Division of Research

Data Use Agreements (DUAs)

A data use agreement (DUA) is a formal, written, contractual agreement that establishes specific ways data may be used and how it must be protected. Brown University has established specific administrative procedures for the review, approval and execution of DUAs.

What’s in a Data Use Agreement?

Sometimes referred to as a data transfer agreement or data sharing agreement, or other variations on these terms, a DUA is a contract between two or more parties regarding the use and protection of data. Often data subject to an agreement are a necessary component of a research project. Having an executed agreement in place may be a required precondition to transfer certain data, including human subject research data, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), or other data deemed to be sensitive or confidential by the data provider. A DUA may also be required when a researcher intends to access protected data in an externally hosted data repository.  

DUAs address important issues such as:

  • Limitations on use of the data 
  • Obligations to safeguard the data 
  • Liability for harm arising from the use of the data 
  • Intellectual property and publication expectations
  • Privacy rights associated with transfers of confidential or protected data 

DUAs legally bind the institution and the individual researcher(s) to appropriate protection and use of the data. The mutual understanding established by an agreement can help prevent future issues by clearly setting forth the expectations of both the data provider and data recipient. Importantly, researchers may not sign agreements on behalf of Brown University; review and signature are required by a responsible party authorized to act on behalf of the University.

Brown has classified its information assets into one of four risk-based categories (None, Level 1, Level 2, or Level 3) for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification.

Researchers at Brown must complete a request form for all proposed incoming and outgoing data use agreements to ensure that appropriate terms and conditions are negotiated. Please email any questions about the request or this form to dua@brown.edu.

Brown provides guidance to assist the research community with understanding the relationship between research and protected health information (PHI) that is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Information Security Group is available for consulting on all topics related to information security, privacy, P2P, compliance, social networks, wireless, laptop safety, and online protection. The group also consults on new and ongoing security projects, and is also available for speaking at department and organizational meetings.

Stronghold is a secure computing and storage environment that enables Brown researchers to analyze sensitive data while complying with regulatory or contractual requirements. It has been established by Brown University to be compatible with Federal and Rhode Island Law standards for data privacy and protection.

Roles and Responsibilities

Several groups and individuals have specific responsibilities regarding the execution of DUAs.

Within the Division of Research, Research Agreements and Contracting (RAC) facilitates review and approval of DUAs, including modifications to previously executed agreements. RAC is also responsible for informing the appropriate parties of any breaches of security or unauthorized access to data as reported by the Brown research team or Information Technology.  

Additionally, RAC supports the Brown research community by providing guidance, education and resources to facilitate the conduct of ethical research in accordance with governing federal and state regulations and University policies. For more information, contact researchcontracts@brown.edu.

RAC centrally manages the administrative procedures for DUAs that involve research data, with one exception. Brown’s School of Public Health (SPH) leadership has authorization to review DUAs for Centers for Medicare and Medicaid Services data when such data are being used for an SPH research project. SPH then submits the agreement to RAC for approval and signature.

The Brown principal investigator (PI) is responsible for compliance with Brown University’s DUA review and signature procedures as well as the data protection and use requirements outlined in the agreement. Overall PI responsibilities include: 

  • Ensure that the agreement is reviewed and signed by the appropriate institutional official using established submission channels 
  • Approve the final language of the agreement by co-signing the agreement and acknowledging all PI and other research team members’ responsibilities as indicated by the agreement
  • Ensure that all research team members are aware of and comply with their responsibilities under the agreement
  • Administer or otherwise arrange for any required training set forth in the DUA and retain records documenting such training
  • Ensure that an Institutional Review Board (IRB)-approved protocol is in place to cover the work if it involves human subjects, including facilitating an amendment to an existing IRB-approved protocol, when needed, to add the incoming data to the project
  • Work with the appropriate departmental information technology (IT) support consultant, as needed, to identify the appropriate data risk level and adhere to all data security, storage and destruction requirements of the DUA
  • As necessary, promptly notify their respective IT support consultant or IT contact who manages access to the data in the event of any changes in composition of the study team 

When the DUA lists specific research team members with access to the data, the PI must also promptly notify RAC of any changes to the research team to facilitate an amendment to the agreement, if needed.

Each research team member accessing the data is responsible for meeting and complying with the specific DUA security, confidentiality and access requirements.

In some instances, research team members must sign security pledge agreements included within a DUA acknowledging obligations related to use of the data. It is each research team member’s personal responsibility to adhere to any security and/or confidentiality agreements signed in an individual capacity.

Research team members shall promptly notify the appropriate parties (the PI, Brown Technology Innovations and Information Technology) if they become aware of any breaches of security or unauthorized data access.

Research team members are not authorized to sign agreements on behalf of the University.

The Brown data requester may be the Brown PI or a member of the Brown research team. This individual initiates the DUA Request Form and corresponds with RAC to provide additional information, as needed, to facilitate review and negotiation of the agreement.

The recipient data requester is typically an external researcher collaborating with a Brown PI on a research study in which there is a request to access or receive data to be provided by Brown.

The data provider is an entity or individual seeking to transfer data or enable access to data that has certain restrictions associated with its use, thereby necessitating a DUA. It is the data provider’s responsibility to establish an agreement outlining terms and conditions for data sharing.

The vice president for research is authorized to enter into research agreements, including DUAs, on behalf of the University. All agreements will be executed by the vice president for research or their designee(s) once all terms are negotiated to the satisfaction of the University.

RAC may consult with the Office of General Counsel (OGC), if necessary, to negotiate legal terms in a DUA. If the data provider is a foreign government or the data being provided to Brown are subject to the General Data Protection Regulation, the PI should be prepared for the agreement to undergo OGC review.

RAC may also consult with the Strategic Procurement and Contracts (SPC), if necessary, to review insurance terms embedded within DUAs.

RAC consults with the Office of Information Technology (OIT) to ensure that data security requirements set forth in the DUA related to processes and systems that will be used to transfer, access, store and destroy the data can be met by Brown.

The Brown data requester may also consult with OIT to determine the appropriate data risk classification level for their research data and verify their ability to meet the minimum security standards as set forth in the DUA. 

OIT also supports the use of Stronghold, the secure computing and storage environment described above, for risk Level 3 data, so that researchers can analyze sensitive data while meeting the regulatory or contractual requirements set forth in a DUA.

The University Library helps faculty and student researchers with writing data management and sharing plans for sponsored research proposals and with digital curation. It assists researchers with retaining data by documenting and depositing data sets in long-term repositories for public discovery, access and reuse.

How to Initiate and Manage Agreements

When Brown Is the Data Provider 

When Brown is the data provider, an outgoing DUA is required to transfer the following types of data to a recipient data requester: 

  • individually identifiable health information or protected health information;
  • personally identifiable information being shared beyond the parties named in the formal agreement or contract that governs the transfer of the data, or in the Brown IRB-approved informed consent;
  • student information derived from education records that are subject to the Family Educational Rights and Privacy Act; 
  • data that are controlled by laws or regulations other than or in addition to those listed above; 
  • data obtained from an individual or organization under obligations of confidentiality; 
  • data whose storage, use and transfer must be controlled for other reasons (e.g., risk Level 3 data that will be shared with anyone outside of Brown, or proprietary concerns).

If the Brown data being shared externally have been de-identified (as defined under Commonly Used Terms below: all direct identifiers permanently removed and no code or key retained that could link the data back to their source), Brown does not require a DUA or RAC review.

Review Process for Outgoing DUAs

  1. The recipient data requester (outside party) requests data from the Brown PI.
  2. The Brown PI or a designee from the Brown research team completes the DUA Request Form.
  3. Upon electronic receipt of a new request, RAC begins its initial submission review and contacts the administrative contact listed in the submission if any of the required documentation is missing or incomplete.
  4. RAC prepares a draft of the outgoing agreement to send to the PI and the administrative contact listed. 

Approval Process for Outgoing DUAs

If the data are being shared under the auspices of a Brown IRB-approved protocol in which the recipient party or parties receiving identifiable data from Brown are named in the informed consent, then an outgoing DUA is not required by Brown. However, if Brown is sharing identifiable data with a party not named in the informed consent or the data being shared are subject to special restrictions regarding their protection or use, then an outgoing DUA must be executed. 

Once the terms have been finalized to the satisfaction of Brown, the agreement will be circulated for signature. After the agreement has been fully executed (signed by all parties), a PDF copy will be provided to the PI and to the administrative contact listed in the submission. 

The data are then transmitted to the recipient data requester in accordance with the terms and conditions outlined in the DUA. When the agreement expires or is terminated, the recipient data requester must destroy or return the data in accordance with those terms and conditions.

When Brown Is the Data Recipient 

When Brown is the data recipient, an incoming DUA may be required for any of the reasons listed for when Brown is the provider, or as otherwise required by the data provider. 

If a Brown PI requests to receive data from an outside institution or organization, it is the responsibility of the data provider to determine whether a DUA must be executed prior to sharing the data with Brown. 

Some governmental organizations have an application process that must be completed prior to the start of negotiations. Please contact RAC when starting this type of application process to assist you with identifying and managing data use/compliance issues.

The data provider will share a template with the data sharing terms. Please submit this template to RAC through the DUA Request Form.  

RAC does not, as a matter of routine practice, create DUAs on behalf of the data provider. If a data provider is requesting that Brown create a DUA on its behalf, please contact RAC to discuss.

Review Process for Incoming DUAs

  1. The Brown data requester submits a data request directly to the data provider. The data provider will typically either send the Brown data requester a draft DUA for review and signature by Brown or directly engage in conversation with RAC to determine whether an agreement is needed.
  2. Once the data provider and RAC confirm that a DUA is needed, the Brown data requester submits the DUA Request Form to ensure the appropriate terms and conditions are negotiated.
  3. Upon electronic receipt of a new request, RAC will begin initial submission review and will contact the PI and the administrative contact listed in the submission if any of the required documentation is missing or incomplete.
  4. The DUA is negotiated in compliance with all applicable Brown policies and in consultation with other offices and individuals as needed.  

Approval Process for Incoming DUAs

Once all terms have been finalized to the satisfaction of Brown and the data provider, the DUA will be circulated for signature. RAC notifies the Brown data requester that the agreement is executed and provides a copy.

It is the Brown data requester’s responsibility to understand and comply with the terms of the DUA and to ensure data are only used and/or shared as specified in the agreement. Prior to receiving data from the data provider, the Brown data requester should seek clarification from RAC if any requirements remain unclear. 

Sharing Data and Updating an Incoming DUA

The data provider shares data with the Brown data requester in accordance with the DUA terms and conditions. Agreements will typically contain specific conditions on publication and disposition of the data. The Brown data requester is responsible for following such requirements. 

Any requested updates to the agreement must be submitted to RAC by the Brown data requester. When the expiration date of the agreement is approaching, RAC will alert the Brown data requester of the impending expiration date. The Brown data requester is then responsible for requesting an extension of the term if additional time is needed to complete the research.

Amendments to Existing DUAs

Amendments to existing DUAs may be necessary for a variety of reasons, including changes in custodian/contact information, adding data files, requesting an extension or adding a collaborator.

For both incoming and outgoing data, the submitting individual (provider or requester) must submit the original agreement and proposed amendment to RAC for review. RAC will sign off on the amended DUA once the terms have been finalized.

Special Categories of Data

Centers for Medicare and Medicaid Services 

SPH leadership has authorization to review its own DUAs for Centers for Medicare and Medicaid Services data when such data are being used for an SPH research project. SPH then submits the agreement to RAC for approval and signature.

Typically, researchers requesting Health and Retirement Study/Medicare and National Health and Aging Trends Study/Medicare datasets will be asked to complete two separate DUAs; however, since the Centers for Medicare and Medicaid Services considers the submission a single request, all agreements will be reviewed and processed through SPH to ensure consistency and to streamline processes.

National Institutes of Health

The National Institutes of Health (NIH) has established designated data repositories, including the database of Genotypes and Phenotypes (dbGaP), the Sequence Read Archive and NIH Established Trusted Partnerships, for securely storing and sharing controlled-access human research data submitted to NIH under the NIH Genomic Data Sharing Policy.

RAC is the institutional signing official for NIH controlled-access data requests, and the appropriate RAC staff member should be listed as the signing official on all dbGaP requests.

If other data or materials repositories (e.g., the European Genome-phenome Archive) require an institutional official to sign at the time of deposit, RAC will be the signatory official. 

Externally Hosted Data Accessed Electronically

In some instances, data may be accessed by accepting an electronic DUA, which frequently appears as terms and conditions displayed on the researcher's screen with an "I accept" (or equivalent) button for the researcher to click.

A Brown PI, or a designee of the Brown PI, may electronically accept terms and conditions associated with access to externally hosted data. Research Integrity will not need to review the terms and conditions associated with electronic access to the data. However, if there is a separate, standalone data use agreement requiring authorized institutional signature associated with access to the data, the standalone agreement must be sent to RAC for review.  

Any individual who electronically accepts terms and conditions is responsible for reading the terms and conditions, saving them electronically and distributing them to every individual who will have access to the data. Any individual who has access to the externally hosted data is bound by the accepted terms and conditions. 

Commonly Used Terms in DUAs

Aggregate data is data that has been gathered, processed and expressed in a summary or report form for reporting purposes such as making comparisons, predicting trends or other statistical analyses. Aggregate data is collected from multiple sources and/or measures, variables or individual human subjects. Since aggregate data is the consolidation of data from multiple sources, it typically cannot be traced back to a specific human subject.

Anonymous data cannot be linked directly or indirectly by anyone to their source(s). Personally identifiable information was not collected or, if it was collected, identifiers were not retained and cannot be retrieved.

When referring to a study participant, “authorization” indicates an individual’s written permission to allow a HIPAA-covered entity to use or disclose specified protected health information for a particular purpose. Authorization states how, why and to whom the protected health information will be used and/or disclosed for research and seeks permission for that use or disclosure. This term in this context is specific to data use agreements covering protected health information. 

This term may also be used in the more general sense of permission, for instance, an authorization by one party of the DUA to allow the other party to provide the data to additional third parties. Care should be taken to establish the appropriate context when using this term. 

Per the U.S. Code of Federal Regulations (45 CFR § 160.103), a business associate is a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of protected health information, such as data analysis, claims processing or administration, utilization review, and quality assurance reviews, or any other function or activity regulated by the HIPAA Administrative Simplification Rules, including the Privacy Rule. 

Business associates are also persons or entities performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for a covered entity where performing those services involves disclosure of protected health information by the covered entity or another business associate of the covered entity to that person or entity. Special attention should be paid to the term “on behalf of” in the definition. 

Academic institutions are rarely business associates because the term is not applicable to collaborative relationships.

The business associate agreement contractually defines the rights and responsibilities between a covered entity and a business associate that would not otherwise be bound by HIPAA. A business associate agreement or contract is not appropriate when a covered entity is disclosing protected health information to a noncovered entity (like Brown) for use in a research project. 

With coded data, direct personal identifiers have been removed from the data and replaced with words, letters, figures, symbols or a combination of these (not derived from or related to the personal information) for purposes of protecting the identity of the source(s). The original identifiers are retained in such a way that they can be traced back to the source(s) by someone with the code. A code is sometimes also referred to as a “key,” “link” or “map.” 

Data risk classification: Brown has classified its information assets into one of four risk-based categories (None, Level 1, Level 2 or Level 3) for the purpose of determining who is allowed to access the information and what security precautions must be taken to protect it against unauthorized access. It is the data and service owner’s responsibility to ensure appropriate security measures are taken depending on the risk classification.

With de-identified data, all direct personal identifiers are permanently removed from the data, no code or key exists to link the data to their original source(s), and the remaining information cannot reasonably be used by anyone to identify the source(s). Protected health information is de-identified when it does not contain any of the 18 identifiers specified by the HIPAA Privacy Rule at 45 CFR § 164.514(b) (or has been determined to be de-identified by a qualified statistician or other expert in accordance with the standards established by the Privacy Rule).

The Family Educational Rights and Privacy Act (FERPA) is a federal U.S. law that protects the privacy of student education records.


The General Data Protection Regulation (GDPR) is a European law that went into effect on May 25, 2018, and establishes protections for the privacy and security of "personal data" about individuals. It applies to organizations established in the European Economic Area (EEA) and to certain non-EEA organizations that process personal data of individuals in the EEA.

This law applies in the U.S. for activities involving identifiable information if personal data is being collected from one or more research participants physically located in the EEA at the time of data collection, regardless of whether the individual is an EEA resident. It also applies to activities involving the transfer of personal data collected under the GDPR from an EEA country to a non-EEA country (like the U.S.). 

DUAs with GDPR-related terms (such as “data controller” or “data processor”) will take longer to negotiate and execute and will be referred to Brown General Counsel for review. 

A limited data set is defined as health information that excludes certain direct identifiers.

HIPAA Privacy Rule limited data set provisions requiring the removal of direct identifiers apply both to information about the individual and to information about the individual's relatives, employers or household members. 

The following identifiers must be removed to qualify as a limited data set: 

  • names
  • postal address information, other than town or city, state and zip code
  • telephone numbers
  • fax numbers
  • email addresses
  • Social Security numbers
  • medical record numbers
  • health plan beneficiary numbers
  • account numbers
  • certificate/license numbers
  • vehicle identifiers and serial numbers, including license plate numbers
  • device identifiers and serial numbers
  • web URLs
  • Internet Protocol (IP) address numbers
  • biometric identifiers, including finger and voice prints
  • full-face photographic images and any comparable images
  • any other unique identifying number, characteristic or code except as specifically permitted by HIPAA

A limited data set may include the following information:

  • dates such as admission, discharge, service, date of birth and date of death
  • city, state and zip code
  • age in years, months, days or hours
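As an added illustration of the difference between coded data (defined above) and a limited data set, the following Python is example code written for this page; it is not part of Brown's procedures. It removes the direct identifier fields listed above from a constructed sample record, retains the dates and city/state/zip a limited data set may keep, refuses to release a record containing a field it has not classified, and scans the retained free-text fields for identifier patterns (Social Security number, email address, phone number, URL, IP address) that would otherwise slip through in a notes column. The field names, the sample record and the regular expressions are assumptions made for the example. The coded-data transform keeps the code-to-identifier mapping in a separate key store; holding that key store is what makes the data "coded" rather than "de-identified".

```python
"""Limited data set and coded data transforms over a constructed sample record.

Added example, not part of Brown's DUA procedures. Field names, patterns and
the sample record are assumptions made for illustration.
"""
import re
import secrets
from typing import Any

# Direct identifiers that must be removed to qualify as a limited data set
# (categories from the HIPAA Privacy Rule list above; field names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Fields a limited data set may retain (dates, city/state/zip, age) plus the
# clinical payload the research actually needs (assumed field names).
LDS_PERMITTED_FIELDS = {
    "admission_date", "discharge_date", "date_of_birth", "date_of_death",
    "city", "state", "zip", "age_years", "diagnosis", "notes",
}

# Patterns that indicate a direct identifier leaking through a free-text field.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "street_address": "12 Main St",
    "city": "Providence",
    "state": "RI",
    "zip": "02912",
    "phone": "401-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "admission_date": "2023-03-01",
    "discharge_date": "2023-03-04",
    "date_of_birth": "1960-07-15",
    "age_years": 62,
    "diagnosis": "J18.9",
    "notes": "Follow-up scheduled.",
}


def find_leaks(text: str) -> list[str]:
    """Return the names of the identifier patterns found in a free-text value."""
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(text)]


def lds_release_problems(record: dict[str, Any]) -> list[str]:
    """List reasons a record cannot be released as a limited data set:
    unclassified fields, or identifier patterns inside retained text fields."""
    problems = []
    unknown = set(record) - LDS_PERMITTED_FIELDS - DIRECT_IDENTIFIER_FIELDS
    if unknown:
        problems.append(f"unclassified fields: {sorted(unknown)}")
    for field in sorted(set(record) & LDS_PERMITTED_FIELDS):
        value = record[field]
        if isinstance(value, str):
            for leak in find_leaks(value):
                problems.append(f"{field} contains {leak}")
    return problems


def make_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers and keep only permitted fields; refuse to emit a
    record that fails the release checks rather than silently releasing it."""
    problems = lds_release_problems(record)
    if problems:
        raise ValueError("; ".join(problems))
    return {k: v for k, v in record.items() if k in LDS_PERMITTED_FIELDS}


def code_record(record: dict[str, Any], key_store: dict[str, dict]) -> dict[str, Any]:
    """Coded data: replace the direct identifiers with a random subject code and
    keep the code-to-identifier mapping in a separate key store. Anyone holding
    the key store can re-identify the record, so this is not de-identified data."""
    code = secrets.token_hex(8)
    key_store[code] = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIER_FIELDS}
    coded = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    coded["subject_code"] = code
    return coded


if __name__ == "__main__":
    print(make_limited_data_set(SAMPLE_RECORD))
    key_store: dict[str, dict] = {}
    print(code_record(SAMPLE_RECORD, key_store))
    print(lds_release_problems(dict(SAMPLE_RECORD, notes="Call 401-555-0100")))
```

The release check deliberately fails closed: a column that is not on either list, or a phone number typed into a notes field, blocks the whole record instead of being passed through. In practice the key store produced by the coded-data transform should live under separate access control from the coded records, since under the DUA terms the combination of the two is fully identifiable data.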

Personally identifiable information can be used to distinguish or trace an individual’s identity and includes:

  • name (full name, maiden name, mother’s maiden name or alias)
  • Social Security number
  • date and place of birth
  • biometric records
  • passport or driver’s license number
  • taxpayer identification number
  • patient identification number
  • financial account or credit card numbers

Personally identifiable information also includes any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information. 

If the information cannot be linked to a living individual, is considered public, or is given with the expectation that it will be made public and linked to the individual (e.g., a biography or news story), then it is not considered private identifiable information.

When allowing access to personally identifiable information, care should be taken that the data or combination of data elements when linked (i.e., taken in combination) do not allow the individual to be distinguished or traced.

Under the HIPAA Privacy Rule, "protected health information" is considered to be individually identifiable information relating to the past, present or future health status of an individual that is created, collected, transmitted or maintained by a HIPAA-covered entity in relation to the provision of health care, payment for health care services, or use in health care operations. Information is only considered protected health information when an individual could be identified from the information. 

Protected health information includes one or more of the 18 HIPAA identifiers, which overlap substantially with the identifiers listed under personally identifiable information. If all of those identifiers are removed (or expert determination is made as described above), the information is considered de-identified, and de-identified information is not subject to the restrictions of the HIPAA Privacy Rule.

Sensitive information is information that has the potential to damage an individual’s reputation, employability, financial standing or educational advancement, to place them at risk for criminal or civil liability, or to cause similar harm.