Tag: FAIR Data Principles

  • What Is a Data Trust? Research Data Governance

    A data trust is a legal and technical framework in which an independent trustee, bound by fiduciary duty, makes decisions about a pool of data on behalf of the people or organisations who contributed it. For research data, this offers a genuine alternative to depositing datasets individually in a repository: instead of each contributor negotiating access terms alone, a trustee stewards shared data collectively, with accountability built into the governance structure itself.

    A data trust can be defined precisely: it is an independent steward, holding data under a formal duty of impartiality, prudence, transparency and undivided loyalty to the beneficiaries whose data it manages, according to the Open Data Institute (ODI), which coined and refined the term from 2018.

    What is a data trust?

    A data trust is a legal structure in which one party authorises an independent trustee to make decisions about data on their behalf, for the benefit of a defined group of stakeholders. The ODI, which published its first explainer on the concept in July 2018 and adopted a working definition later that year, models the idea on established asset trusts such as land trusts, transposing the same fiduciary logic onto data.

    The clearest working example is UK Biobank, established in 2006 as a charitable company with trustees to steward genetic data and biological samples from around 500,000 participants. The ODI itself trialled the concept in practice with the UK Government’s Office for AI in April 2019, testing whether fiduciary stewardship could work as applied governance rather than theory alone. Separately, the University of Cambridge’s Data Trusts Initiative has examined data trusts as a mechanism for pooling individuals’ legal data rights into a single negotiating and stewardship entity.

    How does a data trust govern research data differently from repository deposit?

    Under the standard deposit model, a researcher or institution submits a dataset to a repository, which applies institutional policy and a licence to govern reuse — the repository itself owes no fiduciary duty to depositors. Under a data trust, an independent trustee holds ongoing decision-making authority over the pooled data and is legally obliged to act in the beneficiaries’ interests, not merely to apply a static licence at the point of deposit.

    This distinction matters most for sensitive, re-identifiable, or commercially valuable research data, where a one-off licence cannot anticipate every future access request. A trust structure allows collective, ongoing renegotiation of terms as new uses arise, rather than requiring each depositor to individually vet every downstream request.

    Feature Data trust Repository deposit
    Legal basis Formal trust or fiduciary agreement Institutional policy plus a data licence
    Decision-maker Independent trustee(s) with ongoing authority Depositor sets terms once, at submission
    Fiduciary duty Yes — legally binding to beneficiaries No — repository is a custodian, not a fiduciary
    Best suited to Sensitive, re-identifiable, or contested data Open, low-risk, citation-ready datasets

    Data sharing agreement vs data processing agreement: where does a data trust fit?

    A data sharing agreement sets out the terms under which two or more parties exchange data they each control, while a data processing agreement — required under UK GDPR Article 28 wherever a processor handles data on a controller’s behalf — fixes the narrower, instructed relationship between a data controller and a processor acting only on its instructions.

    A data trust does not replace either instrument; it changes who holds the authority to agree them. Rather than each institution separately negotiating a data sharing agreement for every new research collaboration, the trustee negotiates and monitors compliance centrally, on behalf of all contributors, reducing duplicated legal effort across a research consortium.

    What does a data trust mean for FAIR data stewardship?

    The FAIR Principles — Findable, Accessible, Interoperable, Reusable, formalised by Wilkinson and colleagues in Scientific Data in 2016 — govern how research data should be described and made available, but they do not specify who decides access terms. A data trust supplies exactly that missing governance layer.

    • Findability and interoperability metadata can still be maintained in a conventional repository even where the trust governs access rights.
    • Accessibility becomes a trustee decision rather than a fixed licence, allowing tiered or conditional access for sensitive datasets that would otherwise be withheld entirely.
    • Reusability is strengthened where beneficiaries trust the stewardship arrangement enough to contribute richer, less redacted data in the first place.

    Institutions bound by research data management policy obligations — including UKRI’s Common Principles on Data Policy — can treat a data trust as a compliance mechanism that satisfies funder access requirements without forcing full open deposit of sensitive material.

    Indigenous data sovereignty and the CARE Principles

    The Global Indigenous Data Alliance published the CARE Principles — Collective Benefit, Authority to Control, Responsibility, and Ethics — in 2019, explicitly to complement FAIR by centring people and purpose rather than data alone. CARE was developed in direct response to concerns that FAIR-only stewardship could enable extraction of Indigenous data without consent or benefit-sharing.

    A data trust structure is one of the few governance mechanisms that can operationalise CARE’s “Authority to Control” principle in practice: it gives a defined community, rather than a repository operator, the standing to appoint trustees and set binding terms. This is a genuinely distinct information-gain point rarely covered in generic data-trust explainers, most of which address corporate or civic data rather than research data sovereignty.

    Answer-first Q&A

    What is a data trust?

    A data trust is a legal and technical structure that manages data on behalf of contributors through an independent trustee. The trustee holds a fiduciary duty — impartiality, prudence, transparency, and undivided loyalty — to the people or organisations whose data is pooled, rather than to any single commercial interest.

    What is the data trust structure?

    The structure places data under the control of a board of trustees who owe a fiduciary responsibility to the beneficiaries. Terms of access, use, and onward sharing are set collectively and can be renegotiated over time, unlike a fixed licence attached to a single dataset at deposit.

    What is a public data trust?

    A public data trust is governed by community, government, or non-profit board members committed to widening access to data affecting a defined population. In a research setting, this model supports population studies, public-health cohorts, and civic datasets where public benefit and consent are central governance concerns.

    What is the role of a data trustee?

    A data trustee manages, protects, and ensures the integrity and appropriate use of pooled data. Trustees identify sensitivity and risk, approve or decline access requests, and enforce the trust’s terms — a standing, ongoing role rather than a one-time licensing decision made at the point of deposit.

    Implications and outlook for research administrators

    For research administrators, the practical implication is that data trusts are not a substitute for repository infrastructure — findability, persistent identifiers, and metadata still depend on conventional deposit systems. What a trust adds is a governance layer above the infrastructure, suited to consortium data, population cohorts, and datasets involving Indigenous or otherwise sovereignty-sensitive communities.

    Institutions weighing a data trust model should expect higher upfront legal cost than a standard repository licence, offset against lower recurring negotiation cost across a multi-year, multi-partner project. As FAIR-compliant infrastructure matures and CARE-aligned governance expectations grow, data trusts are likely to remain a minority but increasingly cited option for exactly the categories of research data — sensitive, collectively owned, or community-governed — that pure open deposit handles least well.

  • Materials Data Repository: NIST’s FAIR Approach

    The NIST Materials Data Repository is a US federal, open-access archive that lets materials scientists deposit, describe and reuse research data files under the Materials Genome Initiative (MGI). It matters for research data management (RDM) because materials science has lagged biomedical and social-science fields in adopting FAIR data principles, and NIST’s infrastructure — built on the open-source DSpace platform — offers a concrete, working template for what FAIR looks like in a physical-science discipline.

