Guidance on requirements for Data Transfer Agreements
To comply with information governance a Data Transfer Agreement needs to be in place to cover the transfer of data sets between establishments. We would normally expect only anonymised data to be transferred
Data Transfer Agreement
Agreement established between organisations that governs the transfer of one or more data sets from the owner/provider to a third party.
This guidance sets out the Clinical School procedures that govern the transfer, both outgoing and incoming, of data sets between the Clinical School and a recipient organisation.
Incoming data transfers
DTAs received by researchers from external parties for incoming data sets MUST be reviewed by a member of the contracts team in the Research Office BEFORE the data is transferred as terms need to be checked carefully against any applicable funding terms
Outgoing data transfers
A DTA must be put in place by a member of the contracts team in the Research Office before data is transferred
To ensure that this is done as efficiently as possible researchers should supply the following information
Outgoing transfers
- Recipient institution, name and address
- Recipient scientist’s name
- Transferring researcher’s name
- Copy of the consent form, PIS and ethics approval letter for the study under which the data was collected
- Description of the data to be transferred
- A lay summary of the use of the data
- Funding details for the research which originally generated the data, including the RG number of the grant if available
- If any identifiable data is involved, details about the ”safe haven” arrangements at the institution receiving the data
Incoming transfers
- Transferring institution, name and address
- Transferring Scientist’s name/department
- Recipient researcher’s name
- Description of the data to be transferred
- A lay summary of the use of the data
- Funding details for the research requiring the data, including the RG number of the grant if available
- If you are receiving identifiable data, detailed information about the secure data storage arrangements
Identifiable data samples
Whenever possible it is good practice for research to be conducted on coded or completely anonymised data. In the event that identifiable information is requested by third parties or collaborators it should be ensured that any duty of confidence is not be breached. The terms of the original consent should be checked to see whether the proposed use by third parties is covered and if not, then consent should be sought if necessary. It should be stressed that personal identifiable data should not be passed on unless consent is in place and the storage area is secure
Sending data outside the EEA
The eighth Data Protection Principle (see Data Protection Act Overview) requires that personal data must not be transferred outside the European Economic Area (the European Union member states plus Iceland, Norway and Liechtenstein), unless the country or territory to which the data are to be transferred provides an adequate level of protection for personal data. One of the exemptions for this is if you have appropriate consent. It is therefore important that you have made clear in your participant information sheet and consent form that data may be sent outside the UK or the EEA.