Data Use Agreements (Section 10.b)

10.1 Important: University Counsel (U.C.) is the university’s authority for contractual matters, including data use agreements. U.C. has delegated limited authority to The Office of Research Compliance to help investigators execute most de-identified data use agreements.

10.2 Templates:

• De-Identified Data Use Agreement — This is to be used if you plan to share de-identified data with investigators from another institution. 
• Data Use Agreement for data containing identifier (not for Limited Data Sets) — This form is to be used if you plan to send data that includes identifiers to another institution.
• Confidentiality agreement - This form is to be used when using non-research personnel (third party) translation or transcription services. 
• IS Secured Use & Confidentiality of University Records and Data — This is to acknowledge that investigators understand the rules associated with university records and data confidentiality. 

10.3 What are data use agreements?

• Data use agreements (DUA) are contractual documents that define limitations on a recipient’s use of non-public data or data that is otherwise restricted by the data provider or under applicable law.

10.4 When is a data use agreement required?

• Typically, you must use a DUA when sharing identifiable data or non-public de-identified (including anonymous) data with a party external to KSU. The terms of a DUA are under the purview of University Counsel. The IRB works with University Counsel to help facilitate DUAs for inter-institutional human subjects research.

10.5 When is a data use agreement not required?

• If another fully executed agreement (i.e., sponsored research agreement, grant agreement, or IRB inter-institutional authorization agreement) includes terms for data sharing and supersedes the need for a data use agreement. 

10.6 What if the data I am sending to an external party includes Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) or education records protected under the Family Education Rights and Privacy Act (FERPA)?

• You must get approval from the University’s Privacy Officer (PHI) (or Registrar (FERPA) and follow their requirements.

10.7 Who can sign a DUA on behalf of the University?

• DUAs may only be signed by a University official with the appropriate delegated signature authority, including your Dean or certain representatives from the Division of Research and Sponsored Programs.

10.8 What if I am asked to sign a DUA by an external party?

• Contact University Counsel.
• Once fully executed, abide by the terms and conditions of the agreement.

10.9 Do I need to contact the IRB prior to sharing data?

• If the data was collected under the approval of the KSU IRB, you must contact the Office of Research Compliance. The ORC will review your IRB application to ensure sharing of data is not disallowed.

10.10 What types of data use agreements exist?

• The two most common types are stand-alone de-identified data agreements or confidentiality  agreements with data-use provisions. If sharing identifiable data (using a confidential agreement) you must justify to the IRB the need to share identifiers.

10.11 Can I sign a data use agreement?

• Research related data use agreements typically need to be signed by VP for research or a legally delegated designee. Check with University Counsel for more information. 

10.12 Other helpful federal information

• National Science and Technology Council - DESIRABLE CHARACTERISTICS OF DATA REPOSITORIES FOR FEDERALLY FUNDED RESEARCH
• NIH Data Management and Sharing Policies 
• National Institute for Standards and Technology - includes information about Cybersecurity