    A materials data repository is a structured digital archive purpose-built for storing, describing and sharing datasets specific to materials science: crystal structures, mechanical-property measurements, spectroscopy files, simulation outputs and processing metadata. Unlike a general-purpose institutional repository, it is organised around domain metadata schemas that make heterogeneous, often binary, materials data searchable and machine-actionable.

    What is the NIST Materials Data Repository?

    The NIST Materials Data Repository, hosted at materialsdata.nist.gov, is a file repository maintained by the US National Institute of Standards and Technology’s Material Measurement Laboratory. It accepts data in any format and pairs each deposit with descriptive metadata — title, author, ownership and, where available, richer domain fields — specifically to counter the “opacity” of binary materials files that would otherwise be unsearchable.

    NIST states the repository was created to give the research community “a concrete mechanism for the interchange and re-use of research data on materials systems,” in direct support of the Materials Genome Initiative, the 2011 US federal effort to accelerate materials discovery through better data infrastructure. Content is organised into communities and collections, which groups related datasets and improves browsability for specific research teams or projects.

    Technically, the repository runs on DSpace, an open-source repository platform widely used across academic libraries, which gives it three RDM-relevant capabilities out of the box: persistent identifiers for deposited files, a web-accessible API for machine-to-machine access, and federation with other repositories. NIST has used that API to feed repository references into the Materials Data Facility and a “root and rules” search algorithm, extending the data’s reach beyond the repository’s own interface.

    How does the repository support FAIR data principles?

    The FAIR data principles — Findable, Accessible, Interoperable, Reusable — were formalised in 2016 in Scientific Data by Wilkinson et al. as a shared standard for making research data machine-actionable, not just human-readable. NIST’s repository operationalises each element rather than treating FAIR as an abstract aspiration.

    • Findable: rich, mandatory metadata plus persistent identifiers make each dataset discoverable independent of where its underlying file happens to live.
    • Accessible: the majority of holdings are public and retrievable through a standard web browser or the repository’s API, with limited invitation-only collections reserved for pre-publication analysis.
    • Interoperable: structured metadata and DSpace’s federation capability let the repository exchange records with external systems such as the Materials Data Facility, rather than functioning as an isolated silo.
    • Reusable: depositor-selected licensing terms and descriptive context give downstream users the information they need to judge whether a dataset is fit for reuse in new research.

    This matters because FAIR compliance in materials science carries a different technical burden than it does in genomics or clinical trials data. A single alloy characterisation dataset can combine imaging files, spectroscopy outputs and tabular composition data in incompatible native formats — which is precisely the interoperability problem a domain-specific repository, rather than a generic institutional one, is built to solve.

    How does it compare with other materials data infrastructure?

    NIST’s repository is one node in a small but growing international ecosystem of materials-specific data infrastructure. Research administrators advising physical-science departments should understand where each fits, since “materials data repository” covers genuinely different data types — deposited raw files versus computed, simulation-derived properties.

    Repository Steward Data type Notable FAIR feature
    NIST Materials Data Repository NIST (US federal) Deposited experimental/research files, any format Persistent IDs, API, DSpace federation
    MDR (DICE) National Institute for Materials Science, Japan Data and publications, domain-tailored metadata Metadata schemas tuned to materials disciplines
    Materials Project Lawrence Berkeley National Laboratory Computed structure/property data Open API for bulk computed-data queries
    NOMAD FAIRmat / open-source community Simulation and computational materials data Explicitly FAIR-by-design, free and open source

    UK institutions have a domestic reference point too: the Henry Royce Institute, the UK’s national institute for advanced materials research, maintains a Digital Materials Foundry that curates links to major computational materials databases for UK researchers, positioning FAIR materials data as institutional infrastructure rather than a project-by-project afterthought.

    Registries such as re3data.org — the DataCite-affiliated global registry of research data repositories — independently list the NIST repository, which gives it discoverability outside its own domain and is itself a small but real Findability signal under the FAIR framework.

    What does this mean for RDM programmes?

    Materials science RDM guidance remains thin relative to biomedical and social-science fields, where funder mandates, data-sharing plans and repository certification (CoreTrustSeal, for example) are comparatively mature. Research administrators supporting engineering and physical-science faculties can draw three practical lessons from NIST’s model.

    1. Domain-specific metadata schemas matter more than generic institutional-repository templates for high-heterogeneity data such as materials characterisation files.
    2. Persistent identifiers and API access are not optional extras — they are what converts a file dump into FAIR-compliant infrastructure.
    3. Federation with discipline hubs (the Materials Data Facility, re3data.org) extends a dataset’s reach far beyond a single institutional URL.

    For research administrators building data management plans that reference physical-science outputs, pointing PIs toward an established domain repository — rather than a generic institutional one — materially improves the odds that FAIR criteria in funder compliance reviews are actually met.

    Answer-first Q&A

    What is the purpose of a materials data repository?

    A materials data repository exists to make heterogeneous, often binary materials science data — spectroscopy, imaging, composition and mechanical-property files — searchable, citable and reusable. It solves the specific problem that raw materials files are otherwise opaque to search engines and incompatible with generic institutional repository metadata schemas.

    What are examples of materials data repositories besides NIST’s?

    Beyond the NIST Materials Data Repository, notable examples include Japan’s NIMS MDR (via the DICE platform), the US Materials Project for computed structure data, and NOMAD, a European open-source repository explicitly built to FAIR specifications for computational materials science.

    Is it costly to deposit data in a repository like NIST’s?

    NIST’s Materials Data Repository is a federally funded, open-access service with no publicly advertised deposit fee, unlike some generalist commercial repositories that charge per gigabyte above a free tier. Costs for materials-specific deposit are therefore typically absorbed by the institution’s existing RDM infrastructure rather than billed per dataset.

    What is the best materials data repository for FAIR compliance?

    There is no single “best” repository — the right choice depends on data type. NOMAD and the Materials Project suit computed/simulation data, while NIST’s and NIMS’ MDR suit deposited experimental datasets; all four implement the core FAIR pillars but through different metadata and access mechanisms.

    Where materials science RDM is heading

    Materials science FAIR infrastructure is converging on the same architecture that biomedical and social-science RDM adopted earlier: persistent identifiers, API-level machine access, domain-tuned metadata and cross-repository federation. NIST’s Materials Data Repository, updated as recently as March 2025 according to its own programme page, demonstrates that a federal physical-science agency can build FAIR-compliant infrastructure without waiting for a universal cross-discipline standard to arrive first. For research administrators, the practical task now is steering physical-science principal investigators toward these domain repositories in data management plans, rather than defaulting to generalist options that were never built for materials data’s particular complexity.

  • Research Data Management Policy: €10.2bn Case

    A research data management policy that treats FAIR compliance as a line-item cost, rather than a reuse and reputation asset, is the wrong accounting model. PwC estimated in a 2018 study for the European Commission that the absence of FAIR (Findable, Accessible, Interoperable, Reusable) research data costs the European economy at least €10.2 billion a year, largely through duplicated data collection and wasted researcher time. That figure is the strongest evidence available that under-investment in research data management (RDM) infrastructure is a false economy, not a saving.

