Skip to Main Content
library logo banner

Working with data: Collaborating

Guide on working with data

Image for decorative purposes

On this page you will find guidance on considerations when working with collaborations, including collaboration agreements, intellectual property, transferring personal data and sharing data with collaborators

Working on collaborative projects

When you are working on a project involving more than one organisation it is important that the project has: 

  • A collaboration agreement which sets out how the shared understanding of how the project will be conducted
  • A Data Management Plan detailing how data will be managed across the different institutions, how data will be transferred (if needed) between the institutions, and how the data will be archived and published at the end of the project.

Considerations when working with collaborators

When more than one organisation collaborates on a project, the shared understanding of how the project will be conducted is set down in the collaboration agreement. This may be in addition to a contract between the funder and lead organisation. If you are an investigator on a collaborative project you should ensure that the collaboration agreement addresses the basis on which the data will be collected, stored, accessed, retained and published. Typical issues addressed within the collaboration agreement are listed below.


Intellectual Property (IP)

  • Who holds the rights (IP) to data created by the project? Note that data will not be mentioned separately, it comes under the term 'Foreground IP'.
  • If the data has multiple rights holders, how will those rights be administered during and after the project? 
  • Will published data be released under a common licence (which one?), or will licensing be decided on a case-by-case basis, and if so, by whom? 
  • Oh what terms will the data owned by one partner be shared with other partners?

There is more information on IP on the 'Intellectual Property' tab, 


Data Controller

If the study is collecting personal data then the Data Controller should ideally be identified within the collaboration agreement. See the 'Who is the Data Controller' tab for more information. 


Information Classification

  • What classes of data will be considered commercially sensitive or otherwise confidential?
  • Under what terms might third parties be granted access to the data? Could the archived data be shared with other researchers subject to a non-disclosure agreement? Would access be restricted on the basis of purpose; for example, granting access only for the purposes of peer review or validation? 

There is more information on classifying research data on our 'Sensitive data' guide. 


Research Council funded research

UKRI expect that 'researchers engaged in collaborative research [with commercial partners] should ensure that the governance of who will have access to data is set out in advance in the collaboration agreement'. (Guidance on best practice in the management of research data). 

What is Intellectual Property (IP)?

Intellectual Property is 'the rights relating to: literary, artistic and scientific works; the performance of performing artists, phonograms and broadcasts; inventions in all fields of human endeavour; scientific discoveries; industrial designs; trade marks; service marks and commercial names and designations; and all other rights resulting from intellectual activity in the industrial, scientific, literary and artistic fields' (World Intellectual Property Organisation 1967). 

For researchers this means that IP covers your ideas, inventions, knowledge, written and artistic works, know-how, designs and data arising from your research. (University of Bath Research Commercialisation presentation).  The University of Bath Intellectual Property Policy can be found here. 


What is the difference between Background and Foreground IP?

Background IP is the Intellectual Property that forms the background to the project. This can include Intellectual Property owned by the University of Bath, Intellectual Property owned by collaborators and Intellectual Property owned by other people ('Third-Party IP'). 

Foreground IP is the Intellectual Property that is generated during the course of a project. When you are negotiating your collaboration agreement bear in mind that this includes all of the data arising from the study. When you are writing your Data Management Plan the ownership of the data, according to the contracts or collaboration agreements, should be included.

If you are working with, or collecting, personal data during your collaborative project it is important to clarify which institution (as this will be an institution, not a person) is the data controller for the project. This is not always easy to do and we suggest that you discuss any queries with the Data Protection team ( and with the Research and Commercialisation Contracts team ( You should not assume that the data owner (Rights Holder / owner of the Foreground IP) is the Data Controller. 


What is the difference between a 'data controller' and a 'data processor'?

When we are discussing these terms they only relate to personal data. 

The Information Commissioners Office defines the data controller as: 'a person who (either alone or jointly in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed. The data controller exercises control over 'why' and 'how' of a data processing activity. 

The Information Commissioners Office defines the data processor means any person (other than an employee of the Data Controller) who processes the data on behalf of the data controller. 

Processing is defined by the University, in the Data Protection Policy, as 'every possible form of action that can be taken in relation to data' including: 

  • 'obtaining data
  • recording data
  • keeping data
  • using data in any way
  • sharing or disclosing data
  • erasing and / or destroying data'


Common roles of a data controller in a research project

The Information Commissioners Office states that only the data controller can decide: 

  • to collect the personal data the the legal basis for doing so
  • which items of personal data to collect
  • the purpose or purposes that the data are to be used for
  • which individuals to collect the data about
  • whether to disclose the data, and if so, who to
  • whether subject access and other individuals' rights apply (i.e the application of exemptions under the Data Protection Act)
  • how long to retain the data and whether to make non-routine amendments to the data.

