Data Use Agreements

What is a DUA?

What is a DUA’s purpose?

Who may sign a DUA?

How do I request review of a DUA or access a Data Set? (Incoming Data)

Who may accept an electronic DUA?

Do I need IRB approval for the use of a Data Set that is covered under a DUA?

How do I share PSU Data? (Outgoing Data, Data Share)



What is a DUA?

“Data Use Agreement” (DUA) is an agreement from a Data Provider that requires a signature, that can be electronically accepted, or that must be acknowledged in some other way to receive data from another party.

DUAs can be called many other things (Data Sharing Agreement, Data Transfer Agreement, License Agreement etc), but the basic purpose of a DUA is to define the legal obligations the Data Recipient* has related to use, storing, processing, and transmitting the Data (among other things). These terms and conditions, if accepted by Penn State, are legally binding, so they must be reviewed by appropriate Penn State personnel.

*Data Recipient is defined as Penn State which in turn assigns responsibility of managing the data to the Recipient (Principal) Investigator. The PI is accountable for all project personnel who will have access to the data.

For clarity, who can serve as a Principal Investigator is defined in PSU policy RA03.

What is a DUA’s Purpose?

Generally a DUA describes how to access, store, protect, use, and transmit data types such as Protected Health Information (PHI), Personally Identifiable Information (PII), Limited Data Sets, and/or Proprietary (Confidential) Information.

However, DUAs may also include a data provider’s requirements for handling unregulated, de-identified, or other low risk data. Interpreting the Terms and Conditions and other variables associated with the Data should be left to appropriate offices within the University. You are not expected to be an expert in contract interpretation.

Who may sign a DUA?

A Faculty Member is not authorized to sign a Data Use Agreement. Only an authorized representative of Penn State may approve terms on behalf of the University, whether they are accepted by hard signature or electronically. When an actual signature is required, individuals that have been specifically authorized by Penn State must approve and sign the agreement. These individuals are listed in Policy FN11 and Guideline FNG02.

How do I request review of a DUA or otherwise access to a Data Set? (Incoming Data)

If you are in receipt of a Data Use Agreement or you want to otherwise request access to a Data Set, you should complete the  Data Acquisition Request (DAR) Form. Please work with your College Research Office  to assist with submitting this form. Questions may also be directed to the Data Use Agreement Coordinator in the Office of Sponsored Programs.  The purpose of this form is to gather initial information to assist with processing your data acquisition request. This form, along with a copy of any relevant agreements and other documentation, should be submitted to

The agreement and Data Acquisition Request Form will be reviewed by Penn State to determine the next steps needed to agree to the terms and conditions on behalf of Penn State.

These steps could include some or all of the following:
  • Negotiations to request changes to language in the agreement
  • Data Security Review
  • Acceptance of terms and conditions by department/college leadership 
Who may accept an electronic DUA?

When a DUA needs to be electronically accepted please contact and provide a copy of the provider’s terms (may be copy/pasted) and the Data Acquisition Request Form before accepting the terms and conditions. You MUST receive a written delegation approval before accepting the electronic terms and conditions.

Do I need IRB approval for the use of a Data Set that is covered under a DUA?

Dependent on the specific Data Set and the requirements set forth in the DUA, IRB review and approval or determination may be needed.  Penn State Policy RP03 outlines requirements for the use of human subjects data.

If IRB review and approval is required, a copy of the DUA should be provided to the IRB for review with the proposed IRB protocol. Any provisions for appropriately protecting Data as outlined in the DUA and disposition of the Data should be congruent with what is submitted to the IRB for review in the associated study protocol.

Some DUAs require a certain level of review by the IRB and may require an additional sign off by an IRB representative (e.g. IRB Chairperson).

For general inquiries about the need for IRB review and approval please contact the IRB program at

How do I share PSU Data? (Outgoing Data, Data Share)


A researcher seeking to transfer Data outside of Penn State is directed to contact the Office of Technology Management to initiate an Outgoing DUA at



University Policies related to Data:

AD22 – Health Insurance Portability and Accountability Act (HIPAA)
AD35 – University Archives and Records Management
AD53 – Privacy Policy
AD95 – Information Assurance and IT Security
AD96 – Acceptable Use of University Information Resources
AD97 -  Penn State Identification Numbers  
BS15 – Disposal and Purchase of Obsolete, surplus or Scrap University –owned equipment, supplies and/or materials
FN14 - Use of University Tangible Assets, Equipment, Supplies and Services
HR60 - Access to Personnel Files
IP01 - Ownership and Management of Intellectual Property