    A research data management policy is an institutional document setting out the responsibilities of researchers and the institution for planning, storing, securing, sharing and preserving research data across its lifecycle. Most UK universities — Southampton, Birmingham, Manchester, Edinburgh and others — already publish one. The argument here is narrower and more contentious: most are drafted, funded and governed as compliance paperwork, when the evidence says they should be funded as reuse and reputation infrastructure.

    Why RDM policy gets treated as a cost centre

    Institutional budgets typically classify research data management as overhead: storage costs, repository subscriptions, a data steward’s salary, training time. Each appears as a debit with no offsetting credit line, because savings from avoided duplication and faster reuse accrue diffusely, across future researchers and grants, not to the budget holder who paid for the infrastructure.

    This accounting mismatch is compounded by how the data management plan (DMP) requirement is handled in practice. Most funders now mandate one, but research offices frequently treat it as a box-ticking exercise completed at proposal stage and never revisited, rather than a live operational document. That framing under-serves the researcher, who gets no practical reuse benefit, and the institution, which under-recovers the true cost of good RDM from grants that would pay for it.

    UK Research and Innovation (UKRI) explicitly states that costs associated with research data management — storage, curation, repository deposit — are eligible for recovery under its funding. Institutions treating RDM as unfunded overhead are frequently leaving recoverable grant money unclaimed rather than avoiding a cost.

    What the evidence actually says about FAIR and avoided cost

    The FAIR data principles were formalised in 2016 by Wilkinson et al. in Scientific Data as a guide for making digital assets Findable, Accessible, Interoperable and Reusable by both humans and machines. FAIR data is not a compliance checkbox; it is a design standard for making data usable by someone who was not present when it was collected.

    The clearest attributed cost estimate comes from PwC’s 2018 cost-benefit analysis for the European Commission, which put the annual cost of non-FAIR research data to the European economy at €10.2 billion, driven by researcher time lost searching for data, recreation of data that already exists, and lost interdisciplinary reuse. A separate, frequently cited illustration is the University of Minnesota’s decades-long diet study, whose original data nearly disappeared into storage before being recovered and reanalysed — a reminder that data loss is a recurring, avoidable event when retention and documentation are afterthoughts.

    Three mechanisms explain where the savings actually come from:

    • Avoided duplication. Findable, well-described data lets a second researcher build on an existing dataset instead of re-running a costly collection exercise.
    • Faster reuse cycles. Interoperable data in standard formats with persistent identifiers can be integrated into new analyses without reformatting or re-negotiating access.
    • Preserved institutional memory. Deposit in a certified repository protects data against the single most common loss vector: staff turnover and undocumented local storage.

    None of this shows up as a saving on a university’s annual accounts, which is precisely why RDM investment is chronically under-prioritised relative to its documented return.

    How funder compliance requirements are changing the calculus

    Funder mandates are steadily converting FAIR data from voluntary good practice into a hard compliance gate, which changes the institutional risk calculus even for leaders unconvinced by the reuse argument. UKRI’s Common Principles on Research Data, and the underlying Concordat on Open Research Data, require a data management plan for funded research and state that data should be made openly available with as few restrictions as necessary. Horizon Europe applies comparable requirements, and cOAlition S’s Plan S pushes the same expectations into journal-level open-access policy.

    A comparison of how three major funders frame the requirement illustrates the convergence:

    Funder / framework Core RDM requirement FAIR reference
    UKRI Data management plan for funded research; RDM costs eligible for recovery Endorses FAIR via the Concordat on Open Research Data
    Horizon Europe DMP required within six months of project start, updated across lifecycle “As open as possible, as closed as necessary,” explicitly FAIR-aligned
    cOAlition S (Plan S) Underlying data should accompany open-access publications References FAIR principles for supporting data

    Institutions that fund RDM only to the minimum needed for a single grant’s DMP template are exposed twice: to duplicated administrative cost when infrastructure is rebuilt project by project, and to compliance risk as funders move toward auditing DMP adherence rather than merely requiring its submission.

    The case for investing in data stewardship, not just policy text

    A policy document alone does not create FAIR data. That requires people: a data steward function — a dedicated role, a network of disciplinary data champions, or a research data service embedded in the library — able to advise researchers on repository choice, metadata standards and licensing at the point where those decisions are actually made, not after the fact.

    Institutions that fund this role tend to route researchers toward standards-based infrastructure rather than ad hoc local storage: a research data repository registered in re3data.org, ideally holding Core Trust Seal certification, with persistent identifiers (DOIs) and standard metadata attached to every deposit. This is the practical, unglamorous mechanism by which the €10.2 billion estimate above is actually avoided — not through a policy PDF, but through a person and a repository that make FAIR operational.

    CASRAI’s relevance here is provenance and interoperability, not ownership. CASRAI originated the CRediT contributor role taxonomy in 2014, now stewarded by NISO as ANSI/NISO Z39.104-2022 — the same underlying argument in a different domain: standardising who-did-what reduces duplicated verification effort just as standardising data description reduces duplicated data collection. Institutions weighing their research administration infrastructure should treat RDM policy, contributor attribution and open data reuse as one reputational and efficiency system, not separate obligations.

    Answer-first Q&A

    What is a research data management policy?

    A research data management policy is an institutional document defining responsibilities for planning, storing, securing, sharing, and archiving research data across its lifecycle. UK universities including Edinburgh and Manchester publish theirs publicly, typically requiring a data management plan at proposal stage and deposit in an approved repository after project completion.

    What are the FAIR data principles?

    The FAIR data principles — Findable, Accessible, Interoperable, Reusable — were published by Wilkinson et al. in 2016 in Scientific Data as guidance for making digital research assets usable by both humans and machines, through persistent identifiers, standard metadata, and clear licensing.

    Do UK and EU funders require a data management plan?

    Yes. UKRI requires a data management plan for funded research and treats RDM costs as eligible for recovery, while Horizon Europe requires a DMP within six months of project start under its “as open as possible, as closed as necessary” principle.

    How much does poor research data management actually cost?

    PwC’s 2018 analysis for the European Commission put the annual cost of non-FAIR research data to the European economy at €10.2 billion, driven primarily by duplicated data collection and researcher time lost searching for data that already exists elsewhere.

    Implications for institutional leaders

    The practical implication is a reframing exercise, not necessarily a large new budget line. Research offices should cost RDM infrastructure — repositories, data steward time, metadata training — against the funder-eligible recovery already available through DMP-linked grants, rather than absorbing it as unfunded overhead. Leaders reviewing their research data management policy should ask whether it funds a data steward with real authority over repository choice and metadata quality, or whether it is a document that satisfies a compliance checklist and stops there.

    The evidence — a €10.2 billion EU-wide cost estimate, UKRI’s funding eligibility for RDM costs, and Horizon Europe’s escalating DMP requirements — points one direction: institutions that keep treating FAIR compliance as a cost centre are choosing to keep paying the duplication tax FAIR data was designed to eliminate.

