Data governance for trust

The Data governance for trust pillar, or Article III of the Recommendation recommends that

“Adherents develop and implement co-ordinated mechanisms, strategies, or policies to make research data and other research-relevant digital objects from public funding openly accessible and reusable to the largest extent possible, while taking into account the need to restrict access for legitimate private, public, and community interests.” 

To enhance trust in data governance, national Open Science strategies and institutional policies should mandate researchers to determine appropriate disclosure levels for publicly funded research outputs, ensuring open access without financial or technical barriers.

• Research funding agencies should integrate Open Access (OA) obligations into grant agreements, require timely deposition of research outputs in repositories, and provide financial support for OA-related costs.
• Policies should promote permissive licensing (e.g., Creative Commons (CC) BY 4.0) and open-source software sharing while enforcing compliance through funding conditions.
• Where openness is not feasible, restrictive access measures should be incorporated, including secure environments, mediated/tiered access models, data trustee frameworks, and privacy-enhancing technologies.
• Risk mitigation strategies, particularly for sensitive data, should align with General Data Protection Regulations (GDPR) and emphasise technical and organisational measures (TOMs), trusted repositories, and anonymisation techniques.
• Stakeholder engagement should facilitate co-design and collaboration among policymakers, researchers, institutions, and civil society, ensuring alignment with disciplinary needs and ethical standards.

Institutional policies must clearly define researcher roles in data management, establish compliance mechanisms, and promote Open Science through training, infrastructure development, and awareness campaigns.

The implementation of Open Access (OA) and data governance policies faces significant hurdles, including cultural resistance to openness, disciplinary differences in data-sharing norms, and a lack of awareness or misconceptions about OA policies.

• Ensuring that research outputs are not only openly accessible but also FAIR-compliant (Findable, Accessible, Interoperable, and Reusable) remains a challenge, as poor metadata, non-standard formats, and inadequate documentation can render data technically open but functionally unusable.
• Balancing openness with intellectual property (IP) protection, privacy considerations, and commercial interests adds further complexity, particularly for sensitive data requiring restricted access.
• Developing secure research infrastructures, training researchers in data anonymisation, and implementing mediated or tiered access models require significant financial and technical resources.
• Legal and ethical fragmentation across jurisdictions, inconsistent risk mitigation strategies, and slow decision-making processes further hinder effective implementation. Additionally, overlapping mandates, fragmented policies, and unclear roles for researchers and institutions create accountability gaps.

Without proper infrastructure, guidance, and incentives—such as standardised consent mechanisms, embedded data stewards, and clear attribution practices—data-sharing efforts risk being ineffective, deterring stakeholder engagement and undermining trust in Open Science.

The Data governance for trust pillar can be broken down into the following provisions.

Publicly funded research data and digital objects should be openly accessible by default to the greatest extent possible, as timely, findable, user-friendly, accessible, supported by curation and maintenance, without discrimination and free of charge.

In cases where access needs to be partially or totally restricted to conform to legal rights, ethical principles and/or to protect legitimate private, public, or community interests, foster more limited forms of access, such as access to aggregated or de-identified data, restricted access within safe and secure environments to certified users with clearance adapted to the sensitivity of data, or access via analyses that share only de-identified results; foster searchable access to metadata that describes those datasets while respecting legal rights, ethical, principles, and/or, legitimate interests; 

Take steps to transparently manage risks posed by enhancing access to sensitive categories of research data and other research-relevant digital objects from public funding, including personal data, by applying specific risk mitigation measures, as well as providing for a “right to know” in cases of digital security incidents affecting the rights and interests of stakeholders. 

Consult with communities of stakeholders about open access to, sharing of, and re-use of research data and other research digital objects from public funding for reinforcing trust. This should include establishing open and inclusive processes that ensure equitable representation of stakeholder groups and consideration of their respective needs.

Require that consent or comparable legal basis be sought consistently for all collections of sensitive human subject data and metadata, including personal data, and that any use be in conformity with the consent granted, applicable privacy regulations, and ethical principles. Where it is proposed that personal data be used in ways not initially foreseen in the consent granted and seeking consent for such new use is impractical, specific case-by-case arbitration implemented by ethics review boards or similar authorities may be appropriate. Such case-by-case arbitration should also be accompanied by a review taking into account legal aspects of the planned change of purpose.

Clarify roles and responsibilities of researchers and other staff responsible for data access, so as to promote awareness and a culture of confidence and avoid undue risk averseness.