What is a DUA?
The transfer of data between organizations is common in the research community. When the data is confidential, proprietary, or otherwise considered sensitive, the organization providing the data (“Provider”) will often require that the organization receiving the data (“Recipient”) enter into a written contract to outline the terms and conditions of the data transfer. Such a contract is usually referred to as a Data Use Agreement (DUA), although it may also be referred to as a License Agreement, Confidentiality Agreement, Non-Disclosure Agreement, Memorandum of Understanding, Memorandum of Agreement, or other names if these agreements include data sharing or data transfer requirements.
Any agreement for confidential or proprietary data should be legally structured as a contract between the President and Fellows of Harvard College (“Harvard”) and the Provider or Recipient and be reviewed and signed by an authorized Harvard signatory in either the Office for Sponsored Programs (“OSP”) for University area schools, the Office of Research Administration (“ORA”) at the Harvard T.H. Chan School of Public Health, or the Office of Research Administration (“ORA”) at the Harvard Medical School (collectively, the “Negotiating Office(s)”). DUAs may not be signed by University faculty or staff members in the absence of institutional approval from the appropriate Negotiating Office.
What is the process for requesting an incoming DUA?
When obtaining data from a third party, Harvard researchers should follow the steps outlined here (and further detailed in the DUA Job Aids):
- Submit your initial data request to the Provider, including a description of the dataset being requested and your intended uses, as well as any other information and/or documentation required by the Provider.
- If approved, the Provider will either provide you with a draft DUA (this can be a document or online version) for review and signature by the appropriate Negotiating Office, or ask that Harvard provide a draft DUA.
- Whether Harvard or the Provider is drafting the DUA, you will submit your request to the Negotiating Office through the DUA-Agreements Application. You can access the Application by logging in with your HarvardKey.
You can create a new request by clicking “Create Agreement”, and entering your project’s information into the online forms. The prompts and number of questions you are asked may change based on the answers you provide. The System will direct you as to where to attach relevant information and documentation, for example:
- The draft DUA (if there is one),
- A description of the data you are requesting and how you plan to use it,
- Human or non-human subjects research determination, whether determined by the IRB and linked via Manage Related Projects, or determined by the faculty member overseeing the project,
- The corresponding Data Security Level via link to the corresponding Research Safety submission, and
- Applicable email correspondence with the Provider.
- Once you click “Submit” the DUA will be automatically assigned to the authorized Negotiating Office, and a negotiator will reach out to you about next steps.
- You are also required to obtain Security Review of the dataset and DUA terms by your local information security officer in the Research Safety Application. Once you've submitted your Security Review request, you should link the two reviews using the "Manage Related Projects" activity in the projects workspace.
You can track the status of the DUA as it is reviewed, negotiated and finalized and also communicate with the negotiator directly in the Agreements System.
*Don't forget to utilize the "Manage Related Projects" function to link relevant IRB-ESTR and Research Safety submissions!
The process for outgoing DUAs is similar to that for incoming DUAs, in that all DUAs must go through the DUA-Agreement Application and Research Safety Application and be reviewed and signed by the appropriate Negotiating Office.
Not every data exchange requires a DUA, but many outgoing datasets do require certain restrictions to prevent the data from being used inappropriately or illegally. For example, data originally provided or owned by a third party, identifiable data, data resulting from human subjects research, and data that is protected by federal or international regulations (e.g. FERPA, HIPAA, GDPR) would require a DUA. If you are at all unsure about whether a DUA might be helpful or required to properly protect the use of your data, please reach out to your local Negotiating Office.