Within a collaboration agreement, a data processor, processing the data on behalf of the data controller, may decide: 

  • what IT systems or other methods to use to collect personal data
  • how to store the personal data
  • the detail of the security surrounding the personal data
  • the means used to transfer data from one organisation to another
  • the means used to retrieve personal data about certain individuals
  • the method for ensuring a retention schedule is adhered to
  • the means used to delete or dispose of the data. 

(Reproduced from the Information Commissioner's guidance, accessed October 2018).

Data transfer or sharing agreements

If you are sharing identifiable or pseudoanonymised (containing a participant identifier that can be used to re-identify the participant) between collaborators you may need to set up a data transfer agreement or data sharing agreement between the data controller and the institution that the data is being transferred to. If the University of Bath has been identified as data controller in a project then contact the Data Protection team to determine whether a data transfer agreement is needed.  


Transferring data to a transcription service

In order to comply with the Data Protection Act you should avoid transferring personal data (such as audio files) or sensitive personal data (such as video files) to a transcription service that is based outside the European Economic Area (EEA). Be especially careful if you are transferring personal data to an online transcription service because the location of the servers might be outside the EEA. If you are transferring identifiable data you might need to set up a data transfer agreement with the transcription service, depending on their terms and conditions. If you are unsure please contact the Data Protection team for advice.


Transferring personal data outside the European Economic Area

Transferring identifiable personal data outside the EEA may result in a breach of the Data Protection Act therefore personal data that has not been fully anonymised must not be transferred out of the European Economic Area (EEA) without approval by the Data Protection team (  Transfer of personal data (securely) is permitted for the following countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lichtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. 

Transfers of data to Andorra, Argentina, Guernsey, Isle of Man, Isreal, Jersey, New Zealand, Switzerland and Uruguay are considered by the EU Commission to be 'adequate' in terms of their data protection. If you are unsure about whether or not you can transfer identifiable personal data please contact the Data Protection team for advice.

The UKRI guidance on best practice in the management of research data stipulates that 'any reasonable steps should be taken to ensure that research data are not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK. 

The University provides several options for sharing data with collaborators. The appropriate option to choose depends largely on the nature of the data to be shared, for example, the size and quantity of the files, how often you expect them to change, and how sensitive they are. 


Using the X: Drive

Internal collaborators can be granted access to specific folders on the X: Drive. Contact your local IT supporter to ask for permissions to be set up for folders on the X: Drive.  External collaborators can be provided with temporary (annual) University of Bath logins that will allow them to access data on a shared folder on the X: Drive. The Digital, Data and Technology Group provide guidance on setting up external email accounts

Data stored on the X:Drive can be accessed using the following methods:

  • users can map the drive so it appears like a local disc on their computer; if they are connecting away from campus, they will first need to log in to the Virtual Private Network (VPN). Once the VPN is set up you can map the X:Drive to your own device. 
  • the files.bath service can be used to access the X:Drive through a web browser
  • the files.bath service can be used to set up dedicated sharing folders for sharing with collaborators and you can control access to these folders yourself however, you must contact your local IT supporter ahead of time if you are planning to use this service for a large quantity of data. 

If you set up a dedicated folder on files.bath for sharing data with collaborators this can also be used as a secure file transfer service without the need for collaborators to have a Bath account created by the Digital, Data and Technology Group. You are able to generate a link to the folder within files.bath that is live for seven days and is password protected. You should ensure that you send the link to the folder and password to collaborators separately. 


University of Bath wiki

The University provides a wiki service with can be used for collaboration. Access to wiki pages can be set by the page creators, the most permissive state for wiki pages grants read-only access to the public and write access to anyone with a Bath login, but wiki spaces can be locked down with more restrictive permissions to the level of particular users and groups. As with the X: Drive, external collaborators would need to be given a temporary Bath account to be able to access private spaces and pages within the wiki. The Digital, Data and Technology Group can provide these logins on an annual basis. 


Cloud storage: enterprise vs. personal

When contemplating the use of cloud storage for research and the storage of sensitive data, it is important to differentiate between cloud storage that is enterprise-grade (e.g. provided by an institution/ university account) vs. a non-institutional (personal) account.

While personal accounts for external cloud services such as Dropbox, Google Drive and OneDrive are convenient, they do not comply fully with the University's data policies due to the following issues: 

  • data may be stored in jurisdictions outside the European Economic Area and therefore are unlikely to be compliant with EU Data Protection legislation (General Data Protection Regulation, GDPR)
  • they do not interact well with existing University storage services
  • they do not provide sufficient guarantee of continued availability
  • extra precautions must be taken in order to ensure that more than one person at the University has access to the data, in case of researchers leaving the University.

Personal cloud-based storage solutions must not be used for sensitive data. 

However, when using cloud storage, the above issues can be addressed via the use of enterprise-grade cloud storage provided for by the university as they are resilient and meet the NCSC’s 14 cloud security principles. Computing Services provide advice on storing information in the cloud.

If you are working with external research partners and they propose the use of cloud storage, ensure that this storage is enterprise-grade.