Data Use Agreements
A Data Use Agreement (DUA), which may also be called Data Sharing Agreement, Data Transfer and Use Agreement, or other similar titles, is a legally binding agreement between a data provider and a data recipient that requires signature or other acknowledgment to facilitate the transfer of data between the parties.
The DUA’s basic purpose is to define the data recipient’s rights and obligations related to the access, storage, protection, use, processing, and transmission of the provider’s data, which may include data types such as Protected Health Information (PHI), Personally Identifiable Information (PII), Limited Data Sets, Proprietary Information, or Confidential Information. A data provider may also include requirements for handling unregulated, de-identified, or other low risk data.
Such an agreement, when related to the conduct of research at North Carolina State University (NC State), must be reviewed by appropriate University personnel and signed only by an authorized signatory of the University on behalf of its researchers.
Researcher roles, including who may serve as a Principal Investigator, are defined by NC State Policy. You may also contact your College Research Office (CRO) to discuss possible exceptions that require additional approvals.
Who may sign a DUA?
Only an authorized signatory of North Carolina State University may approve terms and conditions and sign agreements on behalf of the University and its researchers, whether such agreements signed electronically or otherwise. Authorized signatories are delegated under REG 01.20.02 and listed here. Faculty members, students, or other individual data users are not authorized to sign Data Use Agreements on behalf of North Carolina State University and should seek assistance from their College Research Office to properly route such agreements to SPARCS for review and signature.
PIs must also retain a copy of the fully executed DUA with their research records as dictated by REG 01.25.12, and in accordance with any other retention requirements indicated by the data provider or funding agency agreement(s).
How do I request a review of a DUA or obtain approval to access a Data Set?
If you are in receipt of a Data Use Agreement or intend to seek access to a protected dataset, you should work with your College Research Office to route a Data Use Agreement-type Project Information and Navigation System (PINS) record. Once you’ve worked with your College Research Office, you will complete this Data Use Agreement Intake and Request Form, and submit it along with relevant information and other documentation as described below. This will provide SPARCS with the initial information needed to assist with processing your Data Use Agreement. General questions may be submitted to the appropriate College Research Office.
PINS is an electronic system used to track proposal data and to verify approvals from all faculty and administrators involved in submitting a particular proposal. The use of the PINS system is a required part of the submission process for all proposals submitted by all NC State university faculty.
- Title convention: “Data Use Agreement with [Company Name]”
- Deadline Type: Target
- Complete the ‘Associated RADAR Project ID’ field, if applicable
- Total Amount Requested: $0
- F&A Rate: 52%
- F&A Basis: MTDC
- Justification for Underrecorrery: F&A Fully Recovered
- Provide sponsor point-of-contact information: name and title, email address, and phone number, at minimum.
- Documentation: DUA Agreement, Description of Project (if not included in the agreement), Data Management Plan (if required), and DUA Intake Form.
The agreement and PINS record will be reviewed by SPARCS to determine the next steps needed to agree to the terms and conditions on behalf of NC State University.
These steps may include but are not limited to:
- Negotiations to request changes to language in the agreement
- Data Security Review
- Acceptance of higher risk terms and conditions by department or college leadership
When will a Data Access and Security Plan be required for DUAs?
Data Access and Security Plans may be required for regulated data, such as Human Subject information or Export Controlled data, or when the Data provider requires one. The DUA intake form is intended to help SPARCS identify those circumstances. If the requester has developed a DASP, that can be included in the PINS record, but is not required.
Do I need IRB approval for the use of Data that is covered under a DUA?
Depending on the specific data and the requirements set forth in the DUA, IRB review and approval or a specific determination may be needed. The IRB outlines requirements for the secondary use of human subjects’ data. Reasons IRB approval for the use of data that is covered under a DUA could include:
- If the data are obtained for research purposes and are considered private and individually identifiable or easily re-identifiable to the research team.
