Tag: international research collaboration

  • Data Sharing Agreement Template UK: Research Collaboration Guide

    A data sharing agreement is legally required under UK GDPR when two or more institutions act as joint controllers of personal data in a research collaboration — Article 26 makes this a binding obligation, not a discretionary policy choice. It is a legal contract, distinct from a data management plan, which has no equivalent status in data protection law. Searching for a generic UK data sharing agreement template that institutions can copy is the wrong starting point: the correct document depends on your controller status, not a fill-in-the-blank form.

    A data sharing agreement is a written contract between two or more organisations that sets out the purpose, scope, lawful basis, security standards, and responsibilities governing an exchange of personal data. For research administrators coordinating multi-institution studies, knowing exactly when one is mandatory — and how it differs from a data management plan or a data processing agreement — determines whether a project is compliant before the first dataset moves.

    Data sharing agreement vs data management plan: what’s the difference?

    These two documents are frequently conflated in research administration, but they serve different functions. A data sharing agreement is a legally binding contract between institutions. A data management plan (DMP) is a research-planning document, usually required by a funder as a grant condition, describing how data will be collected, stored, and archived over a project’s life.

    • Legal status — a data sharing agreement can be a binding contract; a DMP is a funder deliverable with no contractual force.
    • Trigger — a data sharing agreement responds to UK GDPR obligations; a DMP responds to funder grant terms.
    • Audience — a data sharing agreement binds the named institutions; a DMP is submitted to and reviewed by the funder.
    • Content focus — a data sharing agreement covers lawful basis, security, and liability; a DMP covers data formats, repositories, and preservation.

    UKRI’s data policy expects funded researchers to produce a DMP, and Horizon Europe’s Model Grant Agreement requires one as part of its open science obligations. Neither substitutes for a data sharing agreement where personal data crosses institutional boundaries — the two are complementary, not interchangeable.

    When does UK GDPR require a data sharing agreement?

    UK GDPR does not impose a blanket legal requirement to have a written data sharing agreement for every instance of data sharing. Whether one is mandatory depends on the legal relationship between the parties, not on the existence of a research project alone.

    Under Article 26 of UK GDPR, organisations that jointly determine the purposes and means of processing personal data — for example, two universities co-designing a study and jointly deciding what data to collect and how to use it — are joint controllers. The law requires them to set out their respective responsibilities in an arrangement, including who handles privacy notices, subject access requests, and the primary contact point for data subjects.

    Where institutions instead act as independent controllers — each using the shared data for its own separate purpose, such as one university passing anonymised cohort data to a partner for an unrelated secondary analysis — UK GDPR does not legally mandate a written agreement. The Information Commissioner’s Office (ICO) nonetheless recommends one as good practice, since it helps demonstrate the UK GDPR accountability principle.

    The regulatory landscape shifted further with the Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025 and amends both UK GDPR and the Privacy and Electronic Communications Regulations — institutions should check DSIT’s commencement timetable before assuming legacy practices remain unchanged.

    What must a data sharing agreement contain?

    The ICO’s statutory Data Sharing Code of Practice sets out what a data sharing agreement should cover, regardless of whether it is legally mandatory in a given case. A research-focused agreement should address:

    • The identity of every party, including a named Data Protection Officer contact.
    • The specific research purpose and why the sharing is necessary to achieve it.
    • A precise description of the data items shared, flagging any special category or criminal offence data.
    • The lawful basis each party relies on, which may differ between institutions.
    • The designated point of contact for data subjects — mandatory for joint controllers under Article 26.
    • Security, retention, and end-of-project deletion or return arrangements.
    • Breach-notification procedures and safeguards for any international data transfer.

    The table below distinguishes the three documents most often confused.

    Document | Legally mandatory? | Governs | Typical owner
    Data sharing agreement | Only for joint controllers (Article 26) | Lawful basis, roles, security, liability | Data Protection Officer / legal team
    Data processing agreement | Yes, always (Article 28) | Processor’s instructions from the controller | Data Protection Officer / procurement
    Data management plan | Only if the funder requires it | Data formats, storage, archiving over project lifecycle | Principal investigator / research office

    Data sharing agreement vs data processing agreement

    A data sharing agreement and a data processing agreement address opposite relationships. A data sharing agreement applies between two or more controllers who each decide, jointly or independently, how personal data will be used. A data processing agreement applies when a controller instructs a processor — an organisation handling data solely on the controller’s instructions, such as a cloud storage provider — to process personal data on its behalf. Article 28 of UK GDPR makes the processing agreement mandatory in every controller-to-processor relationship, with terms prescribed by law; no equivalent blanket rule exists for controller-to-controller sharing.

    Common questions on data sharing agreements

    Is a data sharing agreement legally required?

