Data Use Agreements

Submit a NEW request for incoming Data under a Data Use Agreement:


Submit a request to amend a DUA already processed:

  • Submit a Data Agreement Amendment Request (eDAA) for a DUA processed in the Office of Sponsored Programs, Purchasing, or Office of Risk Management.
  • Request an amendment to a College of Medicine Data Use Agreement by emailing Office of Research Affairs Contracts Office via the email resource account: e-contracts@pennstatehealth.psu.edu

What is a DUA?
What is a DUA’s purpose?
Who may sign a DUA?
How do I request review of a DUA or obtain approval to access a Data Set? (Incoming Data)
Who may accept an electronic DUA?
Do I need IRB approval for the use of a Data Set that is covered under a DUA?

Who is permitted to access to Data received under a Data Use Agreement?
Students and Data Use Agreements

How do I share PSU Data? (Outgoing Data, Data Share)
RESOURCES 
University Policies Related to Data


What is a DUA?

A “Data Use Agreement” (DUA) is an agreement from a Data Provider that requires a signature, that can be electronically accepted, or that must be acknowledged in some other way to receive data from another party.

DUAs can be called many other things (Data Sharing Agreement, Data Transfer Agreement, License Agreement, etc.). The basic purpose of a DUA is to define the legal obligations the Data Recipient* has related to use, storing, processing, and transmitting the data (among other things). These terms and conditions, if accepted by Penn State, are legally binding, so they must be reviewed by appropriate Penn State personnel.

*Data Recipient is defined as Penn State which in turn assigns responsibility of managing the data to the Recipient Investigator (Principal Investigator). The PI is accountable for all project personnel who will have access to the data.

For clarity, who can serve as a Principal Investigator is defined in PSU policy RA03.

If you are not eligible to serve as PI and require access to data, your faculty mentor/advisor will be required to serve as PI for the Agreement. You can also contact your College Research Office to discuss possible exceptions that require additional approvals.


 What is a DUA’s Purpose?

Generally, a DUA describes how to access, store, protect, use, and transmit data types such as Protected Health Information (PHI), Personally Identifiable Information (PII), Limited Data Sets, and/or Proprietary (Confidential) Information.

DUAs may also include a data provider’s requirements for handling unregulated, de-identified, or other low risk data.

Interpreting the Terms and Conditions and other variables associated with the Data should be left to appropriate offices within the University. You are not expected to be an expert in contract interpretation.


 Who may sign a DUA?

Faculty members, students, or other individual data users are not authorized to sign Data Use Agreements on behalf of Penn State. Only an authorized representative of Penn State may approve terms and conditions on behalf of the University, whether they are accepted by hard signature or electronically (this includes electronic click-through agreements.)  When an actual signature is required, individuals that have been specifically authorized by Penn State must approve and sign the agreement. These approved signatories are listed in Policy FN11 and Guideline FNG02.


How do I request review of a DUA or obtain approval to access a Data Set? (Incoming Data)

If you are in receipt of a Data Use Agreement or want to otherwise request access to a Data Set, you should complete an electronic Data Acquisition Request (eDAR).   (For requests in the College of Medicine, use Data Use Agreement request form.)  Please work with your College Research Office to assist with submitting this form. Questions may also be directed to the Data Use Agreement Coordinator in the Office of Sponsored Programs.  The purpose of an eDAR is to gather initial information to assist with processing your Data Acquisition Request. A copy of any relevant agreements and other documentation, should be submitted through the eDAR. If you have any questions, please email DataRequest@psu.edu.

The agreement and eDAR will be reviewed by Penn State to determine the next steps needed to agree to the terms and conditions on behalf of Penn State.

These steps could include some or all of the following:

  • Negotiations to request changes to language in the agreement

    • Note: The status of DUAs in negotiation can be monitored via myResearch Portal under “Pending Negotiations”
  • Data Security Review
  • Acceptance of higher risk terms and conditions by department/college leadership 

 


Who may accept an electronic DUA?

BEFORE accepting the terms and conditions electronically, please submit an eDAR and provide a copy of, or a link to, the provider’s terms and conditions. For requests in the College of Medicine, submit to Data Use Agreement request form.

The office reviewing the terms and conditions will work with the Office of Risk Management to obtain approvals to electronically accept. Per FNG02, this one-time approval from the Office of the Corporate Controller to electronically accept the agreement must be made in writing and will be maintained in the contract file as evidence of the University’s acceptance of the agreement. You MUST receive this written approval before electronically accepting the terms and conditions.


Do I need IRB approval for the use of a Data Set that is covered under a DUA?

Depending on the specific Data Set and the requirements set forth in the DUA, IRB review and approval or determination may be needed.  Penn State Policy RP03 outlines requirements for the use of human subjects data. If data obtained for research purposes is private and individually identifiable, as outlined in the policy, prior IRB review and approval or exemption determination is required.

Researchers should also be aware that in some instances publishers, sponsors, or others may require an official determination from the IRB that a project is not human subjects research (NHSR).  If an official determination is needed, a submission in CATS IRB is necessary prior to the start of the project.

If IRB review and approval is required, a copy of the DUA should be provided to the IRB for review with the proposed IRB protocol. Any provisions for appropriately protecting Data as outlined in the DUA and disposition of the data should be congruent with what is submitted to the IRB for review in the associated study protocol.

Some DUAs require a certain level of review by the IRB and may require an additional sign off by an IRB representative (e.g. IRB Chairperson).

For general inquiries about the need for IRB review and approval please contact the IRB program at irb-orp@psu.edu.


Who is permitted to access the Data received under a Data Use Agreement?

Data Use Agreements may specify only named project personnel as authorized to access data under the terms and conditions of the Agreement. If the Agreement does not require specific individuals to be named, only University employees are authorized to have access to the data received under the agreement.


Students and Data Use Agreements

If you would like to allow student (undergraduate and MBA student) access to data received under a Data Use Agreement, please contact the Office of Sponsored Programs prior to allowing access.

Generally speaking, students who are not graduate students on a research assistantship conducting University research will need to be independently bound to terms and conditions contained in any Data Use Agreement, including obligations of confidentiality and non-redistribution.


How do I share PSU Data? (Outgoing Data, Data Share)

A researcher seeking to transfer Data outside of Penn State is directed to contact the Office of Technology Management to initiate an Outgoing DUA at otminfo@psu.edu.

For requests in the College of Medicine, submit to Data Use Agreement request form.


RESOURCES:

Office of Sponsored Programs
Office of Risk Management
Office of Procurement Services
Office of Information Security (OIS)
Office of Technology Management
OIS and General Data Protection Regulation (GDPR)
Implications of the GDPR on Research for Penn State
Institute for Computational and Data Sciences (ICDS)
PSU Policy


University Policies related to Data:

AD22 – Health Insurance Portability and Accountability Act (HIPAA)
AD35 – University Archives and Records Management
AD53 – Privacy Policy
AD95 – Information Assurance and IT Security
AD96 – Acceptable Use of University Information Resources
AD97 Penn State Identification Numbers 
BS15 – Disposal and Purchase of Obsolete, surplus or Scrap University –owned equipment, supplies and/or materials
FN11Contracts and Leases
FN14 - Use of University Tangible Assets, Equipment, Supplies and Services
FNG02Limited Delegation of Contract Approvals
HR60 - Access to Personnel Files
IP01 - Ownership and Management of Intellectual Property
RP03 – The Use of Human Participants in Research  


Page last updated 04/20/2022