Data Sharing in Swiss Health Research
Summary of SPHN paper: A Unified Contractual Framework for Data Sharing in Swiss Health Research
Gorka Fraga González 
In 16.10.2025 the Swiss Personalized Health Network (SPHN) released the paper A Unified Contractual Framework for Data Sharing in Swiss Health Research with practical information for the set-up of a contractual framework for multi-center data-driven health research. The paper explains the basics of the Legal Agreement Templates published by SPHN and offers in-depth insights on complex issues such as governance, data reuse, and intellectual property. This is a summary of that paper.
1. Introduction
The SPHN is a Swiss data infrastructure coordinated by the Swiss Academy of Medical Sciences (SAMW) in collaboration with the Swiss Institute of Bioinformatics SIB. SPHN makes health data interoperable and shareable for research in Switzerland.
To facilitate and simplify the legal negotiations of data-driven research projects, SPHN together with legal experts from institutions across the country have developed a unified contractual framework and published several SPHN Legal Agreement Templates for the Swiss research community. They address the need for binding agreements such as Data Transfer and Use agreement when granting access to sensitive health data. They try to follow standardize terminology; the key terms as explained in the SPHN Glossary.
Background of the unified contractual framework
It was built during the SPHN Initative 2017-2024 which involved establishing health data infrastructures across the country and facilitation of data-driven projects. The framework is thus developed in the context of complex multi-center data-driven projects. A key set of projects to develop inter-institutional negotiations were the National Data Streams projects are jointly funded by SPHN and Personalized Health and Related Technologies (PHRT) of the ETH domain. They involve different topics and data types (e.g., molecular, clinical data and other types).
The SPHN Data Governance Working Group is mandated to promote harmonized governance frameworks for (health) data access. Refer to their updated mandate. The DGWG has representatives of university hospitals, universities and the SIB.
2. The SPHN contractual framework
2.1. Components
The framework describes and regulates the cooperation and conditions of data transfer and use. The three components are:
Consortium Agreement (CA): Main legal agreement for a research project involving multiple collaborating institutions. It sets the rules for how the institutions work together, including how tasks are divided, how publications and intellectual property (IP) are handled, regulating financial arrangements, and project governance.
- Who needs it: institutions of the Principal Investigators who are sharing health data to conduct a multicenter research project.
Data Transfer and Use Agreement (DTUA): Governs the transfer and use of health data between institutions. For example, if a hospital (the “Provider”) shares data with a university (the “Recipient”), this agreement specifies the terms and conditions under which this data can be used. The Provider and the Recipient determine together the purpose of the data processing within the framework of the research project. Therefore, they both assume the role of “Data Controller” (as opposed to the role of “Data Processor” described below). The Recipients are responsible for ensuring the data’s confidentiality, integrity, and security.
- Who needs it: institutions that exchange data as part of the project.
Data Transfer and Processing Agreement (DTPA). Sometimes, the institutions (the “Controllers”) may need to subcontract the secure transfer and hosting of data to a third party, such as BiomedIT 1, a secure IT network. The DTPA outlines the terms for this relationship, ensuring the subcontractor (the “Processor”) follows the Controllers’ instructions and maintains the required data access rules and data security standards. The Processors are responsible for ensuring the data’s confidentiality, integrity, and security of the systems with regard to the data processing.
- Who needs it: The institutions involved in the DTUA and any third-party processing data on behalf of the Controllers, like e.g., host institutions of BioMedIT nodes.
2.2 Content
The CA regulates project-specific aspects covering all potential issues to be addressed in a multi-center data driven research project with health data. Setting up this agreement before starting a project provides trasnparency and minimizes the risk of misalignments, delays, etc. Project-specific aspects are:
Governance. Roles and responsibilities (e.g., Sponsor or Investigator) in line with the Human Research Act and ordinance.
Finances: Allocating financial resources (e.g., Grant money) to each party, eligible costs and deliverables.
Reuse (open data): Planning the conditions for reuse of the data for purposes outside the scope of the project. This includes defining the governance and authority for data reuse or deciding on a repository to make data available in the long run.
Intellectual Property (IP): how intellectual property rights are handled, licensing conditions for other parties and the distribution of revenues from IP exploitation.
Confidentiality: Ensuring the confidentiality of proprietary or non-public information and its return after the project termination.
Publications: Rights and obligations to publish results
The DTUA and DTPA cover data protection aspects and integrate Swiss data protection laws. Some key legal referneces here are :
- Data Protection Act, Art. 6
- Regulation EU 2016/679, Chapter II
- Data Protection Act, Art. 5
- Regulation EU 2016/679, Chapter IV
Main roles:
- Data Provider: Agrees to disclose data to a data Recipient.
- Data Recipient: Receives data from the Provider.
- Data Controller: Defines the purpose and means to process the data.