  • Australian Research Data Commons: FAIR Model

    The Australian Research Data Commons (ARDC) is Australia’s national research data infrastructure body: formed in 2018 by merging three earlier programmes, it gives researchers shared, FAIR-aligned access to data discovery, compute, and identifier services so individual universities do not have to build this capability alone.

    The ARDC is a public company limited by guarantee that operates Australia’s national research data commons, formed on 1 July 2018 from the merger of the Australian National Data Service (ANDS), Nectar, and Research Data Services (RDS). For research administrators and institutional leaders comparing centralised national investment against distributed, institution-by-institution research data management (RDM), the ARDC is the clearest working example of the centralised model operating at national scale.

    What is the Australian Research Data Commons?

    The Australian Research Data Commons consolidates three predecessor national programmes into a single body responsible for research data infrastructure across all disciplines. Before 2018, the Australian National Data Service (ANDS, established 2008), Nectar (established 2009), and Research Data Services (RDS) each managed a separate piece of the national e-research landscape: discovery, compute, and storage respectively.

    Merging them removed the seams between discovery, storage, and compute that researchers previously had to navigate across three separately governed programmes. The ARDC’s stated aim, per its own site, is to enable Australian researchers and industry to access “nationally significant” digital research infrastructure, skills, and data collections rather than each institution replicating this from scratch.

    How is the ARDC funded and governed?

    The ARDC is funded primarily through the Australian Government’s National Collaborative Research Infrastructure Strategy (NCRIS), the same mechanism that underwrote its predecessor programmes. ANDS was originally funded via a 2008 agreement between the (then) Department of Innovation, Industry, Science and Research and Monash University, with further funding arriving through the Education Investment Fund under the government’s Super Science Initiative.

    Governance sits with a board overseeing a public company limited by guarantee, headquartered in Melbourne with staff across Canberra, Adelaide, Perth, Ballarat, Brisbane, and Sydney. This is a materially different governance shape from a distributed RDM model, where each university’s research office, library, and IT division independently funds and governs its own data services against the institution’s own budget cycle.

    What infrastructure does the ARDC actually operate?

    The ARDC’s core, user-facing service is Research Data Australia, a discovery portal giving access to metadata records from over 100 Australian research organisations, cultural institutions, and government agencies. It also runs the Nectar Research Cloud, a shared national compute facility, and coordinates three Thematic Research Data Commons that target long-term, discipline-specific infrastructure needs, including health and medical research and the humanities, arts, social sciences and Indigenous research (HASS) domain.

    Beyond discovery and compute, the ARDC’s remit extends to standards and skills work that a single institution would struggle to justify funding alone:

    • Coordinating Australia’s national persistent identifier (PID) strategy, encouraging consistent use of identifiers for people, organisations, and datasets
    • Publishing FAIR data guides and running structured training such as “FAIR Data 101”
    • Requiring FAIR-aligned practice from its own co-investment projects as a condition of funding
    • Operating the Nectar Research Cloud (roughly 50,000 compute cores serving around 20,000 users, per historical ARDC/Nectar reporting) alongside virtual laboratories for specific research communities

    Centralised vs distributed: what does the ARDC model mean for institutions?

    A centralised national commons like the ARDC amortises the cost of discovery infrastructure, identifier strategy, and large-scale compute across an entire research system rather than each institution paying separately. The trade-off is that institutions cede some control over roadmap priorities and must align local practice with a national standard rather than an internally chosen one.

    Dimension Centralised national model (ARDC) Distributed institutional model
    Funding source National programme (NCRIS) Individual institutional budgets
    Discovery layer One shared portal (Research Data Australia) Separate institutional repositories
    Compute/storage Shared national cloud (Nectar) Institution-specific procurement
    Standards consistency Single national PID and FAIR policy Varies by institution
    Duplication risk Low — infrastructure built once Higher — each institution rebuilds similar tooling
    Local control Lower — national roadmap governs priorities Higher — institution sets its own priorities

    Institutions weighing this trade-off are not choosing between “good” and “bad” infrastructure; they are choosing where duplication cost and local autonomy sit on a single spectrum. The ARDC demonstrates that a national commons can deliver FAIR-aligned discovery and compute without every institution independently re-solving the same identifier and storage problems.

    Answer-first questions on the ARDC

    What is Research Data Australia?

    Research Data Australia is the ARDC’s national discovery portal, giving researchers a single point of access to metadata describing datasets held across more than 100 Australian research organisations, cultural institutions, and government agencies. It descends from the earlier ANDS Collections Registry and remains the ARDC’s principal public-facing discovery service.

    How is the ARDC funded?

    The ARDC is funded chiefly through the Australian Government’s National Collaborative Research Infrastructure Strategy (NCRIS), following on from funding arrangements that originally supported its predecessor programmes, ANDS and Nectar, including money from the Education Investment Fund under the Super Science Initiative.

    What did the ARDC replace?

    The ARDC replaced three separately governed programmes on 1 July 2018: the Australian National Data Service (ANDS), Nectar (National eResearch Collaboration Tools and Resources), and Research Data Services (RDS), consolidating discovery, compute, and storage under one national body.

    What this means for institutions and funders

    For institutions and funders outside Australia, the ARDC is a working case study rather than a template to copy wholesale — national research systems differ in scale, federal structure, and existing infrastructure maturity. What generalises is the underlying logic: discovery metadata, persistent identifiers, and baseline compute are commodity infrastructure that gains value from being shared rather than re-procured by every institution.

    Institutions currently investing in distributed RDM should ask which of their own services are genuinely differentiating (subject-specific curation, disciplinary expertise) versus which are commodity infrastructure better funded once, nationally or consortially, than dozens of times over.

    Outlook

    The ARDC’s roadmap continues to run through Australia’s National Research Infrastructure planning cycle, with persistent identifiers and FAIR-by-default practice as recurring priorities. As more national and regional funders assess where to draw the line between centralised and distributed research administration infrastructure, the ARDC’s decade-long consolidation experience — and the FAIR principles it operationalises via its data terminology and standards resources — offers a concrete reference point rather than an abstract framework.

  • Five Safes Framework: FAIR Access vs Privacy

    The Five Safes framework is a governance model — Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs — that lets trusted research environments grant researchers FAIR access to sensitive data while keeping disclosure risk under continuous, auditable control. Rather than treating openness and privacy as opposing goals, it turns each into a checkable dimension, so a dataset can be findable and reusable in principle while remaining tightly access-controlled in practice.

    The five safes framework is a risk-management taxonomy, originated by the UK’s Office for National Statistics (ONS) and formalised in the 2010s, that decomposes data-access decisions into five independent dimensions of risk rather than a single accept/reject gate. It is the governance logic underneath most UK trusted research environments (TREs), including the UK Data Service SecureLab, ONS’s Secure Research Service, Research Data Scotland, and the network of TREs coordinated by Health Data Research UK (HDR UK).

    What is the Five Safes framework?

    The Five Safes framework was set out formally by ONS statisticians Felix Ritchie and Tanvi Desai, whose 2016 working paper “Five Safes: designing data access for research” is the primary methodological source most secondary explainers omit. It reframes data access as five separable risk dimensions rather than a binary “share or withhold” decision.

