When you are working on a project involving more than one organisation it is important that the project has:
When more than one organisation collaborates on a project, the shared understanding of how the project will be conducted is set down in the collaboration agreement. This may be in addition to a contract between the funder and lead organisation. If you are an investigator on a collaborative project you should ensure that the collaboration agreement addresses the basis on which the data will be collected, stored, accessed, retained and published. Typical issues addressed within the collaboration agreement are listed below.
There is more information on IP on the 'Intellectual Property' tab,
If the study is collecting personal data then the Data Controller should ideally be identified within the collaboration agreement. See the 'Who is the Data Controller' tab for more information.
There is more information on classifying research data on our 'Sensitive data' guide.
UKRI expect that 'researchers engaged in collaborative research [with commercial partners] should ensure that the governance of who will have access to data is set out in advance in the collaboration agreement'. (Guidance on best practice in the management of research data).
Intellectual Property is 'the rights relating to: literary, artistic and scientific works; the performance of performing artists, phonograms and broadcasts; inventions in all fields of human endeavour; scientific discoveries; industrial designs; trade marks; service marks and commercial names and designations; and all other rights resulting from intellectual activity in the industrial, scientific, literary and artistic fields' (World Intellectual Property Organisation 1967).
For researchers this means that IP covers your ideas, inventions, knowledge, written and artistic works, know-how, designs and data arising from your research. (University of Bath Research Commercialisation presentation). The University of Bath Intellectual Property Policy can be found here.
Background IP is the Intellectual Property that forms the background to the project. This can include Intellectual Property owned by the University of Bath, Intellectual Property owned by collaborators and Intellectual Property owned by other people ('Third-Party IP').
Foreground IP is the Intellectual Property that is generated during the course of a project. When you are negotiating your collaboration agreement bear in mind that this includes all of the data arising from the study. When you are writing your Data Management Plan the ownership of the data, according to the contracts or collaboration agreements, should be included.
If you are working with, or collecting, personal data during your collaborative project it is important to clarify which institution (as this will be an institution, not a person) is the data controller for the project. This is not always easy to do and we suggest that you discuss any queries with the Data Protection team (email@example.com) and with the Research and Commercialisation Contracts team (firstname.lastname@example.org). You should not assume that the data owner (Rights Holder / owner of the Foreground IP) is the Data Controller.
When we are discussing these terms they only relate to personal data.
The Information Commissioners Office defines the data controller as: 'a person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. The data controller exercises control over 'why' and 'how' of a data processing activity.
The Information Commissioners Office defines the data processor means any person (other than an employee of the Data Controller) who processes the data on behalf of the data controller.
Processing is defined by the University, in the Data Protection Policy, as 'every possible form of action that can be taken in relation to data' including:
The Information Commissioners Office states that only the data controller can decide:
Within a collaboration agreement, a data processor, processing the data on behalf of the data controller, may decide:
(Reproduced from the Information Commissioner's guidance, accessed October 2018).
If you are sharing identifiable or pseudoanonymised (containing a participant identifier that can be used to re-identify the participant) between collaborators you may need to set up a data transfer agreement or data sharing agreement between the data controller and the institution that the data is being transferred to. If the University of Bath has been identified as data controller in a project then contact the Data Protection team to determine whether a data transfer agreement is needed.
In order to comply with the Data Protection Act you should avoid transferring personal data (such as audio files) or sensitive personal data (such as video files) to a transcription service that is based outside the European Economic Area (EEA). Be especially careful if you are transferring personal data to an online transcription service because the location of the servers might be outside the EEA. If you are transferring identifiable data you might need to set up a data transfer agreement with the transcription service, depending on their terms and conditions. If you are unsure please contact the Data Protection team for advice.
Transferring identifiable personal data outside the EEA may result in a breach of the Data Protection Act therefore personal data that has not been fully anonymised must not be transferred out of the European Economic Area (EEA) without approval by the Data Protection team (email@example.com). Transfer of personal data (securely) is permitted for the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
Transfers of data to Andorra, Argentina, Guernsey, Isle of Man, Isreal, Jersey, New Zealand, Switzerland and Uruguay are considered by the EU Commission to be 'adequate' in terms of their data protection. If you are unsure about whether or not you can transfer identifiable personal data please contact the Data Protection team for advice.
The UKRI guidance on best practice in the management of research data stipulates that 'any reasonable steps should be taken to ensure that research data are not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK.
The University provides several options for sharing data with collaborators. The appropriate option to choose depends largely on the nature of the data to be shared, for example, the size and quantity of the files, how often you expect them to change, and how sensitive they are.
Internal collaborators can be granted access to specific folders on the X: Drive. Contact your local IT supporter to ask for permissions to be set up for folders on the X: Drive. External collaborators can be provided with temporary (annual) University of Bath logins that will allow them to access data on a shared folder on the X: Drive. The Digital, Data and Technology Group provide guidance on setting up external email accounts.
Data stored on the X:Drive can be accessed using the following methods:
If you set up a dedicated folder on files.bath for sharing data with collaborators this can also be used as a secure file transfer service without the need for collaborators to have a Bath account created by the Digital, Data and Technology Group. You are able to generate a link to the folder within files.bath that is live for seven days and is password protected. You should ensure that you send the link to the folder and password to collaborators separately.
The University provides a wiki service with can be used for collaboration. Access to wiki pages can be set by the page creators, the most permissive state for wiki pages grants read-only access to the public and write access to anyone with a Bath login, but wiki spaces can be locked down with more restrictive permissions to the level of particular users and groups. As with the X: Drive, external collaborators would need to be given a temporary Bath account to be able to access private spaces and pages within the wiki. The Digital, Data and Technology Group can provide these logins on an annual basis.
When contemplating the use of cloud storage for research and the storage of sensitive data, it is important to differentiate between cloud storage that is enterprise-grade (e.g. provided by an institution/ university account) vs. a non-institutional (personal) account.
While personal accounts for external cloud services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues:
Personal cloud-based storage solutions must not be used for sensitive data.
However, when using cloud storage, the above issues can be addressed via the use of enterprise-grade cloud storage provided for by the university as they are resilient and meet the NCSC’s 14 cloud security principles. Computing Services provide advice on storing information in the cloud.
If you are working with external research partners and they propose the use of cloud storage, ensure that this storage is enterprise-grade.