecht University insofar as is reasonably possible and subject to the proper precautionary measures;
  • Archived research data are to be stored in a structure that is suitable for long-term preservation and later consultation;
  • The full set of research data connected with a research project are to be retained upon its conclusion insofar as relevant for the verifiability of the research;
  • Archived research data are to be retained for a minimum of ten years, commencing from the date that the research results are published;
  • The research data will be provided with metadata to describe the data with sufficient clarity to ensure they are findable for further research;
  • Exclusive rights to reuse or publish research data are not to be transferred to commercial publishers or their representatives without retention of the right to provide open access to the data for the purpose of reuse, except where such transfer is a condition for awarding funds;
  • It is the responsibility of each individual researcher (or, in the case of a group of researchers, the research leader) to draw up a Data Management Plan (DMP) at the start of the research project and to follow up the agreements made in this plan;
  • Researchers are obliged to factor in the costs for the preservation and management of the research data in research proposals and grant applications.


Information Security Policy (UU)

How the university handles the protection of information is recorded in the University Information Security Policy (dating from November 2015). This policy is available on the university's intranet.

The Information Security Policy is described in four parts. One of the parts considers data classification (in the classes public, basic, sensitive or critical). On page 3 of that part it says:

"Not all information and information systems need an equal level of security. Some information may simply be publicly available, while other information is (privacy-)sensitive. For the latter category, depending on the nature of this information, stricter security measures apply."

"By classifying information and information systems, measures to ensure optimal availability, integrity and confidentiality can be determined in a relatively quick way. These measures are not only necessary because of University requirements and interests in these areas, but are sometimes also required to meet legal obligations. Consider, for example, the Wet Bescherming Persoonsgegevens (Wbp, Personal Data Protection Act) or its future replacement, the General Data Protection Regulation."

The Netherlands Code of Conduct for Research Integrity (VSNU, 2018)

When a researcher is appointed at the university, he or she must declare that they know 'The Netherlands Code of Conduct for Research Integrity' (VSNU, 2018) and will act accordingly. With regard to research data the following points are relevant:

2 Principles

2.3 Transparency

Transparency means, among other things, ensuring that it is clear to others what data the research was based on, how the data were obtained, what and how results were achieved and what role was played by external stakeholders. If parts of the research or data are not to be made public, the researcher must provide a good account of why this is not possible. It must be evident, at least to peers, how the research was conducted and what the various phases of the research process were. At the very least, this means that the line of reasoning must be clear and that the steps in the research process must be verifiable.

3 Standards for good research practices

3.2 Design

10. As necessary, describe how the collected research data are organized and classified so that they can be verified and reused.

13. Ensure that the required permissions are obtained and that, where necessary, an ethical review is conducted.

3.3 Conduct

23. Describe the data collected for and/or used in your research honestly, scrupulously and as transparently as possible.

24. Manage the collected data carefully and store both the raw and processed versions for a period appropriate for the discipline and methodology at issue.

25. Contribute, where appropriate, towards making data findable, accessible, interoperable and reusable in accordance with the FAIR principles.

3.4 Reporting Results

35. Be transparent about the method and working procedure followed and record them where relevant in research protocols, logs, lab journals or reports. The line of reasoning must be clear and the steps in the research process must be verifiable. This usually means that the research must be described in sufficient detail for it to be possible to replicate the data collection and its analysis.

45. As far as possible, make research findings and research data public subsequent to completion of the research. If this is not possible, establish the valid reasons for this.

Standard Evaluation Protocol, 2015-2021 (KNAW)

The Standard Evaluation Protocol (SEP) of the KNAW describes the goals and methods of research assessment at Dutch universities, NWO and Academy institutes. The following points are relevant with regard to research data management:

2.4. Research integrity
The assessment committee considers the research unit’s policy on research integrity and the way in which violations of such integrity are prevented. It is interested in how the unit deals with research data, data management and integrity, and in the extent to which an independent and critical pursuit of science is made possible within the unit. The assessment committee bases its assessment on how the research unit itself describes its internal research culture. The research unit undergoing assessment responds to a number of questions in the self-assessment, described in the format provided in Appendix D. The unit should use these questions to reflect on its own data management practices, the level of internal research integrity, and the transparency of its research culture. The assessment committee discusses these points during the site visit, comments on this in its report, and makes recommendations for improvement.

