Legal Agreement Templates

Contractual architecture

The contractual architecture for a collaborative use of health-related data depends on the project specifications and responsibilities of participating parties, and is part of the legal and regulatory framework. The agreement templates proposed here establish the contractual framework necessary to conduct a multicenter research project involving the exchange of health-related data. Once put together, these agreements settle the important issues that need to be legally addressed (permitted use and ownership of data, publications, intellectual property and liability, etc.) and define the rights, obligations and responsibilities of all parties involved (e.g., Investigator, Data Provider, Data Recipient, Processor, etc.). The relevant terms used on this page are explained in the SPHN Glossary.

Choosing the right legal agreement

Please use the information below to find out about the different legal agreements necessary to establish research consortia, and data transfer and use in collaborative research projects. Please contact the Personalized Health Informatics (PHI) Group (click here) for guidance and support or watch the presentation "Legal agreements for using health-related data in multi-center projects". 

A legal agreement postulates a solid basis for a successful collaboration within a multicenter research project and needs to be submitted with the other project-specific documents when applying for an ethics approval.

Depending on the configuration of the project, three types of agreement should be considered:

  • Consortium Agreement (CA): A multicenter research project requires a framework research agreement between the different institutions involved, generally called a "Consortium Agreement".
    It regulates the general principles of collaboration between the parties to the research project (allocation of work, rules for publications and intellectual property, financial conditions, governance, etc.).

    Parties involved: Principal Investigators' home institutions having filed the research project with the ethics commission.

  • Data Transfer and Use Agreement (DTUA): The transfer and use of health-related data processed within the framework of the research project is generally subject to a separate agreement, the DTUA. It regulates the conditions under which a "Provider" (e.g. a hospital) agrees to disclose personal data to a "Recipient" (e.g. a university). The Provider and the Recipient jointly determine the purpose of the processing within the framework of the research project. They both assume the role of "Data Controller" (as opposed to the role of "Data Processor" described below). Recipients are obliged to ensure appropriate confidentiality, integrity, availability and resilience of the systems with regard to processing of the Data.
    Parties involved: The institutions that are required to exchange data for the project.
  • Data Transfer and Processing Agreement (DTPA): The Controllers may decide to subcontract the secure transfer and hosting of the data to a third party, for example to one or more BioMedIT node(s) (see description of the BioMedIT network below). The subcontractor acts according to the instructions of the Controllers, and therefore acts as "Processor". The relationship between Controllers and Processor is regulated in a specific contract, the DTPA, which precisely regulates the data access rules and security requirements to ensure appropriate confidentiality, integrity, availability and resilience of the systems with regard to processing of the Data.
    Parties involved: The parties to the DTUA and the institution(s) hosting for example the BioMedIT node(s).
For some projects it might be sufficient to use a DTUA with an integrated DTPA only, for example if there is already a signed CA or equivalent for the project. If there is only the need to cover terms and conditions for the use of a processing infrastructure in addition to an existing Data Transfer and Use Agreement, such as the BioMedIT node(s), a stand-alone DTPA might be the easiest solution.

For multi-center projects which are not part of the SPHN initiative and not using the BioMedIT infrastructure, a DTUA without processor (BioMedIT node) might be used.

The BioMedIT nodes were established to ensure a secure data flow and access within the project and build a Swiss secured IT network. In a research project that requires data exchange, the BioMedIT nodes act as processors to host and make available the data on behalf of the controllers (parties to the DTUA). There are three nodes established:

  • sciCORE in Basel, operated by the University of Basel
  • SENSA in Lausanne, operated by the University of Lausanne and  SIB Swiss Institute of Bioinformatics
  • SIS in Zurich, operated by ETH Zurich

Depending on participating parties, the project may use a single node or multiple nodes (see also “Data flow and Data access scheme of the research project”).

The guidance chart in Table 1 below shows which legal agreement is recommended to create an acceptable legal architecture for a research project depending on the availability of already signed commitments.

PHI can provide essential help in choosing the right document and creating a first draft according to the needs of the respective institutional legal departments.

Table 1: Guidance chart for legal agreements based on the status of available legal documents of a research project

Overview of available legal agreement templates and their contents

The three types of agreement can be included in a single agreement (e.g.: CA+DTUA+CA; see templates below). When the parties enter into a CA for the purpose of exchanging data and wish to use a subcontractor for data processing the CA integrates a DTUA and DTPA.

Detailed changes to former documents can be found here:

Data flow and Data access scheme of the research project

The BioMedIT nodes provide a secure high performance compute and storage infrastructure, which can be jointly used by all Swiss Universities, research institutions, hospitals, and other interested partners. Depending on the affiliation, data are provided to a linked node, for example data from the University Hospital in Basel are sent to the sciCORE node. A complete overview is shown in Figure 1.


Fig 1. The BioMedIT Network with three nodes established: sciCORE in Basel, operated by the University of Basel, SENSA in Lausanne, operated by UNIL and SIB Swiss Institute of Bioinformatics and SIS in Zurich, operated by ETH Zurich

Based on the participating institutions and involved BioMedIT node(s), it is recommended to draw a scheme to visualize the data flow within the project. The data flow and access scheme, showed in Figures 2, aim to give an overview about the different roles of participating parties. The scheme needs to be adapted according the project consortium by assigning the role “Provider” and “Recipient” starting in the following way:

  1. Add all institutions (parties) to the scheme
  2. Add all BioMedIT nodes, if applicable
  3. Specify data flow between data “Provider” and “Recipient”. Use grey dashed arrows between data “Provider” and “Recipient” to specify provided data (data flow). Use red color arrows to specify data access.

According to the data flow and access scheme, it is possible to decide which combination of agreements suits best for the project (see DTUA guidance chart above). An example for multicenter research projects using all three BioMedIT nodes is provided in Figure 2.


Fig 2. Example of data flow to SENSA

Figure 2 is an example of a data flow between participating institutions. The gray arrows describe data flow from the institution to the respective BioMedIT node. In this example the main node for data to be accessed is SENSA, which receives data from the other two nodes, sciCORE and SIS. All involved parties will have access to the data on SENSA as shown by the orange arrows. ​

Scroll to Top