What is a Data Use Agreement?
A Data Use Agreement (DUA) is a written, signed agreement that outlines what data are shared, with whom, and how the data may be used. A DUA ensures that data are handled responsibly, protecting individual privacy and data integrity.
When should a DUA be used?
Scenarios in which a DUA may be warranted:
- When the data could be used for a purpose other than the originally intended use
- When the request involves a novel or non-standard use
- When data will be shared externally, such as for cross-institutional research
- Note: External data sharing will likely require consultation with the Office of the General Counsel.
Key concepts to address in a DUA:
- The purpose of sharing, if data will be shared beyond the original recipient
- Which data will be shared and which are considered sensitive
- Who is authorized to access the data and what level of security access will be applied
- Approved methods for securely transferring the data
- Approved methods for securely storing the data
- How long the data can be retained by the recipient
- The date or event by which the data must be destroyed, and approved methods of destruction
- The circumstances under which data may be used beyond the original request, if applicable
- Guidelines for handling sensitive data, if the data contain personally identifiable information or combinations of fields that could identify individuals
- Any exceptions
- Any additional compliance or security measures required by Information Security or the Office of the General Counsel