Supplement 2: What Legal Clauses Should be Included in a Restricted Access Species Data Negotiated Licence Agreement?
(Version 1/12/2022)
This supplement provides sample clauses to be included in legal agreements either between data custodians or between data custodians and data receivers under the RASD Framework. Data receivers may be Approved Data Requestors or, in the case of data access requests between data custodians, the requesting data custodian.
These clauses address:
the duration of the agreement
citation of the dataset
third-party Intellectual Property (IP)
the requirement that data are held in a secure environment with role-based access controls where necessary
whether data can be passed onto third parties with or without consent of the data custodian
that data to be used for the purposes outlined in the agreements only and not for any other purpose
the consequences if a breach of agreement conditions occurs including suspension of current and future access requests
In these sample clauses capitalised words are terms that should be defined in the negotiated agreement. It is important to clearly identify the “Data” that are the subject of the agreement.
The sample clauses use the terms “Supplier” and “Receiver”. For agreements between a data custodian and an Approved Data Requestor, the Supplier is the data custodian and the Receiver is an Approved Data Requestor. Text in [square brackets] needs to be replaced when the agreement is being prepared.
Provision of Data
| Condition | Example Clause(s) to Add | Guidance |
|---|---|---|
| How and in what timeframe will the Data be delivered to the Receiver? | The Supplier will transfer the Data to the Receiver on [insert the date when the Data will be provided] by [describe the manner in which the Data will be transferred to the Receiver]. | A clause should be included specifying when and how the Data are to be provided. |
| Who is responsible for ensuring that the Data are de-identified and that there are no -party restrictions on the transfer of Data? | 1. The Supplier must ensure that the Data are de-identified, and that it has the right to transfer the Data to the recipient. 2. Notwithstanding clause 1, if any personal information is incorporated in the Data, each party must, in dealing with that personal information: (a) promptly notify the Supplier that the Data includes personal information; (b) comply with all laws applicable to that party (including, without limitation, privacy laws and data protection laws) which regulate the collection, storage, use and disclosure of Personal Information; (c) promptly notify the other party of any complaint or investigation under, or relating to, any breach of the foregoing laws in relation to that information; and (d) reasonably cooperate with the other party in resolving any such complaint or investigation |
This reflects the onus outlined in the Framework. |
| Is the Data to be held longer term and updates provided periodically? | (a) At the Receiver’s written request, which may only be made [stipulate agreed frequency of these requests], the Supplier will provide updates of the Data to the Receiver. (b) After receiving the written request under paragraph (a) and subject to paragraph (c) below, the Supplier will use reasonable efforts to provide the updates of the Data promptly. (c) The Receiver acknowledges that the updates of the Data may contain data (such as Indigenous data or -party data) that requires changes to the conditions placed on the use of Data under this Agreement. The parties agree to negotiate in good faith to vary this Agreement before the updates to the Data are released. |
This clause can be used to specify the frequency of updates e.g. annually or two times in a calendar year. |
Use of Data
| Condition | Example Clause(s) to Add | Guidance |
|---|---|---|
| What can the Data be used for? | 1. The Receiver will only use the Data for the Purpose. 2. No right, licence or ownership is granted to the Receiver in relation to the Data and any Intellectual Property in the Data, except as set out in this Agreement. |
The purpose of this clause is to specify how Data can be used and to make clear that there are no additional rights to the Data or any IP in the Data. “Purpose” should be defined in the agreement. Thought should be given to whether Derived Products may be produced from the Data. |
| Are there restrictions on the use of the Data? | The Receiver will not use the Data for the following purposes (a) [e.g. commercial purposes (b) aggregation with other datasets for the purpose of publication; (c) teaching; (d) producing Derived Products; and (e) publication]. |
The purpose of this clause is to emphasise how Data cannot be used. Note that this clause operates in addition to the stipulation of what Purposes the data can be used for. As such, there is no need to be exhaustive. It can be used to stipulate uses that are of particular concern. Note regarding “commercial purposes”: if commercial purposes are to be excluded, consider whether this needs to be defined. In particular, if the Receiver is a forprofit it may be necessary to carve out specific commercial uses that are not permitted. |
| Is there Indigenous data within the Data with discreet restrictions on use? | The Receiver acknowledges that the Data contains Indigenous data. The Receiver agrees that it will not use the Data for the following purposes without first speaking to the relevant Indigenous communities: (a) [stipulate any matters for which Indigenous peoples requested to be consulted e.g. commercial purposes or aggregation with other datasets for the purpose of publication] |
Data Custodians will need to consult with Indigenous peoples prior to release of Data containing Indigenous data. In some cases, Indigenous peoples might agree to the use of Indigenous data for certain purposes. If so, those conditions can be listed in the clause in the row above (“Are there restrictions on the use of the Data?”) However, in most cases, it will be appropriate for the Receiver to consult with Indigenous peoples before certain uses are made. Such conditions should be addressed in this clause. |