- Data Processor: Executes the data processing as determined by the Controller.
For example, the Provider might be a hospital and the Recipient a university. They both assume the role of data Controller if they either jointly determine the purpose and means of data processing within their sphere of influence, or each party for their respective areas. An external Processor comes into play if a third party is subcontracted — for example, to execute the secure hosting of the data on the BioMedIT network.
key principles
The key principles outlined in data protection laws are:
- Purpose limitation – Data collection or processing must be linked to a specific purpose.
It is not allowed to collect, use, or transfer data without specifying why.
The purpose must be evident to data subjects and stated in the project proposal and DTUA.
A clear and specific research question is required; broad purposes (e.g., generating hypotheses) are not specific enough.
- Data minimization – Data transfer and processing must be limited to what is necessary to achieve the intended purpose.
- Only data for the research project should be disclosed; unrelated data must not be included.
- Researchers must reflect on required data variables and document them in the DTUA.
- It is insufficient to specify only a patient cohort (e.g., patients diagnosed with multiple sclerosis from 2020-2024) without specifying and limiting those variables about patients that are necessary for the project.
- Data security – Those involved in processing personal data must adopt technical and organizational measures to avoid unauthorized access.
- Trusted Research Environments (TRE) like BioMedIT play a key role as external processors.
- Contract partners must specify the data management infrastructure, responsibilities, and security measures.
- Specially when using cloud services, the identity and security measures of services providers must be reviewed carefully.
Finally, the DTUA stipulates that personal data must be de-identified and that any attempt at reidentification of the data subjects is inadmissible. In addition to these core principles, the DTUA ensures the liability of all involved parties in case of a violation. It furthermore explicitly grants the right to data subjects to also enforce such liability in case of violation.
2.3 Structure
The SPHN agreements can be used as building kits and allow adaptation to specific agreements or existing contracts and regulations. CA, DTU and DTPA can be combined into one document but note it would be an overwhelming document with schedules, annexes and sometimes exhibits. The following table provides some simple guidance on what templates to choose:
| Status | To Do | Template to be used |
|---|---|---|
| No legal agreement present | Set up agreements for the general collaboration between consortium members, and for transfer, use, and (if applicable) processing of data | CA integrating DTUA and DTPA (if BioMedIT node should be added) |
| Written commitment (CA) present | Set up agreement for transfer, use, and (if applicable) processing of data | DTUA integrating DTPA (if BioMedIT node should be added) |
| Everything in place except data processing part | Set up agreement for processing of data by service provider | DTPA (if BioMedIT node should be added) |
The most frequently used combined template is the combined CA+DTUA+DTPA. The structure of this templates is shown in the figure below:
Schedule 1 - project Description. All operational and technical details about the project. Names of stakeholders; Annex I with deliverables, timelines, etc.; Annex II ethical approval statement or waiver (a copy of the approval can be appended). More annexes are possible.
Schedule 2 - Governance. List of governance bodies. E.g., executive boards with responsibilities, names of representatives of the different parties of the project.
Schedule 3 - DTU. Regulates transfer and use of health data between institutions. Annex I lists of transferred data. Annex II if the project involves processing in trusted research environments like BioMedIT. Signatories in the DTPA are different than those in the DTUA. Exhibit 1 describes data to be trasnferrred and serviced performed by the BioMedIT node, and responsibilities. Exhibit 2 lists information and Audits of Security Measure (terms and conditions of the node). Annex III is a placeholder for BioMedIT Information and Security Policy accessible upon request.
Schedule 4 - Authorship guidelines. Guidelines Swiss Academies of Arts and Sciences (2013). Authorship and scientific publication.. Depending on the project OPTIONAL Schedule 5 for Material Transfer Agreement (see the Swiss Biobanking website) and OPTIONAL SCHEDULE 6 for intellectual property aspects.
3. Major discussion themes during the contractual framework development
The templates are intended as a starting point and are meant to be tailored and adjusted. They may not fully reflect the views of every participant in the Data Governance Working Group. There were some topics that required in-depth discussions and led to revisions. Some clauses in the templates are presented now as multiple alternatives to choose from.
3.1. Governance
The governance section is meant to ensure the effective execution of projects. The principal roles outlined within this framework are the Project Leader, Investigator, Sponsor, Executive Board and Scientific Board.
Implementation in the template
The section has two parts: one listing and defining the key people and governance bodies, and a second part with the rules governing their operations.
Executive Board. A main challenge is to balance control over decision without stalling the projects. A refine list of topics in which the board can make decisions is provided in the template to help address this challenge.
