Module 5: Legal and Compliance
Ethical Frameworks for Federation
This module defines the legal and ethical foundations for cross-border sensitive data federation. Template legal agreements, operating procedures, and interface definitions will be published in future versions of the ENTRUST Blueprint.
Legal Alignment and Governance Metadata
Legal obligations directly shape the governance metadata required in the federation.
- Governance metadata records who can access which assets and why (Project metadata, User metadata).
- Dataset metadata must record the Data Controller, who is legally accountable for the dataset's use.
Multi-Jurisdictional Compliance
Federation requires clear legal roles, agreements, and responsibilities across countries.
Legal Roles and Agreements
Define legal responsibility using standard agreements:
| Agreement | Purpose |
|---|---|
| Data Sharing Agreement (DSA) | Sets overall conditions, licensing, and access rules for sharing data between parties. |
| Data Transfer Agreement (DTA) | Template per data type; defines requirements for transferring data securely. |
| Data Use Agreement (DUA) | Defines access conditions, user obligations, and permitted use of data. |
Roles must be explicit—including Data Controller and Data Processor, as defined in GDPR and national laws.
Process Harmonisation
- The Federation Governance actor must coordinate and simplify the signing of multiple DUAs across TREs.
- A single point of access should route project-based agreements to all relevant TREs.
- TRE SOPs must address data transfers to third countries to ensure legal compliance.
EHDS Alignment (Health Data)
The European Health Data Space (EHDS) introduces new rules for secondary health data use.
EHDS and Secure Processing Environments (SPE)
- The upcoming EHDS Act defines requirements for Secure Processing Environments (SPE).
- The TRE Research Analytics Zone (RAZ) is functionally equivalent to an EHDS SPE.
Health Data Access Bodies (HDABs)
- EHDS will create Health Data Access Bodies (HDABs) to evaluate and permit access to health data.
- Once operational, access requests in the federation should follow the EHDS procedures.
- The Data Access Application Management System (DAAMS) will be the official platform for submitting EHDS access requests.
Roles under EHDS
- When a project spans multiple TREs, one TRE must act as the Project Host.
- Future guidance will clarify legal responsibility between the TRE and PI for output approvals, especially when the TRE is not the Data Controller.
Model Agreements (Future Content)
Upcoming versions of the Blueprint will include complete template agreements.
Final Notes
- No templates are provided at this stage—this module defines the legal structure only.