What is a DUA?
The transfer of data between organizations is common in the research community. When the data is confidential, proprietary, or otherwise considered sensitive, the organization providing the data (“Provider”) will often require that the organization receiving the data (“Recipient”) enter into a written contract to outline the terms and conditions of the data transfer. Such a contract is usually referred to as a Data Use Agreement (DUA), although it may also be referred to as a License Agreement, Confidentiality Agreement, Non-Disclosure Agreement, Memorandum of Understanding, Memorandum of Agreement, or other names if these agreements include data sharing or data transfer requirements.
Any agreement for confidential or proprietary data should be legally structured as a contract between the President and Fellows of Harvard College (“Harvard”) and the Provider or Recipient and be reviewed and signed by an authorized Harvard signatory in either the Office for Sponsored Programs (“OSP”) for University area schools, the Office of Research Administration (“ORA”) at the Harvard T.H. Chan School of Public Health, or the Office of Research Administration (“ORA”) at the Harvard Medical School (collectively, the “Negotiating Office(s)”). DUAs may not be signed by University faculty or staff members in the absence of institutional approval from the appropriate Negotiating Office.
What is the process for requesting an incoming DUA?
When obtaining data from a third party, Harvard researchers should follow the steps outlined here (and further detailed in the DUA Job Aids):
- Submit your initial data request to the Provider, including a description of the dataset being requested and your intended uses, as well as any other information and/or documentation required by the Provider.
- If approved, the Provider will either provide you with a draft DUA (this can be a document or online version) for review and signature by the appropriate Negotiating Office, or ask that Harvard provide a draft DUA.
- Whether Harvard or the Provider is drafting the DUA, you will submit your request to the Negotiating Office through the DUA-Agreements Application. You can access the Application by logging in with your HarvardKey.
You can create a new request by clicking “Create Agreement”, and entering your project’s information into the online forms. The prompts and number of questions you are asked may change based on the answers you provide. The system will direct you as to where to attach relevant information and documentation, for example:
- The draft DUA (if there is one),
- A description of the data you are requesting and how you plan to use it,
- Human or non-human subjects research determination, whether determined by the IRB and linked via Manage Related Projects, or determined by the faculty member overseeing the project,
- The corresponding Data Security Level via link to the linked Data Safety submission, and
- Applicable email correspondence with the Provider.
- Once you click “Submit” the DUA will be automatically assigned to the authorized Negotiating Office, and a negotiator will reach out to you about next steps.
- You are also required to obtain Security Review of the dataset and DUA terms by your local information security officer in the Data Safety Application. Once you've submitted your Security Review request, you should link the two reviews using the "Manage Related Projects" activity.
You can track the status of the DUA as it is reviewed, negotiated and finalized and also communicate with the negotiator directly in the Agreements Application.
Note: Don't forget to utilize the "Manage Related Projects" function to link relevant IRB-ESTR and Data Safety submissions.
The process for outgoing DUAs is similar to that for incoming DUAs, in that outgoing DUAs must also go through the DUA-Agreements Application and Data Safety Application [1] and be reviewed and signed by the appropriate Negotiating Office.
Not every data exchange requires a DUA, but many outgoing datasets do require certain restrictions to prevent the data from being used inappropriately or illegally. For example, data originally provided or owned by a third party, identifiable data, data resulting from human subjects research, and data that is protected by federal or international regulations (e.g. FERPA, HIPAA, GDPR) would require a DUA. If you are at all unsure about whether a DUA might be helpful or required to properly protect the use of your data, please reach out to your local Negotiating Office.
[1] Certain categories of outgoing DUAs do not require a new review in Data Safety (however, if applicable, existing relevant Data Safety record(s) should be updated to reflect the current state of the underlying data and research team): (i) departing PI, as described in Section 4 ("Transfer in the Event a Researcher Leaves Harvard") of the Data Ownership Policy, and (ii) animal data, unless there are specific data security requirements attached.
What are the "Standard Contractual Clauses" required by the General Data Protection Regulation (GDPR), and how do they apply to DUAs?
When receiving "personal data" (see GDPR Research Guidance) from a Provider in the European Economic Area (EEA) or United Kingdom (UK), or sharing personal data with a third party (e.g. collaborator, vendor, previous student), the governing agreement often must incorporate the Standard Contractual Clauses (SCCs) in order to satisfy certain GDPR requirements. For DUAs and research collaboration agreements, the Negotiating Office will ultimately make the determination as to whether the SCCs are applicable, based on the requirements of GDPR.
The SCCs are model terms and conditions developed by the European Commission that reflect certain elements of GDPR relevant to the exchange of personal data. The SCC document will be affixed to the DUA (or other agreement, such as an MTA, collaboration agreement, or vendor contract) and outlines the parties' roles and responsibilities, timelines for data use and destruction (or full anonymization), and any applicable security concerns or "special categories" of personal data (e.g. mental or physical health, political or religious beliefs, race or ethnicity). Because of the specific requirements associated with processing personal data, the University developed the GDPR DUA Supplemental Guidance for researchers to reference whenever requesting or sharing personal data under a DUA. The Guidance describes the datapoints that must be included in the relevant DUA-Agreements Application submission; without them, the Negotiating Office will be unable to sign off on the data transfer.
Note: The SCCs require that personal data be anonymized or destroyed at the end of the project’s period of performance (if not before). Researchers should reflect this requirement in their anticipated timeline and documentation (e.g. ESTR, Data Safety and Agreements Applications).