Data Use Agreements (DUAs)

Definition

A Data Use Agreement (DUA) is a formal, written, contractual agreement that establishes specific ways data may be used and how it must be protected.

 

Purpose

DUAs outline the terms and conditions of a data transfer and address critical issues such as limitations on the use of the data, obligations to safeguard the data, liability for harm arising from the use of the data, publication, and privacy rights associated with transfers of confidential or protected data.

What's in a DUA?

Sometimes referred to as a data transfer agreement or data sharing agreement, or other variations on these terms, a DUA is a contract between two or more parties regarding the use and protection of data. Often data subject to an agreement are a necessary component of a research project. Having an executed agreement in place may be a required precondition to transfer certain data, including human subject research data, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), or other data deemed to be sensitive or confidential by the data provider. A DUA may also be required when a researcher intends to access protected data in an externally hosted data repository. 

 

DUAs address important issues such as:

  • Limitations on use of the data 
  • Obligations to safeguard the data 
  • Liability for harm arising from the use of the data 
  • Intellectual property and publication expectations
  • Privacy rights associated with transfers of confidential or protected data 

 

DUAs legally bind the institution and the individual researcher(s) to appropriate protection and use of the data. The mutual understanding established by an agreement can help prevent future issues by clearly setting forth the expectations of both the data provider and data recipient. Importantly, researchers may not sign agreements on behalf of Princeton University; review and signature are required by a responsible party authorized to act on behalf of the University.

 

Data Purchases

The Dean for Research (DfR) has final authority over DUAs for teaching and research but has delegated review of data purchases to Procurement. For example, if Princeton is paying for the data itself and not just data preparation fees, then Procurement will take the lead on negotiating and finalizing the agreement, with the goal of recommending to the DfR that the purchase proceed. For more information about data purchases, please see here.

Click-wrap or Online Terms of Service (TOS)

Some data providers offer their data via download, which often comes with a click-wrap agreement or terms of service for use of the data at the time of online purchase. While the DfR has signature authority for data transactions for research and teaching, ORPA recognizes it is not possible for researchers to submit all of these types of terms for review, so we have adopted a risk-based approach to evaluate whether these types of agreements require review or can be signed off on by the user.

If the terms include legal terms such as indemnification, liability obligations on Princeton (not disclaimers by a data provider), data security requirements, and the like, then they need to be reviewed by the DfR via ORPA. If the terms are disclaimers or attribution requirements and do not impose obligations on the University or create much risk, they do not need to be reviewed. Additionally, the type of data is part of the risk calculation. Data that is regulated by law or regulation (such as human subjects data, personally identifiable information, educational records, financial data, etc.) would require review. Standard license agreements, such as Creative Commons licenses, which primarily contain attribution requirements for use, do not need to be reviewed by ORPA. If you have any questions about whether something should be reviewed, please reach out to Liz Powell.