    Each dimension is assessed independently, then combined. A weakness in one — for example, less rigorously screened outputs — can be offset by tightening another, such as restricting the setting to an air-gapped enclave. This modularity is what allows the same underlying dataset to support both a low-risk aggregate release and a high-risk record-level research project, governed by different combinations of the same five controls.

    The five dimensions explained

    Each “safe” answers a distinct governance question. Together they form the checklist that a trusted research environment applies before, during and after a project.

    Dimension Core question Typical TRE control
    Safe People Is the researcher trustworthy and trained? Accreditation, Safe Researcher Training, signed data-access agreements
    Safe Projects Is the proposed use ethical, lawful and in the public interest? Independent approvals panel, ethics review, public-benefit test
    Safe Settings Is the technical environment controlled? Air-gapped enclave, no local downloads, logged sessions
    Safe Data Has disclosure risk in the dataset itself been reduced? De-identification, pseudonymisation, statistical perturbation
    Safe Outputs Could anything leaving the environment re-identify someone? Manual/automated output-checking against small-cell disclosure rules

    No single safe carries the whole burden. Under the Five Safes model, a dataset that cannot be fully anonymised can still be used safely if the setting, people and outputs are controlled tightly enough to compensate — the logic that underwrites most modern TRE design.

    Five Safes in NHS secure data environments

    The 2022 Goldacre Review, Better, Broader, Safer: Using Health Data for Research and Analysis, recommended that NHS data for research move away from dissemination of pseudonymised extracts and into Five Safes-governed trusted research environments by default. NHS England’s subsequent secure data environment (SDE) policy, published as part of the Data Saves Lives strategy, requires that access to NHS health and care data for research and planning purposes take place inside approved SDEs rather than through bulk data transfers.

    This is Five Safes applied at national scale: Safe Settings replaces the old model of emailing or shipping extracts; Safe People and Safe Projects are enforced through SDE accreditation and project approval panels; Safe Outputs is enforced through statistical disclosure control before any result leaves the environment. HDR UK’s federated TRE network and NHS England’s regional sub-national secure data environments both operate on this same five-dimension logic.

    Reconciling FAIR access with disclosure control

    The FAIR principles — Findable, Accessible, Interoperable, Reusable — were published by Wilkinson et al. in Scientific Data (2016) to improve the value of research data for both humans and machines. FAIR’s “Accessible” criterion is frequently misread as “open”; the original principles explicitly state that access can require authentication and authorisation, provided the conditions are clearly documented.

    The Five Safes framework is the mechanism that satisfies that condition for sensitive data. It does not compete with FAIR — it operationalises the “A” in FAIR for data too sensitive to release openly.

    FAIR principle Five Safes dimension that operationalises it Practical mechanism
    Findable Safe Data (metadata layer) Catalogued metadata is public even when the underlying data is not
    Accessible Safe People + Safe Projects Documented accreditation and approval routes, not open download
    Interoperable Safe Settings Standardised formats and tooling inside the controlled enclave
    Reusable Safe Outputs Disclosure-checked results and code released for onward reuse

    Under GDPR Article 89, processing special-category data for research purposes is permitted subject to appropriate safeguards. In UK practice, a Five Safes-governed trusted research environment is the safeguard: it lets institutions claim the research exemption while still meeting data-protection obligations, which is why TREs — not open repositories — are now the default access route for identifiable or quasi-identifiable datasets.

    Assessing maturity: from principles to governance

    Because the five dimensions are qualitative by design, data custodians need a way to compare TREs consistently. Administrative Data Research UK (ADR UK) has developed a Five Safes maturity model that scores environments against each dimension, moving the framework from a descriptive checklist to an auditable governance standard. Many TREs also pursue ISO/IEC 27001 information-security certification to provide independent evidence for the Safe Settings dimension specifically.

    • ONS Secure Research Service — the original Five Safes implementation
    • UK Data Service SecureLab — Five Safes applied to social science and economic microdata
    • Research Data Scotland — devolved administrative-data TRE built on the same model
    • HDR UK’s TRE network and NHS England’s sub-national SDEs — Five Safes at health-data scale

    For research administrators negotiating data-sharing agreements, the maturity model matters more than the framework name: a self-declared “Five Safes-aligned” environment is not equivalent to one independently assessed against all five dimensions.

    Common questions about the Five Safes framework

    What are the five dimensions of the Five Safes framework?

    The five dimensions are Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs. Each is assessed and controlled separately, so weaknesses in one dimension can be offset by stricter controls in another, rather than requiring every dimension to reach maximum safety independently.

    How does the Five Safes framework work in the NHS?

    NHS secure data environments apply Five Safes by requiring accredited researchers, approved projects, and controlled technical settings instead of releasing pseudonymised data extracts. Following the 2022 Goldacre Review, NHS England’s secure data environment policy makes this the default access route for NHS health and care data used in research.

    Is a trusted research environment the same as the Five Safes framework?

    No. A trusted research environment is the technical and organisational setting — the “Safe Setting” — while the Five Safes framework is the broader governance logic covering people, projects, data and outputs as well. A TRE is one implementation of the Safe Settings dimension, not the whole model.

    How does the Five Safes framework relate to the FAIR data principles?

    The Five Safes framework operationalises FAIR’s “Accessible” principle for sensitive data that cannot be openly released. It makes metadata findable and reusable outputs disclosure-checked, while authorisation and accreditation — rather than open download — satisfy the accessibility requirement.

    Implications and outlook

    The direction of UK policy is unambiguous: dissemination of raw or lightly de-identified extracts is being phased out in favour of Five Safes-governed environments, first in health data and increasingly across administrative and social datasets held by ADR UK partners. For institutions, this means data-sharing agreements, ethics approvals and researcher training pathways increasingly need to be designed around the five dimensions from the outset, not retrofitted once a TRE is chosen.

    For publishers and funders assessing data-availability statements, understanding which of the five safes underpins a stated access route — rather than treating “available in a trusted research environment” as a single undifferentiated category — is becoming a necessary part of due diligence. The framework’s real value is not that it makes data open; it is that it makes the terms of controlled access explicit, auditable and consistent across institutions, which is the precondition FAIR access needs when the data itself cannot be.

  • National Data Repository Mandates: UK, US, EU

    National data repository requirements now differ sharply by jurisdiction: the UK coordinates through UKRI’s Concordat on Open Research Data and a planned National Data Library, the US relies on agency-specific mandates such as the NIH Data Management and Sharing Policy layered on the OPEN Government Data Act, and the EU binds Horizon Europe funding to mandatory FAIR data management plans routed through the European Open Science Cloud. All three converge on the FAIR principles as the technical baseline, but they diverge sharply on enforcement, centralisation and what “as open as possible” means in practice.

    A national data repository is a government- or funder-endorsed infrastructure (or federated network of infrastructures) for depositing, curating and providing persistent access to datasets produced by publicly funded research, so that they meet the FAIR standard of being Findable, Accessible, Interoperable and Reusable. No single global rulebook defines what such a repository must look like — which is precisely why the UK, US and EU have built three structurally different systems around the same FAIR foundation.