    A data sharing agreement is legally mandatory only when two or more organisations act as joint controllers under UK GDPR Article 26. For independent controllers sharing data for their own separate purposes, the ICO’s data sharing code recommends but does not legally require a written agreement — though skipping one weakens your accountability defence if challenged.

    What is the difference between a data sharing agreement and a data processing agreement?

    A data sharing agreement governs data moving between two controllers who each decide how it is used. A data processing agreement is legally required under UK GDPR Article 28 whenever a controller instructs a processor to handle data on its behalf. Confusing the two risks drafting entirely the wrong contractual terms for the relationship.

    What are the 7 golden rules of data sharing?

    The “seven golden rules” originate from UK government safeguarding guidance for practitioners, not from UK GDPR itself. They emphasise that data protection law is not a barrier to justified sharing, that sharing should be necessary and proportionate, and that decisions must be recorded — sound principles, but not a substitute for a formal data sharing agreement.

    What is the data sharing law in the UK?

    There is no single “data sharing law” — sharing personal data is governed by UK GDPR, the Data Protection Act 2018, and, since Royal Assent on 19 June 2025, the Data (Use and Access) Act 2025, which amends both frameworks. Research collaborations must also observe common-law confidentiality duties alongside these statutes.

    What this means for research administrators

    For institutions running multi-site studies, the practical starting point is a controller-relationship analysis, not a template download. Research offices should determine whether partners are jointly designing the research question — pointing to joint controllership and a mandatory Article 26 arrangement — or each applying the data to its own distinct purpose, pointing to independent controllership and a recommended, non-mandatory agreement. This should run alongside, not instead of, the DMP required by funders such as UKRI or Horizon Europe. Bodies like ARMA (the Association of Research Managers and Administrators) increasingly treat this controller-status check as standard due diligence, sitting alongside ethics review rather than as a legal afterthought.

    Getting the agreement right

    A data sharing agreement and a data management plan answer different questions: one sets the legal terms under which personal data moves between institutions; the other describes how research data will be handled and preserved over a project’s lifecycle. Joint decision-making about personal data requires the former as a matter of UK GDPR law; funders increasingly require the latter as a matter of grant compliance. Treating the two as interchangeable is the most common compliance gap in multi-institution research — build the controller-status check into standard research administration workflow, before data starts moving.

  • OECD AI Principles vs the EU AI Act: What Research Offices Need to Know

    Research offices coordinating international collaborations increasingly need to distinguish between two very different kinds of AI governance instrument. The OECD AI principles set out a shared, values-based standard that 47 governments have politically endorsed since 2019, while the European Union’s AI Act is a legally binding regulation carrying fines for non-compliance. For institutions running Horizon Europe consortia, UKRI-funded partnerships, or transatlantic data-sharing agreements, knowing which framework applies, and when, determines real compliance obligations rather than aspirational good practice.

    What Are the OECD AI Principles?

    The OECD AI Principles originate from a Recommendation of the OECD Council (OECD/LEGAL/0449), adopted in May 2019 as the first intergovernmental standard on artificial intelligence. As a Recommendation rather than a treaty, adherence is a political commitment, not a legal obligation. Despite that soft-law status, the framework has proved influential: its definitions of “AI system” and “AI system lifecycle” have been carried directly into the EU AI Act, US federal guidance, Council of Europe instruments and a 2024 UN General Assembly resolution on AI.

    The Principles were updated in May 2024 to account for generative AI and refine the underlying definitions, while keeping the same structure. There are now 47 adherents, spanning OECD members and partner economies including the UK, US, Japan and Korea.

    The Recommendation sets out five values-based principles for responsible AI stewardship:

    • Inclusive growth, sustainable development and well-being — AI should benefit people and the planet.
    • Human-centred values and fairness — AI actors must respect the rule of law, human rights, privacy and democratic values.
    • Transparency and explainability — AI actors should enable people to understand and, where appropriate, challenge AI-based outcomes.
    • Robustness, security and safety — AI systems must function reliably throughout their lifecycle, including under adverse conditions.
    • Accountability — organisations and individuals responsible for AI systems are accountable for their proper functioning.

    Alongside these values-based principles, the Recommendation sets out five policy recommendations for governments: invest in AI research and development, foster an inclusive AI ecosystem, shape an enabling governance environment, build human capacity for workforce transitions, and strengthen international co-operation. For research offices, this pairing matters: the values-based principles function as an ethical baseline for institutional AI policy, while the policy recommendations shape how national research funders design their own AI-in-research guidance.

    The EU AI Act: A Binding, Risk-Based Regime

    Formally Regulation (EU) 2024/1689, the EU AI Act entered into force on 1 August 2024 and is legally binding on anyone who places an AI system on the EU market, puts one into service in the EU, or whose AI system’s output is used within the EU — irrespective of where the provider is established. That last point is the crucial difference from the OECD’s soft-law approach: enforcement follows market and deployment triggers, not adherent status.