Agency and Executive Board Authority. To balance the need for decision power of the individual Parties with practical concerns, the Consortium Agreement includes a non-agency clause to ensure that no party may act on behalf of another, except in a specific case related to data reuse. To simplify the process, the chairperson of the Executive Board may sign a DTUA on behalf of all consortium members when data is reused for research beyond the original project scope. This exception only facilitates administrative efficiency and does not transfer decision-making power, as any such agreement requires prior approval by the Executive Board and the data provider. Governance of project data therefore remains subject to the individual institutions’ data governance policies.
Scientific Board. The Scientific Board is advisory only, so its rules are simplified, omitting quorum, voting, and agenda requirements, while distinguishing it from the decision-making Executive Board. Both internal and external experts are included, with external members possibly required to sign Non-Disclosure Agreements (NDAs).
3.2 Data definitions
A common understanding of specific data types along the life cycle is needed to ensure a common understand of some aspects of the collaboration. The DGWG together with expertise developed the follow distinctions:
| Data Type | Description |
|---|---|
| Primary data | Directly collected data that hasn’t undergone extensive processing. |
| Curated data | Processed through curation (selection, structuring, annotation, semantic mapping, etc.) and ready for analysis or algorithm training. |
| Combined data | Curated data from multiple providers, merged (same variables from different subjects) or linked (different variables from the same subject). |
| Deposited data | Patient-level data stored in repositories for reuse; should be FAIR and de-identified for data protection. |
| Analyzed data | Results from applying methods for generating scientific insights (e.g., graphs, figures, summary statistics). |
| Published analyzed data | Published summary statistics or graphs for knowledge dissemination. |
Implementation in the template
Since they do not have an established legal meaning the data types are described in the SPHN Glossary. Authors filling the templates are encouraged to reflect on the term ‘data’ in the agreements to ensure there are no misunderstanding. An explanatory text and recommendations is provided in the templates.
3.3 Data reuse and open data
Health data reuse in Switzerland is essential for efficient, cost-effective, and innovative research but faces legal and governance gaps. National and international initiatives, guided by FAIR principles, are promoting systematic preservation, discoverability, and sharing of datasets. Strengthening technical infrastructure and supportive frameworks ensures datasets are accessible, maximizing scientific progress.Some key initiatives promoting open access and reuse:
- National Strategy Council Open Research Data
- Swiss National Open Research Data Strategy, Swissuniversities (2021)
- European Health Data Space Regulation (EHDS) – European Commission
The Swiss legal framework for data reuse is currently limited and complex, with the Human Research Act applying differently to pseudonymized and anonymized data. Researchers navigate this complexity, but legislation is recognized as insufficient for innovative, data-driven projects. A 2022 motion called for a framework law on data reuse to clarify governance, support pilot projects, and balance privacy with innovation, expected for consultation by 2026. Until a national framework is implemented, project contracts should define governance, legal, practical, and strategic terms for data reuse to prevent datasets from becoming inaccessible.
Implementation in the template
The CA has two clauses: one for reuse of data during the terms of the CA, and addressing reuse after the termination of the CA.
During the CA, a designated chairperson can sign reuse contracts on behalf of the consortium, with Executive Board approval, streamlining agreements while preserving institutional decision power.
For data reuse (Combined and Analyzed Data) after the CA ends, the template encourages depositing data in a named repository or institutional platform and requires a reuse strategy at least six months before termination. Addressing data reuse beyond project termination remains a key challenge, with ongoing collaboration needed to ensure responsible and effective use while preserving scientific value.
3.4 Intellectual property
This is often a hot topic of discussion. There are different positions in industry and academia. An important distinction is made between IP, non-inventive contributions and data. IP rights do nto include data, but data and know-how can be acknowledge as non-inventive contribution to the IP rights and be subject to receiving a share of the IP revenues. Foreground IP are IP rights made in the performance of work under the agreement, background IPs means IP rights owned by or licensed to a party at the start of the project.
Implementation in the template
Background IP. If this is need attach a list of background IP as annex to the agreement. Legal deparment advise is recommended. Licenses can be agreed if a partner needs to use background IP.
Foreground IP. Parties have to agree how to handle ownership of assets generated in the project. The template gives two alternatives:
Alternative 1. Future IP jointly owned only if the contribuions of each party cannot be clearly separated
Alternative 2. The parties agree joint ownership fo the future IP under all circumstances
The scope of potential licenses to partners not owning the results need to be described in any case.
- IP Exploitation. It has to be decided whether exploiting for potential foreground IP will be decided in the agreement or postponed to a later time point. Regarding the weight ““significant non-inventive contribution”” several factors need to be taken into account to find a fair balance between each party’s contributions: amount of work to curate, prepare and process the data, the resources from each party to carry out this work , and whether the coutcome of the project is markeatable product (e.g., an algorithm). The template encourages to take significant non-inventive contributions into account when negotiating IP exploitation while allowing the parties to choose, entirely delete, respectively to find a wording that fits the project and interests the best.