Navigating DUA

What is a Data Use Agreement (DUA)? 

A Data Sharing Agreement, Data Transfer Agreement, or Data Use Agreement (DUA) is a legally binding contract between two or more institutions that documents what data are being shared and how the data can be used. Working toward a formal agreement prior to a data transfer helps prevent miscommunication between the parties by opening discussions on subjects relevant to data use, such as the following:

  • What study will be performed using the data
  • How long the recipient is permitted to use the data
  • Whether the data should be returned or destroyed after the termination of the agreement – if the latter, in what manner they will be destroyed
  • What permissions (e.g., IRB) the recipient institution should have in place to conduct the study using the data
  • What individuals at the institution are authorized to use the data
  • Whether the providing institution has a right to review any proposed publications resulting from the recipient’s use of the data
  • The form acknowledgements in any publications should take
  • Whether the recipient must share with the provider its results from the study using the data and what, if any, license the provider is given to use the recipient’s results
  • What data and/or associated information should be kept confidential and for how long
  • How the data will be transferred/shared (e.g., electronically, by mailing a CD, via remote VPN access)
  • Which party will cover the costs associated with sharing the data
  • Legally required and/or provider-required practices and standards for data security

Secure computing resources like the SDE are pertinent to the last item on the above list: legally required and/or provider-required practices and standards for data security.

How the University of Chicago Processes DUAs

The University of Chicago’s Authorized Institutional Representative (the Associate Vice President for Research Administration) must sign any research agreement for it to be binding on the University. Researchers, students, and department administrators/officers are not authorized to sign on the University’s behalf.

Before the University of Chicago endorses a DUA, it must be reviewed and, in most cases, negotiated by the relevant manager at the University Research Administration (URA).

The URA uses two categories when discussing DUAs: Incoming and Outgoing. Incoming DUAs are those DUAs facilitating a transfer of data to the University (i.e., where the University is the recipient of data). Outgoing DUAs are DUAs facilitating a transfer of data from the University (i.e., where the University is the provider of data). Below is an overview of how each category of DUA is processed:

1. Incoming DUAs: The University of Chicago researcher or department administrator requests a DUA from the providing institution. The department administrator then routes the agreement to the URA through AURA Agreements as an Incoming DUA. The URA manager then reviews the agreement and negotiates it, if necessary, to bring the agreement into alignment with the University’s contracting policies. During this stage, the URA also consults with the secure computing environment manager to ensure that the contract’s data security requirements can be met. Finally, the Authorized Institutional Representative signs the contract. Only after the DUA is signed by both parties will access to secure computing resources such as the SDE become available.

2. Outgoing DUAs: The University of Chicago researcher or department administrator determines what type of data will be sent. The researcher then completes the relevant project information in the template and sends it to his or her department administrator. The department administrator then routes the agreement to the URA through AURA Agreements as an Outgoing DUA. The URA manager ensures that IRB approval and other necessary compliance matters are in order and then sends the agreement to the intended data recipient for review. If the recipient requests changes to the terms, the URA negotiates as needed. Once the agreement’s terms are finalized, each party signs. In a situation where data is leaving the University, the matter of securing computing resources like the SDE is moot.