| Does the Data contain third-party datasets? | The Receiver acknowledges that the Data includes third-party data that can only be used for the Purposes defined in this Agreement. | A clause similar to this should be included in cases where the Data includes third-party data. |
| Is access to the Data required for more than one individual? | 1. The Receiver must create the following roles to manage access to the Data: Administrator - Role: Assigns roles to other Authorised Users and manage Authorised User access - Access rights: Full access to Data including read / create / delete / update. General user - Role: Uses the Data for the Purpose (or aspects of the Purpose) - Access rights: Able to query and analyse but not edit the Data. Developer - Role: Uses the Data for the Purpose (or aspects of the Purpose) - Access rights: Able to query and analyse but not edit the Data. Able to create and publish Derived Products. Able to integrate and query Data with other datasets. 2. The Receiver must maintain a record of Authorised Users, roles assigned to each Authorised User (as provided in clause 1) and what Data are accessible to each Authorised User. 3. The Receiver must ensure that each Authorised User is only given the Access Rights and the Data that the Authorised User needs for their role. 4. Before the Receiver provides Authorised Users with access to Data: (a) the Receiver must ensure that Authorised Users understand and are able to comply with the Data use obligations in this Agreement; and (b) the Receiver must maintain a documented record (co-signed by the Administrator and the general user or developer, as applicable) of the Authorised User’s understanding, including a description of the Data use obligations. |
In some cases, more than one individual within a Receiver’s organisation will need access to the Data. In such cases a clause should be included to specify how Data should be managed by the Receiver. A possible definition of ‘Authorised User’ is “An employee, director, officer or student of the Receiver that needs, and is granted, access to Data by the Receiver and who is assigned a role under clause X of this Agreement”. |
| Are there restrictions to Data being passed to third parties by the receiving Approved Data Requestor? | Where Data must not be provided to third parties The Receiver acknowledges and agrees that the Data are being provided for use by Authorised Users only. The Receiver agrees that it has no right to provide the Data or any sub-set of the Data to any third-party and that it has no right to sub-licence any of its rights under this Agreement. Where Data can be provided to third parties [Option A] (a) If the Receiver wishes to pass Data received under this Agreement to a third-party, the Receiver must first obtain the express written permission of the Supplier. The Supplier may withhold permission at the Supplier’s discretion. [Option B] (a) The Receiver may pass Data received under this Agreement to a third-party provided that the Receiver first notifies the Supplier of the third-party. (b) Before any Data are provided to a third-party, the Receiver must: (i) enter into a written agreement on terms that are similar to, consistent with and at least as onerous as the terms of this Agreement; and (ii) ensure that: A. no legal restrictions on the use of the Data are breached by providing the Data; B. the Data are cited and attributed correctly; and C. the Data does not contain any Personal Information. |
A clause should be included to address whether Data – that is, the untransformed Data received from the Data Custodian – can be provided to third parties. If Data can be provided to third parties, the clause should specify the circumstances under which Data may be transferred. Two potential approaches are suggested. Another approach would be to permit Data to be passed on to certain categories of third parties or for certain usages only. |
| Are there restrictions to Derived Products being passed to third parties by the Approved Data Requestor? | Where Derived Products must not be provided to third parties The Receiver agrees that it has no right to provide Derived Products to any third-party. Where Derived Products can be provided to third parties (a) [Option A] Subject to clause (b) and (c) [amend as appropriate], the Receiver may provide Derived Products to a third-party. (b) [Option B] If the Receiver wishes to provide Derived Products to a third-party, the Receiver must first obtain the express written permission of the Supplier. The Supplier may withhold permission at the Supplier’s discretion. (c) Before any Derived Product is provided the Receiver must ensure that: (i) the location of restricted access species or sensitive attributes relating to them cannot be derived from the Derived Product; (ii) no legal restrictions on the use of the Data are breached by providing the Derived Product; (iii) the Data are cited and attributed correctly in the Derived Product; and (iv) the Derived Product does not contain any Personal Information. [Where an embargo period applies prior to release of a Derived Product] (a) The Receiver will not release any Derived Products to the public or to third parties prior to [DD/MM/YYYY]. |
A clause should be included to address whether Derived Products can be provided to third parties. Here Derived Products means any dataset or product that is produced using or derived from the Data including transformed data and models. If Derived Products can be provided to third parties, this clause should stipulate the conditions of release including any embargo periods, what transformations are to be applied and what output checks are required before the Derived Product is released. |
| What must the Receiver do to protect the Data? | The Receiver must maintain reasonable administrative, technical, and physical safeguards to: (a) protect the Data from loss or misuse; (b) ensure that the Data are only accessible by Authorised Users; and (c) protect the Data from unauthorised use, modification, or disclosure [including (without limitation) through the measures stipulated in clause [refer to “Is access to Data required for more than one individual at the Receiver?”] of this Agreement]. |