Appendix D
This is a self-assessment format for a research unit. The section on research integrity includes the following relevant aspects:

a. the degree of attention given to integrity, ethics, and self-reflection on actions (including in the supervision of PhD candidates);
b. the prevailing research culture and manner of interaction;
c. how the unit deals with and stores raw and processed data;
d. the unit’s policy on research results that deviate flagrantly from the prevailing scientific context;
e. any dilemmas (for example of an ethical nature) that have arisen and how the unit has dealt with them.

Collective labour agreement (CAO) of Dutch Universities (VSNU)

'The Collective labour agreement (CAO) of Dutch Universities' is a collective agreement about employment conditions. Individual employment contracts may refer to the CAO. A number of articles from the CAO are (indirectly) important for research data.
Articles 1.20 to 1.23 deal with (patentable) inventions. There is a duty to report and the rights must be transferred to the UU on request. This also applies in case the employee produces another copyrighted work. Do note that research data are only protected by copyright in specific cases (see 'The legal status of raw data: a guide for research practice' (SURF)).

Article 1.17 Liability and compensation
1. An employee who, in the performance of his duties, causes damage to the institution or to a third party to whom the institution is obliged to pay compensation for that damage shall not be held liable for this, unless the damage was caused deliberately or was a result of conscious recklessness.

A 'leak' of privacy-sensitive data may be considered as damage in such cases.

Article 1.19 Employees’ obligations pursuant to third-party agreements
If rules have been set up pertaining to agreements between the university and third parties, an employee who participates in the implementation of such an agreement is obliged to behave in accordance with both the rules and the substance of the agreement in question.

Contracts with financiers or companies that make demands on the use of the research data may be applicable here.

Criminal code, article 225 (Dutch government)

It is (of course) forbidden to forge or misrepresent data and then share it with others. The Criminal code (Wetboek van Strafrecht), article 225 says: 

"He who falsely prepares or falsifies a document intended to serve as proof of any fact, with the intent to use real and unadulterated or to make others use, is punished as guilty of forgery, with a term of imprisonment not exceeding six years or a fine of the fifth category."

2. Utrecht University faculty data protocols

According to the 'University Policy Framework for Research Data', deans have to draw up faculty guidelines and ensure that research institute directors implement both the University Policy Framework and the faculty guidelines.

Below, currently available faculty data protocols are presented. 

Data protocol, Faculty of Social and Behavioural Sciences

The Faculty of Social and Behavioural Sciences has two protocols.

Protocol for handling research data before and during research
Ethical review is requested at the start of a new research project, but in any case, before the data collection takes place. Every research project has to be registered in PRIDE, the online registration tool for ethics, privacy and data management. To submit a research protocol to the Faculty Ethics Review Board (FERB), researchers fill out the questionnaire in PRIDE.

Protocol for archiving data for after research
The Research Data Storage (Archiving) Protocol 2016 regulates the storage of data that forms the basis for a publication. With the protocol, the faculty strives to adopt a more systematic approach to carefully and transparently storing research data during the process of collection and processing. 

Queries regarding the protocols should be addressed to research.support.fsw@uu.nl.

Research Data Management Guideline, Faculty of Science

The Faculty of Science has set up faculty guidelines on research data management, rather than a protocol. The guideline does not deviate from UU policy but aims to provide a comprehensive and practical overview of the most important aspects. The faculty has a dedicated page with additional information that provides more context for the Science Faculty Guideline.

Research Data Management Support has specific expertise in setting up data protocols for faculties, projects and groups and will gladly assist you.


3. Sharing privacy-sensitive data

The 'University Policy Framework for Research Data' stresses your moral obligation as a researcher to make your data available after publication. However, you should bear in mind that precautions should be taken when sharing privacy-sensitive data. The following legal obligations, restrictions and codes of conduct relating to the disclosure of personal data apply.

