Legal instruments and agreements

During your research, you will have to deal with distinct parties that may have an interest in your data. Before you start your research, it is wise to think about drawing up the necessary documents which will make the conditions under which your data may be collected, used, processed and shared clear to all parties involved.

1. Privacy and security assessment

Privacy scan

When: Before you collect or handle personal (privacy-sensitive) data.

What: A privacy scan helps you plan all the privacy-related aspects of your project. For example, you describe which personal data you collect, which legal basis you use, with whom you will share the data, and how you will protect the data throughout your project. A privacy scan serves as a "light" version of a Data Protection Impact Assessment (see below), helps you plan your research in line with the General Data Protection Regulation (GDPR), and helps you fulfill the Accountability requirement of the GDPR by documenting your workflow.

More information:

  • You can find more information about privacy scans in the .
  • The Faculty of Geosciences has created a .
  • If you have questions about your privacy scan or how it is implemented in your faculty, please contact your . 

Data Protection Impact Assessment (DPIA)

When: If your use of personal data poses a high privacy risk for data subjects (e.g., participants), or when you are unsure about the privacy risks in your project. In the Data Privacy Handbook you can find .

What: A Data Protection Impact Assessment (DPIA) is always done together with the . It helps you identify the severity of privacy risks and specify measures to mitigate those risks. A DPIA is similar to a privacy scan, but more in-depth, and is an official GDPR document that requires consultation with the university's .

More information:

  • You can find more information about DPIAs in the .
  • Example templates for DPIAs are that of and of the .
  • If you are unsure whether a DPIA is necessary, or you want to start conducting a DPIA, please first contact your .

Data classification

When: To determine how secure the IT solutions should be that you want to use for your data (e.g., for storage, analysis, sharing), and which measures you should take to ensure proper data security.

What: In a data classification, you determine how important it is to keep data Confidential, correct (Integrity) and Available (CIA, in Dutch: BIV). Each of these three aspects is classified as low, basic, sensitive, or critical. The more impact a data breach would have, the higher the classification, and the tighter the security measures should be (e.g., a more secure storage platform, encryption, two-factor authentication, etc.).

More information:

  • You can find more detailed information about Data classification levels in the .
  • Get started with data classification via from information security.
  • For questions about data classification, please contact .

2. Collaborating with others

For any type of agreement listed below, please contact your or to ascertain that its contents are complete and correct, and to make sure that the correct person signs the agreement on behalf of the UU. You can also use the to help you determine which agreement you may need.

Confidentiality agreement or Non-disclosure agreement (NDA)

When: If data is disclosed to a third party or person, such as student assistants who help to collect data, and any data or information should not be used or spread at all.

What: An NDA is a legally binding contract covering topics such as scope (who), length of the non-disclosure and possibly penalties for breaches, and should be signed before sharing any data. An NDA will make sure that the person has stated on record that they have access to the data and have agreed not to share the data with others.

More information: You can find example NDA templates in the , or contact your for help drafting an NDA.

Consortium agreement

When: If you are starting a research project with partners outside of UU.

What: In a Consortium agreement, all parties agree on the intellectual property (ownership) of produced or gathered data, and on how these data are shared and used amongst partners during and after the project. Usually, a consortium agreement will also need to contain information on how personal data are handled and by which party.

More information: 

  •  (European Commission, 2020).
  • Information about the privacy part of the consortium is usually included in a . Ask your for help drafting this.

Processing agreement

When: When a third party is going to process (e.g., store, analyse, share, transcribe) personal data on your behalf, without having their own research question and methods. This is often the case when you use tools, such as survey or storage platforms.

What: A processing agreement contains statements on how data may be handled and for how long, who has access and for what exact goal it can be used.

Examples:

  • UU has processing agreements in place for a number of tools, see the UU . If the tool you want to use is not listed, please contact .
  • There are on the intranet. Please always consult with your before using them.

3. Sharing data 

Informed consent

When: If you collect personal data from participants and you cannot, or do not want to, rely on the .

What: Typically, written consent documentation includes an information sheet which explains the consent process and a shorter consent form which is signed by the participant. It is important to describe the goal of the data collection and envisaged use of the personal data, also in the future. Consent is limited to such descriptions and no use outside those areas is permitted.

More information:

Data transfer agreement

When: When (personal) data is transferred between two legal entities and the other party will reuse the data for its own purposes. A data transfer agreement is used in situations where a risk exists that the data is inappropriately accessed or used.

What: In a data transfer agreement, statements are made on how data may be handled, who has access, for what exact goal it can be used, etc. This way, it ensures that both parties are aware of their responsibilities and are bound to do what the agreement says.

Example:

Data License

When: When (meta)data is made available through publication in a (data) repository or archive, and there are no custom restrictions to reuse (see User agreement below). Without a license, the copyright of a dataset remains with the data creators and reuse is legally severely limited.

What: A license states the conditions under which reuse is allowed in a standard, structured way. For non-sensitive research datasets, the most commonly used licenses are Creative Commons - Zero (CC0) and Creative Commons - BY (CC-BY). CC0 means that there are no restrictions on reuse of the data whatsoever, whereas CC-BY means that any reuse is allowed, provided that there is attribution to the creators of the data. Creative Commons also has more restrictive options, such as share alike (CC-SA), non-commercial (CC-NC) or no derivatives (CC-ND). Recently, the Open Knowledge Foundation has formulated For example, OpenStreetMap uses the Open Database License. In practice, however, these licenses are not yet much used in many existing data repositories.

More information:

  • Guide to choosing a
  • for data or software
  • Do you want to read more about licenses for research software? Check the blog here.
  • Information about publishing code and software is available here.

User agreement

When: When data is made available under specific conditions that are not (sufficiently) described in standard licenses (a "custom license"). The user usually has to agree with the terms of the user agreement and consequently gains access.

What: A user agreement specifies the terms and conditions under which data can be (re)used. For example, it can have statements on attribution, use, and protection of personal data. User agreements are often used in data repositories (e.g., custom terms of use in DataverseNL) or as part of a Data Transfer Agreement.

Example:

  • by the Donders Institute, Radboud University.