    The Act classifies AI systems by risk:

    • Unacceptable risk — practices such as social scoring and manipulative AI are banned; prohibitions applied from 2 February 2025.
    • High risk — systems used in areas such as education access, admissions or candidate evaluation face strict duties on data governance, technical documentation and human oversight; most obligations apply from 2 August 2026 (some product-safety-annex systems from 2 August 2027).
    • General-purpose AI models — providers face transparency and, for the most capable models, systemic-risk obligations that applied from 2 August 2025.
    • Limited and minimal risk — lighter transparency duties (e.g. disclosing AI-generated content) or none at all.

    Non-compliance carries real financial exposure: fines for prohibited practices can reach €35 million or 7% of global annual turnover, whichever is higher.

    Crucially for universities and research institutes, Article 2 of the Act exempts AI systems and models developed and used for the sole purpose of scientific research and development, provided they are not placed on the market or put into operational service. That exemption is narrower than it sounds: the moment a pilot admissions-scoring tool, a proctoring system or a research-evaluation model moves from an internal research exercise into operational use, including free publication as a usable tool, the exemption can lapse and the relevant risk-tier obligations apply.

    Feature | OECD AI Principles | EU AI Act
    Legal status | Non-binding Council Recommendation | Legally binding Regulation (EU) 2024/1689
    Adopted | 2019, updated May 2024 | Entered into force 1 August 2024; phased application to 2027
    Approach | Values-based principles plus policy recommendations | Risk-tiered obligations (unacceptable/high/limited/minimal)
    Enforcement | Peer reporting via the OECD.AI Policy Observatory | Fines up to €35m or 7% of global turnover
    Research exemption | No formal exemption — applies as ethical guidance to all AI activity | Article 2 exempts AI developed solely for scientific R&D, until placed on the market
    Territorial trigger | Adherent governments and their institutions (47 as of 2026) | Anywhere an AI system is placed on the EU market or its output used in the EU

    Frequently Asked Questions

    What are OECD principles on AI?

    The OECD AI Principles are five values-based commitments — inclusive growth, human-centred values, transparency, robustness and accountability — adopted in a 2019 OECD Council Recommendation and updated in 2024. They sit alongside five policy recommendations for national AI strategy and are non-binding: adherents commit politically, not legally.

    What is the scope of the AI Act?

    The EU AI Act applies to any provider or deployer that places an AI system or general-purpose AI model on the EU market, puts it into service in the EU, or whose AI system’s output is used within the EU, regardless of where the organisation is established. A narrow exemption covers systems developed solely for scientific research.

    What are the key features of the AI Act?

    The Act classifies AI by risk tier: unacceptable-risk practices are banned, high-risk systems face strict obligations on data governance and human oversight, limited-risk systems carry transparency duties, and minimal-risk systems remain largely unregulated. Obligations phase in between February 2025 and August 2027.

    What is the main goal of the AI Act?

    The EU AI Act aims to ensure AI systems used in the EU are safe and respect fundamental rights, while still fostering innovation and a single EU market for trustworthy AI — mirroring, in binding legal form, values the OECD Principles set out voluntarily back in 2019.

    Implications for International Research Collaborations

    For a research administration office running a Horizon Europe or multi-country consortium, the practical dividing line is not nationality but where an AI system is placed on the market or put into service. The UK’s own regulatory approach remains principles-based and sector-led rather than a single statute, which sits closer to the OECD’s soft-law model than to the EU’s binding Act. That means a consortium spanning EU and non-EU institutions typically needs to apply the OECD Principles as a governance floor everywhere, while layering EU AI Act obligations only where the EU leg of the project triggers them.

    Practical steps for research offices include:

    • Map every AI touchpoint across the consortium — admissions tools, grant-scoring assistants, participant-facing chatbots, drafting tools built on general-purpose models — to check whether the Article 2 research exemption still applies once a tool moves from pilot to operational use.
    • Treat the OECD Principles as the baseline for institutional AI ethics policy and grant conditions, since 47 governments, including most funder jurisdictions, already reference them.
    • Track the EU AI Act’s phased dates in agreements with EU partners: prohibited-practice compliance from February 2025, general-purpose AI model duties from August 2025, and most high-risk obligations from August 2026.
    • Flag any AI tool used in EU-facing admissions, proctoring or research-evaluation processes as a potential high-risk use under Annex III, requiring documentation and human oversight even where the underlying research itself remains exempt.

    The two frameworks are not on a collision course. The EU AI Act’s adoption of the OECD’s own definition of an “AI system” points toward gradual convergence in vocabulary, even as legal force diverges. Research offices that build their AI governance around the stricter of the two applicable layers, rather than the more comfortable one, will find both frameworks easier to satisfy as further OECD updates and EU implementing guidance arrive.