General Data Protection Regulation (GDPR) or AVG

The General Data Protection Regulation (GDPR) or Algemene Verordening Gegevensbescherming (AVG) came into effect in May of 2018. The GDPR replaces the 'Wet Bescherming Persoonsgegevens (WBP)'. Other laws which contain rules for processing personal data, such as WGBO, Wkkgz, WMO and 'Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg', will continue to exist alongside the GDPR for those parts where they have complementary rules.

The GDPR is European legislation which regulates the privacy protection of natural persons (from Europe) in the processing and transfer of personal data (in Europe). One of its principles is, for example, privacy by design. Appropriate technical and organisational measures have to be taken to protect personal data. The law provides for penalties for data breaches, which can add up considerably. As of May 2018, everyone must comply with the GDPR. See the guide to 'Handling personal data' for more information.

Wet Medisch wetenschappelijk Onderzoek (WMO)

The aim of the WMO (the Medical Research Act) is to offer test subjects proper legal protection. Research that falls under the scope of the WMO must first be reviewed by a recognised Medical Ethics Assessment Committee (METC). WMO-obligatory research satisfies the following:

  • Medical research is carried out;
  • The subjects are subjected to actions and/or a certain behaviour is imposed on them.

Non-WMO-related research with persons does still fall under the General Data Protection Regulation (GDPR). It is however advised (and sometimes part of a faculty protocol) to have non-WMO-related research with persons reviewed by an Ethical Review Board. Read more in the Guide Handling Personal Data Check 2: Ethical Obligations.

Wet Geneeskundige Behandelingsovereenkomst (WGBO)

WGBO describes the rights and obligations of clients in health care. It also stipulates under which conditions data can be shared for statistics or scientific research in the field of public health (article 458).

Obligation to report personal data breaches

The GDPR (AVG) contains rules on reporting breaches of personal data. Both private and public organisations that process personal data are required to report breaches of security that lead to theft, loss or misuse of personal data. If a breach is not reported, the 'Autoriteit persoonsgegevens' (Dutch Data Protection Authority) can impose a substantial fine. Within Utrecht University you should report a (suspected) data leak as soon as possible to cert@uu.nl.

Dutch Data Protection Authority-approved codes of conduct for researchers

With the new GDPR (AVG in Dutch), codes of conduct are being revisited for health research and personal data. As soon as they are released, they will be referred to here.

Old codes are:

While the laws are all about personal data, the codes of conduct also contain guidelines for non-personal data.

For a translation of law to practice see our guide 'Handling personal data'. 

4. Data ownership and reuse rights

As a researcher, you should clarify who the copyright holder of your datasets is, especially when you use existing data or when you collaborate with external parties. Copyright is a form of intellectual property right which arises automatically if an original work is created. Copyright will not cover the underlying facts, ideas or concepts, but only the particular way in which they have been expressed. Copyrighted output from research could include spreadsheets (and other forms of originally selected and organised data), publications, books, reports and computer programs. Consult the Copyright Information Office for more information on copyright on publications and books.

Clarifying the ownership of your research data

Officially, Utrecht University, as your employer, is considered the rights holder to the research data you create. You, as a researcher, have the primary responsibility for taking care of the data.

However, questions on data exploitation and reuse rights may be even more important than those of ownership. Who can use the data? Who can publish it? Who can provide it to third parties? We strongly recommend that you deal with the issues involved with data exploitation at an early stage of your research project. State all agreements between yourself, your supervisor and other interested parties in your data management plan and negotiate terms for processing, dissemination and reuse. See the guide Legal instruments and agreements for an overview of possibilities and examples.

When the time comes to share your data, the most practical solution is to put a license on the data you want to share. In this way you make clear what usage conditions apply without people having to ask permission. See 'Licensing data' for more information.

Using someone else’s research data

The use of someone else's research data is dictated by the provisions in the license which the creators apply. If such a license is not present, data may fall under copyright. Even so, you may still be able to reuse the data. SURF provides a brief guide to determining what consent is necessary to reuse someone else’s data.