    What counts as a national data repository?

    A national data repository is infrastructure, endorsed at government or funder level, that stores research datasets with persistent identifiers, standardised metadata and defined reuse licences. The FAIR data principles — first formalised in Scientific Data in 2016 — define the technical bar: data and metadata must be findable via persistent identifiers, accessible over open protocols, interoperable through shared vocabularies, and reusable under clear provenance and licensing.

    Crucially, FAIR does not mean unconditionally open. The dominant policy language across all three jurisdictions is some variant of “as open as possible, as closed as necessary” — datasets with legitimate privacy, security or intellectual-property constraints can remain FAIR while access to the raw data itself stays restricted, provided the metadata is still discoverable.

    How does the UK mandate research data repositories?

    The UK’s approach is coordinated centrally through UK Research and Innovation (UKRI) rather than fragmented across individual funders. The Concordat on Open Research Data, agreed by UK funders and sector bodies, sets the expectation that publicly funded research data should be made openly available with as few restrictions as possible, in a timely and responsible manner.

    UKRI has been developing a harmonised open research data policy to replace the varying requirements previously set by its individual research councils, with a more explicit alignment to FAIR principles than the original Concordat text. The UK does not run one single mandatory repository for all disciplines; instead it combines a cross-disciplinary resource — the UK Data Service, holding the country’s largest collection of economic, population and social research data — with discipline-specific data centres. A National Data Library initiative is also under development. Enforcement runs through grant conditions rather than statute.

    How does the US enforce data-sharing requirements?

    The US combines a government-wide legal baseline with agency-specific enforcement, producing a federated rather than centralised system. The OPEN Government Data Act codifies the principle that federal government data — including federally funded research outputs captured by agencies — should be open and machine-readable by default, operationalised through the Data.gov catalogue.

    The sharpest enforcement sits with individual funding agencies. Under the NIH Data Management and Sharing (DMS) Policy, effective since January 2023, NIH-funded researchers must submit a DMS Plan describing how scientific data will be managed and shared, with FAIR principles strongly encouraged. The National Science Foundation requires a Data Management Plan for all proposals and supports deposit through disciplinary repositories and its own NSF Public Access Repository (NSF-PAR). This gives communities flexibility to choose fitting repositories, at the cost of one unified national research-data repository.

    How does the EU mandate FAIR data through Horizon Europe?

    The EU operates the most centrally binding framework of the three. The Directive on open data and the re-use of public sector information requires member states to establish national policies for open access to publicly funded research data on an “open by default” basis, explicitly aligned with FAIR principles. For research funded under Horizon Europe, making data FAIR is a mandatory grant condition, not a recommendation: funded projects must produce a Data Management Plan and comply with FAIR requirements as a condition of the award, under the same “as open as possible, as closed as necessary” test used elsewhere.

    Infrastructure is built around the European Open Science Cloud (EOSC), described by the European Commission as a federated environment intended to become a “web of FAIR data and services” spanning all scientific disciplines. Within that federation, researchers commonly deposit through the general-purpose repository Zenodo — built and operated with CERN — while the Community Research and Development Information Service (CORDIS) serves as the EU’s public repository of record for funded project information.

    Where do the three approaches converge and diverge?

    All three jurisdictions treat FAIR as the technical baseline and all three qualify openness with a “necessary restriction” clause. The differences lie in enforcement mechanism, degree of centralisation, and whether a single flagship repository exists.

    Feature UK US EU
    Primary instrument UKRI Concordat on Open Research Data (evolving to a harmonised FAIR-explicit policy) OPEN Government Data Act; NIH DMS Policy; NSF Public Access Policy EU Open Data Directive; Horizon Europe grant conditions
    Legal basis Funder policy condition Federal statute plus agency policy Legally binding directive plus grant condition
    FAIR status Increasingly explicit in new UKRI policy Encouraged, embedded in agency plans Mandatory for Horizon Europe-funded projects
    Data management plan required Yes, for UKRI funding Yes, for NIH and NSF funding Yes, mandatory for Horizon Europe
    Repository model Centralised flagship (UK Data Service) plus disciplinary centres Federated (Data.gov, NSF-PAR, disciplinary repositories) Federated supranational (EOSC, Zenodo, CORDIS)

    Common questions on national data repository mandates

    What are the FAIR data principles required by UKRI?

    UKRI requires funded researchers to make outputs Findable, Accessible, Interoperable and Reusable, aligned with its Concordat on Open Research Data. UKRI councils frame this as maximising the impact, visibility and citation of research while applying the “as open as possible, as restricted as necessary” test to data with legitimate sensitivities.

    Does the NIH require a data management and sharing plan?

    Yes. Since 25 January 2023, the NIH Data Management and Sharing (DMS) Policy requires funded researchers to submit a DMS Plan describing how scientific data will be preserved and shared. NIH strongly encourages applying FAIR principles when selecting repositories and structuring metadata for that plan.

    Is FAIR data mandatory under Horizon Europe?

    Yes, unlike the UK’s evolving policy and the US’s encouraged-but-agency-specific approach, Horizon Europe makes FAIR data management a binding grant condition. Funded projects must submit a Data Management Plan and comply with FAIR requirements, subject to the same necessary-restriction exceptions used across all three jurisdictions.

    Is there one single national data repository researchers must use?

    No jurisdiction mandates a single universal repository. The UK combines a flagship service (UK Data Service) with disciplinary centres; the US runs a federated system across Data.gov and agency repositories such as NSF-PAR; the EU federates access through EOSC, Zenodo and CORDIS. Researchers typically choose the repository matching their discipline and funder requirements.

    What this means for institutions and researchers

    For research administrators managing multi-jurisdictional funding, a single data management plan template cannot satisfy all three regimes. Compliance teams must map deposit requirements per funder rather than assume FAIR-labelled data automatically meets every mandate’s specific repository, licensing and metadata conditions.

    The trend line points toward convergence. The UK’s move to a harmonised, more explicitly FAIR-aligned UKRI policy and the EU’s EOSC federation both signal a shift from fragmented rules toward unified infrastructure. The US remains the outlier: its federal open-data statute operates largely independently of agency-specific mandates from NIH and NSF.

    Institutions should treat “FAIR” and “open” as related but distinct compliance targets. A dataset can be fully FAIR — persistently identified, well-described, licensed — while remaining access-restricted for legitimate reasons in every jurisdiction covered here. Repository choice and data management plan content should be checked against the specific funder mandate, not a generic FAIR checklist.

  • Data Papers Explained: Making Datasets Citable

    A data paper is a peer-reviewed journal article whose sole purpose is to describe a dataset — its collection methods, structure, quality controls and reuse potential — so the dataset itself becomes a citable, discoverable research output. This is fundamentally different from a data availability statement (DAS), which is only a short paragraph inside a conventional research article pointing to where supporting data can be found. Understanding the distinction matters for anyone trying to get formal academic credit for data curation work, rather than a passing mention buried in someone else’s paper.

