Complete your application governance
Last modified: 27 Aug 2025
After an application is approved and before a researcher is permitted access to the UK LLC Trusted Research Environment (TRE), they must:
Be covered by a Data Access Agreement (DAA)
Accept UK LLC’s terms of use - the Data User Responsibilities Agreement (DURA)
Accept data owners’ terms of use.
In addition, they may be required to complete a System Level Security Policy (SLSP) to demonstrate sufficient levels of security policy and practice at their host organisation (see below).
1. Data Access Agreement (DAA)
A DAA must be signed between the organisation(s) hosting researcher(s) named on the project and the University of Bristol (the owner of UK LLC). The DAA is a legal document and defines the terms and conditions for accessing and using data within the UK LLC TRE. Where a researcher is employed by multiple organisations, the DAA must be in place with the organisation sponsoring the research and taking accountability for it. The signing of the DAA is managed using Docusign.
2. Data User Responsibilities Agreement (DURA)
Each researcher named on a project must accept UK LLC’s terms of use listed on the UK LLC DURA. Researchers can access their DURA by logging into UK LLC Apply.
3. Data owners’ terms and conditions (Ts&Cs)
Different data owners and indeed different datasets sometimes specify particular terms and conditions (Ts&Cs). It is imperative that researchers adhere to their project-specific Ts&Cs throughout the lifecycle of their project, i.e. when they are analysing and publishing their analyses. Data owners’ Ts&Cs must be accepted by each researcher named on a project by logging into UK LLC Apply. If any Ts&Cs change while a project is active, researchers will be notified by email and will need to log in and accept them.
4. System Level Security Policy (SLSP) (if required)
Researchers must demonstrate sufficient levels of security policy and practice at their host organisation. This can be achieved through providing evidence that their research activity falls either within the scope of their organisation’s ISO 27001 certification or NHS England Data Security and Protection Toolkit (DSPT) audit. Where a researcher is not able to provide this assurance to UK LLC, they must complete the UK LLC System Level Security Policy (SLSP) form. The scope of the SLSP is limited to only the equipment used by the approved users, the setting in which they work and the network they use. It does not extend to the UK LLC TRE itself or their wider organisation. Typical contemporary University IT or Departmental Policy and Practice with adequate user training and awareness are likely to meet UK LLC’s requirements.