- A data provider may require IRB review/approval or may require an official determination from the IRB that a project is “not human subjects research (NHSR)” before they will share the data.
- Some data providers will require IRB approval as a part of the DUA even if the NC State IRB says no IRB approval is required. In these cases, the NC State IRB will support the researcher and review the project as required by the data provider.
If IRB review and approval are required, a copy of the DUA must be provided to the NC State IRB for review with the proposed IRB protocol. Any provisions for data access, security, sharing, or disposition of the data as detailed in the DUA must be congruent with the study procedures submitted to the IRB for all associated study protocols.
The IRB can review and approve a study with a draft DUA to keep administrative processes moving. However, when the DUA is fully executed, the executed DUA (and any resulting updated study procedures) must be submitted to the IRB via an amendment for review and approval before any data are exchanged.
Who is permitted to access the Data received under a Data Use Agreement?
Data Use Agreements may specify only named project personnel as authorized to access data under the terms and conditions of the agreement. However, if the agreement does not require specifically named individuals, only North Carolina State University employees are authorized to access the data. Additional data security requirements should be taken into consideration, if applicable.
The PI is accountable for all project personnel who will have access to the data.
Students and Data Use Agreements
If you would like to allow an unpaid student (undergraduate and graduate student) access to data received under a Data Use Agreement, please contact SPARCS prior to allowing access.
Generally speaking, students who are not graduate students on a research assistantship conducting University research will need to be independently bound to terms and conditions contained in any Data Use Agreement, including obligations of confidentiality and non-redistribution.
Export Controlled Material
Under U.S. export control laws, a license may be required from the Bureau of Industry and Security of the Department of Commerce for the export of certain data. Anyone who is planning to transfer controlled material by the Department of Commerce or the Department of State outside of the United States should work with the NC State Export Control Office for assistance in seeking any required license. In addition, transfers of certain proprietary information to foreign entities and collaborators may require further review and consideration.
NC State Rules and Regulations related to Data
- REG 01.25.09 Privacy/Confidentiality, Release and Security of Protected Health Information
- RUL 01.25.02 Student Health Service, Counseling Center and Sports Medicine Joint Rule use and Disclosure of Protected Health Information
- REG 11.00.01 Family Educational Rights and Privacy (FERPA)
- REG 08.00.03 Data Management Regulation RUL 08.00.18 Endpoint Protection Standard
Steps to Operationalizing a DUA
|Responsible Office or Person
|Submit the Data Use Agreement with a completed Data Use Agreement Intake Form via PINS
|Principal Investigator/College Research Office
|Congruency check and approvals for data with Human Subjects, Animal Care, and Conflicts of Interest concern
Protected Health Information (PHI) review for agreements with health and financial information, education records, and other related protected information
|Sponsored Programs in coordination with Regulatory Compliance
|System security review for agreements with specific, Information Technology security standards for safeguarding data
|Sponsored Programs in coordination with Regulatory Compliance who may engage the Information Technology Office as necessary
|Review and negotiation of general legal terms and conditions of the agreement as needed
Finalize agreement, obtain signatures (execute) and distribute to relevant parties
|Approval for non-standard terms
|Dean for Research, Department Head
Institutional Data Use Agreements (DUA)
Certain data providers and repositories, such as the NIH database of Genotypes and Phenotypes (dbGaP) Data Access, will require online registration by the University or for a DUA to be signed by SPARCS prior to any employees of the University requesting access to the data. These “institutional” DUAs may be in addition to “transactional” (“project-specific”) DUAs, or in lieu of them. Because of their broader institutional nature, SPARCS handles them differently than transactional DUAs. If you have a requirement for an institutional DUA, please contact the SPARCS Operations Team at email@example.com.
Existing Institutional DUAs and Registrations
Some repositories, such as the NIH database of Genotypes and Phenotypes (dbGaP) Data Access, require online registrations. After the internal routing and review of the printed documentation, SPARCS will log in online to approve and submit the agreement.
- All of Us Research Hub (Register for Access)