Data Use Agreements
A Data Use Agreement (DUA) is a legally binding agreement established between parties to define how data provided by one party (the “Provider”) can be used by the other party (the “Recipient”).
A DUA can have terms that are important to review carefully including, but not limited to, limitations on who can access the data, whether and how the data can be published in academic writing and how the data must be physically secured and/or accessed. If the terms of a DUA are problematic, the Office of Technology & Industry Alliances will reach out to the provider to try to negotiate revised terms.
DUAs may require coordination with different campus departments and units including the Research Integrity group, the researchers’ respective departmental information technology groups, the central Enterprise Technology Services (ETS) group, and/or the Secure Computing Research Environment (SCRE).
See also the guidance from the UCSB Chief Information Security Officer (CISO) here for navigating issues concerning data sets.
The Office of Technology & Industry Alliances handles DUAs from all entity types, regardless of the type of entity that is providing the data (company, nonprofit, government, etc.) DUAs are considered “Incoming DUAs” when the data is being provided to a UCSB researcher from another organization, and “Outgoing DUAs”, when UCSB researchers wish to provide data to others.
The Office of Technology & Industry Alliances’ Industry Contract Team are the only individuals with delegated authority to sign DUAs on behalf of the University. The following are types of personal or sensitive data:
When requesting to receive data sets from some governmental agencies, such as the Institute for Education Sciences and the federal or state Departments of Health, the agency may require a specific administrative process that involves obtaining the signature of the Information Security Officer (ISO) and the Senior Official (SO) for final institutional sign-off.
All licenses that require security signoff must use a process reviewed and/or implemented by the UCSB Office of Information Technology. To learn more about this process, please go to:
Often, a DUA is used to allow access to protected health information (PHI). Any access to PHI must be done in accordance with HIPAA Regulations found at 45 CFR Part 160-164. PHI data requires careful handling and is regulated under federal law. Prior to requesting access to PHI, the researchers should determine whether the PHI is actually necessary for the research project. Often, either a limited data set or completely de-identified data can be effective in the proposed research project, so the extra obligations and responsibilities associated with accepting PHI may not be necessary.
An Outgoing DUA must be put in place for any data is transferred if any of the data is from human subjects; and/or the Data to be transferred is HIPAA protected. Please note that if the data to be provided is completely de-identified and there is no means to re-identify, a DUA is not needed. To meet this qualification the data must be stripped of the data elements cited above in personally identifiable information. If the data contains any of these identifiers then a DUA must be in place. DUAs must also be in place if sponsored funding was involved and there are data ownership and/or dissemination requirements.
If you would like to move forward with a Data Use Agreement, please complete the DUA Request Form, which will provide the DUA Officer with the critical information needed to review and negotiate appropriate data transfer and use terms. Please send the completed form to firstname.lastname@example.org, and also take additional action as noted below for incoming data sets, as applicable.
For incoming data sets, please also provide any draft DUA document that has been sent by the provider. The Office of Technology & Industry Alliances can also draft a DUA for incoming data sets should the provider either not have a draft DUA or be interested in working from UCSB’s template.