Data Use Agreements

Important: University Counsel (U.C.) is the university’s authority for contractual matters, including data use agreements. U.C. has delegated limited authority to The Office of Research Compliance to help investigators execute most de-identified data use agreements.

What are data use agreements?

  • Data use agreements (DUA) are contractual documents that define limitations on a recipient’s use of non-public data or data that is otherwise restricted by the data provider or under applicable law.

When is a data use agreement required?

  • Typically, you must use a DUA when sharing identifiable data or non-public de-identified (including anonymous) data with a party external to KSU. The terms of a DUA are under the purview of University Counsel. The IRB works with University Counsel to help facilitate DUAs for inter-institutional human subjects research.

When is a data use agreement not required?

  • If another fully executed agreement (i.e., sponsored research agreement, grant agreement, or IRB inter-institutional authorization agreement) includes terms for data sharing and supersedes the need for a data use agreement. 

What if the data I am sending to an external party includes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or education records protected under the Family Education Rights and Privacy Act (FERPA)?

  • You must get approval from the University’s Privacy Officer (PHI) (or Registrar (FERPA) and follow their requirements.

Who can sign a DUA on behalf of the University?

  • DUAs may only be signed by a University official with the appropriate delegated signature authority, including your Dean or certain representatives from the Division of Research and Sponsored Programs.

What if I am asked to sign a DUA by an external party?

  • Contact University Counsel.
  • Once fully executed, abide by the terms and conditions of the agreement.

Do I need to contact the IRB prior to sharing data?

  • If the data was collected under the approval of the KSU IRB, you must contact the Office of Research Compliance. The ORC will review your IRB application to ensure sharing of data is not disallowed.

What types of data use agreements exist?

  • The two most common types are stand-alone de-identified data agreements or confidentiality  agreements with data-use provisions. If sharing identifiable data (using a confidential agreement) you must justify to the IRB the need to share identifiers.