The approach in the Example Clause does not stipulate that the Data are held in a certain location; rather it stipulates that however the Data are held, the Data must be afforded certain protections. Where there are multiple users of the Data at the Receiver, the bracketed text should be included, which provides a cross reference to the provisions under the Condition “Is access to Data required for more than one individual at the Receiver?”. |
Term and Termination
| Condition | Example Clause(s) to Add | Guidance |
|---|---|---|
| Is the Data for a specified project with an agreed defined timeframe in which the Data are to be used? | This Agreement will commence on the Delivery Date [the agreed date for delivery of the Data by the Data Custodian to the Receiver] and end on [DD/MM/YYYY], unless terminated earlier under clause x of this Agreement. | |
| Is the Data for an agreed range of uses that are ongoing, such that an option to extend the term of the agreement should be included? | This Agreement will commence on the Delivery Date [the agreed date for delivery of the Data by the Data Custodian to the Receiver] and end on [DD/MM/YYYY], unless terminated earlier under clause x of this Agreement. This Agreement may be extended for a further [stipulate time period] by mutual written agreement. | Clause specifying option to extend the term of the Agreement. |
| What are the consequences of termination of the Agreement (either because the term has expired, or the Data Custodian has terminated the Agreement)? | 1. If this Agreement is terminated or the term has expired, [except to the extent the Data has been incorporated into a Derived Product consistent with the terms of this Agreement]: (a) the Receiver must immediately stop using the Data; (b) any right or licence granted to the Receiver in relation to the Data and any Intellectual Property in the Data, expires; and (c) [subject to clause 2,] the Receiver must destroy all copies of the Data on the Receiver’s systems and devices within 7 days of the date of termination [2. The Receiver may retain one copy of the Data with the project file for a period of [specify period] after the end date of this agreement for the sole purpose of [specify the reason that the Data can be retained]. The Receiver must maintain the safeguards outlined in clause [“What must the Receiver do to protect the Data?”] for the duration of this period.] |
This clause should address what the Supplier requires the Receiver to do with the Data upon termination of the agreement. If relevant, this clause will need to take into account Data that has been legitimately incorporated within Derived Products. Consider whether the Receiver will need to retain a single copy of the Data for a specified purpose and a specified period of time. |
| What are the consequences of breach of agreement conditions? | 1. If the Data Custodian reasonably determines that the Receiver has: (a) used the Data for any purpose other than the Purpose [; or (b) passed the Data to a third-party; or (c) passed a Derived Product to a third party,] the Data Custodian may immediately terminate the Agreement by written notice. 2. The Receiver acknowledges and agrees that in the event that the Data Custodian reasonably determines that the Receiver has committed a serious or repeated breach of the conditions of use outlined in this agreement: (a) the Data Custodian may notify other Data Custodians that are signatories to the Framework that the Receiver has committed a serious or repeated breach of the conditions of Data use contained in this Agreement; and (b) the Receiver’s behaviour may be taken into account by other signatories when assessing future requests from the Receiver to access restricted access species data from other signatories. |
A clause should be included to specify what circumstances warrant immediate termination of the agreement. The text in brackets will only be appropriate if the agreement restricts third-party access to Data and/or Derived Products. |
General Provisions
| Condition | Example Clause(s) to Add | Guidance |
|---|---|---|
| What is the mechanism for handling any disputes that arise under this Agreement? | (a) Any dispute, controversy, difference, or claim arising out of or in connection with this Agreement and/or the subject matter of this Agreement, including its existence, breach, validity, or termination (Dispute), must be dealt with in accordance with this clause. (b) Nothing in this clause prevents any Party from seeking urgent injunctive or similar interim relief from a competent court. (c) Any of us claiming that there is a Dispute must notify each other in writing and give details of that Dispute to each other’s contact person. (d) Within 30 days of the date that the written notice of the Dispute is received, the Director, CEO or equivalent of each Party, or their delegates who have appropriate authority to resolve the Dispute, will conduct a meeting by telephone or video conference in an effort to resolve the Dispute. Each Party will bear its own costs of that meeting. (e) If the Dispute is not resolved within 90 days from the date that the written notice of the Dispute is received, then the Dispute must be submitted to mediation in accordance with, and subject to, the Resolution institute Mediation Rules. The mediation must take place in Sydney, Australia and be administered by the Resolution Institute. |
A dispute resolution process should be included in the agreement. |
| What assurances does the supplier provide in relation to the Data? | 1. The Receiver acknowledges its use of the Data is at its own risk and accepts that the Supplier, to the fullest extent permitted by law, is not liable (whether in tort (including negligence), contract, statute or otherwise) for any direct or indirect loss or liability arising from Receiver’s use of the Data. 2. The Supplier makes no warranty or any representation in respect of the Data, including any warranty or representation that the Data are accurate, is of a certain quality, or is fit for any particular purpose. 3. To the extent permitted by law, the parties exclude all warranties or other terms which otherwise might be implied in this Agreement. |
In most cases, it will not be appropriate for the Supplier to provide any warranty as to the quality or fitness for purpose of the Data. The Data are provided ‘as is’. |