Data Use Agreements 101

Share with your network

In the age of technology and data collection, the privacy and protection of data is a priority for both those who collect and those who utilize data. A Data Use Agreement (DUA) is a useful tool for the transfer of non-public data or use-restricted data that has been developed by private, government, or nonprofit organizations.

What is a Data Use Agreement?

A DUA, also sometimes called a data transfer agreement (DTA), is a legal contract that serves to protect data and confidentiality. It lays out the terms under which an entity – like a university or research center – can share the data it collected from participants in a research study or from medical records with another entity. A DUA usually includes:

  • Details of data elements being shared
  • Purpose of sharing data
  • Applicable legal requirements
  • Security requirements
  • Reporting requirements

This kind of contractual agreement is essential for the transfer and management of data that is involved in research. It also protects the supplier, recipient, the data itself, and individuals whose data may be included in the set.

Types of data covered by Data Use Agreements

Datasets covered by DUAs can be identified, limited, or de-identified data. There are also public use datasets, but they do not typically require an agreement. The data involved in DUAs can include human subject research, animal research, data protected by HIPAA, student record information, records from governmental agencies, or datasets with restrictions.

However, as the type of data differ, so do the DUA requirements. Agreement graphicFor human subject data, a DUA is typically required when the disclosure of data is for research purposes and when there is no existing contract concerning the data between the provider and recipient. However, for human subject data, it’s not required when the data is publicly available in the public domain, or the data has no legal or privacy restrictions. For a Limited Data set, a DUA demands that the recipient of the data will not use or disclose any of the information in the dataset other than what is permitted by the DUA.

How Emory OTT handles DUAs

At Emory, the Office of Technology Transfer is responsible for Incoming and Bi-Lateral DUAs, as well as Outgoing DUAs in which data to be transferred is sourced from database records in the Schools of Medicine and Nursing, Rollins School of Public Health, or the College of Arts and Sciences; or if it’s collected from Emory Healthcare pursuant to an Emory IRB-approved protocol. Other types of DUAs may be handled by Emory Healthcare or the Office of Sponsored Research.

In 2024, OTT introduced a new process for low-risk, outgoing DUAs to reduce cycle time and give PIs and their research teams more control over the timeline. You can find the criteria for low-risk DUAs on OTT’s website.

Here’s how the new outgoing, low-risk DUA works:

  1. PI may need to obtain a determination from the IRB to send the data to the recipient.
  2. PI reviews the low-risk documentation to assure the subject data meets the low-risk criteria
  3. PI completes DUA online training (refresh tri-annually).
  4. PI downloads the appropriate Federal Demonstration Partnership (FDP) form for this data transfer from the OTT website.
  5. PI completes the form, but does NOT sign, and sends the form to the recipient for institutional signature.
  6. PI goes to contractConnect and completes the attestation form for submitting a low-risk DUA for signature and attaches the partially signed FDP form from the recipient.
  7. Upon receiving a complete and accurate package, OTT signs the DUA as the authorized official and sends a fully executed copy to both the PI and the recipient.

For high-risk DUAs, we’ll keep the same process of the PI, or their designated representative, completing an outgoing DUA questionnaire form found on Emory contractConnect.

Have questions about your Data Use Agreement? Email OTT’s Contracts team at ottmta [at] emory [dot] edu.