    A data paper is best defined this way: it is a searchable, citable metadata document, published as a standalone peer-reviewed article, whose primary content is the dataset’s provenance, structure and quality rather than a hypothesis or a set of conclusions.

    What is a data paper?

    A data paper is a peer-reviewed document describing a dataset, published in a peer-reviewed journal rather than as an appendix to a conventional study. It concentrates on the “what, why and how” of the data itself — collection methodology, processing steps, structure and known limitations — rather than on testing a hypothesis.

    The format is also known as a data article, data report, data brief or data note, but the function is consistent: it converts curation effort into an indexed, citable scholarly output that gives dataset creators formal academic credit.

    How is a data paper different from a data availability statement?

    A data availability statement is a short, mandatory paragraph within a conventional research article that tells readers where and how to access the data underpinning that paper’s findings. It exists to support transparency and reproducibility of one specific study — it is not a publication in its own right and it is not independently peer reviewed as a scholarly document.

    A data paper, by contrast, is a full standalone publication. It undergoes its own peer review, receives its own DOI, and is indexed and cited independently of any related research article. The table below sets out the practical differences.

    Feature Data paper Data availability statement
    Nature Standalone, peer-reviewed journal article A short section inside another article
    Peer review Independently peer reviewed as a scholarly work Not separately reviewed
    Citability Has its own DOI and citation record Not citable as a discrete work
    Purpose Describe and credit a dataset in depth Point readers to where data for one study lives
    Typical length Several pages, structured like a journal article One to three sentences

    Since 2018, the International Committee of Medical Journal Editors (ICMJE) has required a data sharing statement in reports of clinical trials, and many funders, including UKRI, expect a data access statement in any grant output. Neither requirement is a substitute for a data paper: a DAS satisfies a transparency mandate, while a data paper is the route to scholarly recognition and independent citation of the dataset itself.

    Which journals publish data papers?

    Dedicated data journals have grown substantially since the mid-2010s. According to the Global Biodiversity Information Facility (GBIF), which tracks outlets accepting data papers, article processing charges and impact metrics vary widely by publisher.

    • Scientific Data (Nature Portfolio) — an open-access, online-only journal dedicated to descriptions of scientifically valuable datasets, with a 2024 Journal Impact Factor of 6.9 and an article processing charge of approximately EUR 1,790, per GBIF’s June 2026 tracked figures.
    • Data in Brief (Elsevier) — a multidisciplinary, open-access journal publishing short data articles that describe and give context to datasets, with a 2024 Journal Impact Factor of 1.4 and an article processing charge of approximately USD 1,010.
    • GigaByte (BGI and Oxford University Press) — a CC BY open-access journal for “big data” descriptions across the life, biomedical and environmental sciences, with a 2024 Journal Impact Factor of 1.2, a Scopus CiteScore of 3.2, and an article processing charge of approximately USD 350 — the lowest of the three.

    Discipline-specific alternatives exist too: Earth System Science Data (Copernicus) carries a 2024 CiteScore of 20.6, and Biodiversity Data Journal (Pensoft) charges from around EUR 650. Choice of outlet should follow disciplinary norms, not price alone.

    How do you publish a data paper?

    Publishing a data paper follows a broadly consistent workflow across data journals:

    1. Deposit the dataset first. Upload the data to a recognised repository (for example Dryad, Zenodo or a domain-specific archive) so it receives a persistent identifier before the manuscript is submitted.
    2. Draft the manuscript around the metadata. Describe collection methods, instrumentation, processing pipelines, quality-control steps and known limitations — some tools, such as GBIF’s Integrated Publishing Toolkit, can auto-generate a manuscript draft directly from dataset metadata.
    3. Select a journal matched to the dataset’s discipline. Compare scope, licence terms, and article processing charge against outlets such as Scientific Data, Data in Brief or GigaByte.
    4. Submit for peer review. Reviewers assess the completeness and reusability of the description, not novel findings or conclusions.
    5. Publish and cross-link. On acceptance, the data paper’s DOI should be cross-referenced with the dataset’s own DOI in the repository record, so citation tools can connect the two.

    Why do data papers matter for FAIR data and citation?

    The FAIR Guiding Principles — Findable, Accessible, Interoperable, Reusable — were formalised by Wilkinson and colleagues in a 2016 Scientific Data paper and now underpin funder and repository policy internationally. A data paper operationalises FAIR by attaching a structured, human- and machine-readable description to a dataset that would otherwise carry only minimal repository metadata.

    Dataset citation is governed by the Joint Declaration of Data Citation Principles, published by FORCE11 in 2014, which holds that data merits the same importance, persistence and formal citation treatment as literature. Registration agencies such as DataCite assign the DOIs that make this mechanically possible; a data paper gives readers the narrative context a bare DOI record cannot.

    Frequently asked questions

    What is a data paper?

    A data paper is a peer-reviewed journal article whose primary purpose is describing a dataset’s collection, structure and quality, rather than reporting findings. It gives dataset creators an indexed, independently citable scholarly output.

    How to publish a data paper?

    Deposit the dataset in a recognised repository, draft a manuscript describing its methodology, choose a journal such as Scientific Data, Data in Brief or GigaByte, then submit for peer review that assesses completeness rather than novel conclusions.

    Do you have to pay to publish a data paper?

    Most data journals are open access and charge an article processing charge, ranging from roughly USD 350 at GigaByte to around EUR 1,790 at Scientific Data. Some outlets, including several Pensoft and Copernicus titles, waive or reduce this fee.

    Implications for institutions and funders

    For research administrators, the data paper format offers a concrete way to evidence data-curation effort in tenure, promotion and grant-reporting processes, where a bare data availability statement provides none. Recording named contributions to data creation, curation and description alongside the CRediT contributor role taxonomy gives institutions a fuller, auditable account of who did the data work, distinct from who wrote up the findings.

    Funders increasingly expect both: a data availability statement in the primary research article to satisfy transparency mandates, and — where a dataset has independent reuse value — a data paper to secure its long-term discoverability. Research administrators managing compliance across these overlapping requirements may find it useful to consult a dictionary of research administration terms when mapping funder policy language to practical author guidance.

    Conclusion

    A data paper and a data availability statement solve different problems: one creates a citable, peer-reviewed scholarly record of a dataset; the other simply discloses where supporting data for a specific study can be found. As funders tighten open-data expectations and repositories mature their DOI infrastructure, treating dataset description as a first-class, citable publication — not an afterthought bolted onto a results paper — will matter more, not less, for institutions seeking to demonstrate the full value of the research data they steward.

  • Indigenous Data Sovereignty: Why FAIR Needs CARE

    Indigenous data sovereignty is the right of Indigenous peoples and nations to govern the collection, ownership, interpretation, and application of data about their own communities, lands, and knowledge. Blanket “open by default” research-data mandates built on the FAIR Data Principles can override that right when they treat findability and accessibility as unconditional. The fix is not to abandon FAIR, but to add a CARE-informed consent layer — tiered access controls, negotiated data-sharing agreements, and governance authority held by the originating community — that sits inside FAIR’s own accessibility principle rather than outside it.

