Acceptable use policy (AUP) and terms and conditions (T&C) are necessary instruments in the regulation of infrastructure access. And while for 'enterprise' sources they can be complex - as you have to define, for example, what is acceptable use of organisational resources by employees - for access to resources by collaborations and their users they can be far simpler. Basically, a collaboration accesses resources for a specific purpose: achieving the objectives of the common research goals. As such, the AUP can be simple: it binds the user to the ‘purpose’ for which the services and resources they use have been provided.

Yet, like with privacy notices, the reader is rather inclined to click through and proceed with the actual task at hand. Thus, to reduce the burden on the user and increase the likelihood that they will read the AUP, the number of times a user is presented with such notices must be kept to a minimum, preferably just a single time. Yet the notice should cover as much of the user’s potential use of the infrastructure as possible: the more services and resources deem an AUP as sufficient for their policy purposes, the better it will be. This will allow users to use resources from multiple service and resource providers without the need to confirm acceptance of additional AUPs.

For what purpose, and under whose authority

This Acceptable Use Policy and Conditions of Use (“AUP”) defines the rules and conditions that govern your access to and use (including transmission, processing, and storage of data) of the resources and services (“Services”) as granted by {community, agency, or infrastructure name} for the purpose of {describe the stated goals and policies governing the intended use}.

Remember that the PDK practical steps asked you to "identify a governance body to make policy decisions"? That's the name of the 'community, agency, or infrastructure name' that is authoritative for your AUP. Here it is typically the name of your research collaboration, as in "... as granted by the Harderwijk Herbal Research Collaboration HHRC for the purpose of ...". The purpose of your collaboration was the next item in the priority list, and that text goes into the next placeholder. For example "... for the purpose of identifying flowers and ever-green plants on your neighbourhood commons during the airing of BBC2 gardening TV programmes.". So if somebody accesses the HHRC in order to locate where plant species could be found, picked, and their genetic composition taken in violation of the Nagoya protocol, that is clearly unacceptable use.

No more than 10 bullet points

... and of these points, none are controversial. So at a minimum include the 10 commandments from the WISE Baseline AUP. By doing so, all resource providers, infrastructures, and your peer collaborations or partner 'nodes' know they can accept your collaborators without further ado.

And if you as a collaboration, backed by the resource providers, can provide more guarantees to your users, this is perfectly fine as well! Just add these terms and conditions, and state the advanced service levels, in the last section of the "AUP/T&C" in the spot indicated in the WISE Baseline AUP. But keep the Baseline AUP intact for interoperability. The basic set is merely these:

1. You shall only use the Services in a manner consistent with the purposes and limitations described above; you shall show consideration towards other users including by not causing harm to the Services; you have an obligation to collaborate in the resolution of issues arising from your use of the Services.
2. You shall only use the Services for lawful purposes and not breach, attempt to breach, nor circumvent administrative or security controls.
3. You shall respect intellectual property and confidentiality agreements.
4. You shall protect your access credentials (e.g. passwords, private keys or multi-factor tokens); no intentional sharing is permitted.
5. You shall keep your registered information correct and up to date.
6. You shall promptly report known or suspected security breaches, credential compromise, or misuse to the security contact stated below; and report any compromised credentials to the relevant issuing authorities.
7. Reliance on the Services shall only be to the extent specified by any applicable service level agreements listed below. Use without such agreements is at your own risk.
8. Your personal data will be processed in accordance with the privacy statements referenced below.
9. Your use of the Services may be restricted or suspended, for administrative, operational, or security reasons, without prior notice and without compensation.
10. If you violate these rules, you may be liable for the consequences, which may include your account being suspended and a report being made to your home organisation or to law enforcement.

Now just add your contact address for information, security and privacy at the end and you are done. The actual privacy notices can be referenced and do not need to be included. It is fine to have these one more click away (so in total two clicks).

Resources