What is a DUA?
The transfer of data between organizations is common in the research community. When the data is confidential, proprietary, or otherwise considered sensitive, the organization providing the data (“Provider”) will often require that the organization receiving the data (“Recipient”) enter into a written contract to outline the terms and conditions of the data transfer. Such a contract is usually referred to as a Data Use Agreement (DUA), althogh it may also be referred to as a License Agreement, Confidentiality Agreement, Non-Disclosure Agreement, Memorandum of Understanding, Memorandum of Agreement, or other names if these agreements include data sharing or data transfer requirements.
Any agreement for confidential or proprietary data should be legally structured as a contract between the President and Fellows of Harvard College (“Harvard”) and the Provider or Recipient and be reviewed and signed by an authorized Harvard signatory in either the Office for Sponsored Programs (“OSP”) for University area schools, the Sponsored Programs Administration (“SPA”) office at the Harvard T.H. Chan School of Public Health, or the Office of Research Administration (“ORA”) at the Harvard Medical School (collectively, the “Negotiating Office(s)”). DUAs may not be signed by University faculty or staff members in the absence of institutional approval from the appropriate Negotiating Office.
What is the process for requesting an incoming DUA?
When obtaining data from a third party, Harvard researchers should follow the steps outlined here (and further detailed in the DUA Job Aids):
- Submit your initial data request to the Provider, including a description of the dataset being requested and your intended uses, as well as any other information and/or documentation required by the Provider.
- If approved, the Provider will either provide you with a draft DUA (this can be a document or online version) for review and signature by the appropriate Negotiating Office, or ask that Harvard provide a draft DUA.
- Whether Harvard or the Provider is drafting the DUA, you will submit your request to the Negotiating Office through the DUA-Agreements System. You can access the Agreements System by logging in with your HarvardKey.
You can create a new request by clicking “Create Agreement”, and entering your project’s information into the online forms. The prompts and number of questions you are asked may change based on the answers you provide. The System will direct you as to where to attach relevant information and documentation, for example:
- The draft DUA (if there is one),
- A description of the data you are requesting and how you plan to use it,
- Human or non-human subjects research determination (whether determined by the IRB or the faculty member overseeing the project),
- The corresponding Data Security Level, and
- Applicable email correspondence with the Provider.
- Once you click “Submit” the DUA will be automatically assigned to the authorized Negotiating Office, and a negotiator will reach out to you about next steps.
- You can track the status of the DUA as it is reviewed, negotiated and finalized and also communicate with the negotiator directly in the Agreements System.
The process for outgoing DUAs is similar to that for incoming DUAs, in that all DUAs must go through the DUA-Agreement System and be reviewed and signed by the appropriate Negotiating Office, regardless of whether the data is being shared with Harvard or a third party.
Not every data exchange requires a DUA, but many outgoing datasets do require certain restrictions to prevent the data from being used inappropriately or illegally. For example, data originally provided or owned by a third party, identifiable data, data resulting from human subjects research, and data that is protected by federal or international regulations (e.g. FERPA, HIPAA, GDPR) would require a DUA. If you are at all unsure about whether a DUA might be helpful or required to properly protect the use of your data, please reach out to your local Negotiating Office.