    As funders push open-data compliance deeper into grant conditions, research offices increasingly reconcile a mandate to publish with a community’s right to say no, say later, or say “only under these conditions.”

    What is indigenous data sovereignty?

    Indigenous data sovereignty describes the inherent right of Indigenous peoples to govern data about their own communities, resources, and lands — a right that derives from tribal and national self-determination rather than from any single data-protection statute. The Global Indigenous Data Alliance (GIDA) traces the movement’s institutional roots to country-specific networks: the Aotearoa New Zealand-based Te Mana Raraunga (Māori Data Sovereignty Network, formed 2015), Australia’s Maiam nayri Wingara Aboriginal and Torres Strait Islander Data Sovereignty Collective (2017), Canada’s First Nations Information Governance Centre, and the US Indigenous Data Sovereignty Network.

    These networks converged on a shared position: data collected about Indigenous peoples should remain subject to the governance of the nation or community it describes — including tribal law — not solely the policies of the funder, institution, or repository that hosts it. This is a governance claim, not merely a privacy preference, and it applies whether the data in question is health records, environmental monitoring, ceremonial knowledge, or genomic samples.

    How do CARE principles relate to FAIR data principles?

    The CARE Principles for Indigenous Data Governance — Collective Benefit, Authority to Control, Responsibility, and Ethics — were developed specifically to sit alongside the FAIR Data Principles (Findable, Accessible, Interoperable, Reusable), not to replace them. The Research Data Alliance’s International Indigenous Data Sovereignty Interest Group formalised CARE in 2019 to address what FAIR, on its own, does not: who benefits, who decides, and under what ethical obligations data circulates.

    Principle set Primary question it answers Governing focus
    FAIR (Findable, Accessible, Interoperable, Reusable) How usable is the data, technically? Data as an object
    CARE (Collective Benefit, Authority to Control, Responsibility, Ethics) Who benefits, and who decides? Data as a relationship

    Framing these as rivals misreads FAIR’s own text. FAIR principle A1.2 explicitly states that the accessibility protocol must “allow for an authentication and authorisation procedure, where necessary” — meaning FAIR was never a synonym for unconditional open access. Data can be fully findable, with rich metadata, a persistent identifier, and a documented access route, while the underlying content sits behind a governed permission gate. That gap between “discoverable” and “downloadable” is precisely where a CARE-informed consent layer belongs.

    Do open data mandates override indigenous data sovereignty?

    Open data mandates do not automatically override Indigenous data sovereignty, but poorly designed ones can function that way in practice. Funder policies such as UKRI’s research data policy and cOAlition S’s Plan S commitments require data to be made available with “as open as possible, as restricted as necessary” language — a formulation that already anticipates legitimate restriction, yet is frequently implemented by institutions as a default push toward maximal openness.

    PLOS’s own editorial position, published in its EveryONE blog in October 2023, states plainly that Indigenous Data Sovereignty is the right of Indigenous peoples to own and govern data about their communities, resources, and lands — and that open-access publishing policies must accommodate, not override, that right through mechanisms such as data-access statements that explain restrictions rather than force disclosure. The Australian Institute of Aboriginal and Torres Strait Islander Studies (AIATSIS) Code of Ethics for Aboriginal and Torres Strait Islander Research similarly requires researcher agreements on data ownership, access, and storage to be negotiated with communities before collection begins, not retrofitted at publication.

    • Where mandates and sovereignty align: both frameworks require documented data-management plans, clear provenance, and persistent identifiers.
    • Where friction emerges: “open by default” clauses that treat non-disclosure as an exception requiring justification, rather than a governance decision requiring respect.
    • The resolvable middle: metadata and access statements can be fully open even when the underlying dataset is access-controlled.

    A consent layer is a set of governance and technical controls — inserted between data creation and data reuse — that lets a community set the terms under which its data is discovered, accessed, and re-used, without removing that data from the research record entirely. In practice this combines four elements research administrators already have tools for:

    1. Tiered metadata: a public, FAIR-compliant record (title, abstract, provenance, persistent identifier via DataCite or Crossref) that is fully findable even when the dataset itself is restricted.
    2. Governance-holder sign-off: a named Indigenous governance body (tribal council, iwi authority, data sovereignty collective) with authority to approve, condition, or decline each reuse request — not a one-time blanket consent captured at initial collection.
    3. A trusted research environment (TRE): a controlled-access computing environment where approved researchers can analyse restricted data without exporting raw records, satisfying reusability without unconditional distribution.
    4. Biocultural or Traditional Knowledge labels: machine-readable metadata tags (the Local Contexts initiative’s TK and BC Labels) that travel with a dataset to signal provenance, cultural protocols, and permitted uses wherever it is indexed or mirrored.

    None of these four elements block findability. They condition access — which is exactly what FAIR’s accessible principle already permits.

    Data sharing agreement vs data processing agreement — which applies?

    A data sharing agreement (DSA) and a data processing agreement (DPA) serve different legal functions, and conflating them is a common source of failure in Indigenous data governance. A DSA governs the transfer of data between two parties who each have independent authority over how it is subsequently used — the correct instrument for Indigenous data sovereignty, because it lets the originating community retain and exercise ongoing authority to control, per CARE’s second principle.

    A DPA, by contrast, is used when one party (a processor) handles data strictly on behalf of another (the controller) with no independent decision-making rights — the model built into contract templates under UK GDPR. Using a DPA where a DSA is required strips the originating community of ongoing authority.

    Instrument Who holds decision authority Fit for Indigenous data sovereignty
    Data Sharing Agreement (DSA) Both parties, independently Appropriate — preserves community authority to control
    Data Processing Agreement (DPA) Controller only; processor has none Inappropriate as a standalone instrument — reduces community to data subject

    Implications for research administrators

    Research data management (RDM) policy templates written purely around funder compliance checklists will systematically under-serve Indigenous data governance unless they build in a consent layer as a standard clause, not an exception process. Institutions should require, at the data-management-plan stage, an explicit question: does this dataset describe an Indigenous community, and if so, has a governance body with authority to control been identified and consulted before collection?

    Research data repositories that host Indigenous-derived datasets should support tiered access controls and TK/BC Label metadata natively, rather than treating restricted-access as a bespoke workaround bolted onto an open-by-default platform. Institutions building or procuring a trusted research environment for sensitive data should evaluate whether it can enforce community-set reuse conditions per dataset, not merely per project.

    Conclusion: consent is compatible with findability

    Indigenous data sovereignty and the FAIR Data Principles are not opposed frameworks competing for the same ground — FAIR governs how data is described and discovered, while CARE and a CARE-informed consent layer govern who decides what happens next. A research data management policy that hard-codes this distinction, uses the right agreement type for the right relationship, and gives Indigenous governance bodies a standing role rather than a one-off consultation, satisfies funder open-data requirements and Indigenous data sovereignty at the same time. The two are compatible by design; the mandates just need to stop assuming otherwise.