Data Use Agreement (DUA)

A Data Use Agreement (DUA) is a binding contract between organizations governing the transfer and use of data. The transfer of data between organizations is common in the research community. When the data is confidential, proprietary, or otherwise considered sensitive, the organization providing the data (“Provider”) will often require that the organization receiving the data (“Recipient”) enter into a written contract to outline the terms and conditions of the data transfer. Such a contract is referred to as a DUA and must be signed by a Harvard Chan School Institutional Authorized Signatory in the Office of Research Administration (“ORA”).

Note: DUAs may not be signed by University faculty or staff members in the absence of institutional approval from the appropriate Negotiating Office.

Process for Incoming DUA

Harvard has expanded its Huron IRB-ESTR system to include two new modules: DUA-Agreements and Data Safety. The new modules are in response to the recent rise in data security requirements and regulations.

This updated process for data use agreements (DUAs) applies when a Harvard Chan researcher requests access to another party’s data, referred to as INCOMING DATA (PDF version of process). A separate, similar process covers Harvard Chan researchers sending data out to another party.

Purpose of Process

The past few years have seen a sharp increase in specific data security regulatory requirements for research data throughout the world. Due to the evolving landscape of data safety laws and standards (e.g., GDPR [1], FISMA [2], NIST, CMMC, PIPL [3], etc.), Harvard now needs to track its research data commitments more closely. This document updates Harvard Chan School’s DUA process to align with the new DUA and Data Safety modules of the ESTR/Huron system.

Process Snapshot

DUA Process Snapshot

Key Points

Process Steps

Human Subjects

  1. The data you are asking to use may be subject to IRB approval, given the nature of the data.

Data Safety

  1. Most datasets require some type of security measure to keep them safe from those not authorized to use them. Penalties for breaches can be steep, whether financial, administrative, or, likely, both. These penalties would affect not only you, but also the Harvard Chan School and Harvard University.
  2. The Harvard Chan School has a dedicated Research Computing resource.

DUA Terms and Conditions

  1. This is the actual content of a DUA that outlines your responsibilities as well as Harvard’s, as requested by the data provider (or by law), in storing, using, and disposing of the data.
  2. Access the DUA module
  3. Often the terms are not unlike those you may find in a research grant/agreement, such as:
  4. The DUA is reviewed and, if needed, negotiated pursuant to Harvard’s policies and practices by the Harvard Chan School’s Office of Research Administration (ORA).
  5. PLEASE NOTE: A DUA CANNOT be signed by Harvard until the IRB and Data Safety approvals are satisfied.
  6. Read the DUA-Agreements Submission Guide

RELATE YOUR ENTRIES

  1. ESTR, Data Safety, and DUAs are modules of the same system, which allows you to “relate” records between the modules.
  2. This is a key function that allows the three offices with a role in finalizing a DUA (ORARC, IT Security, and ORA) to see the status of each record. An ORA reviewer can easily see whether IRB and/or Data Safety has been approved, making finalizing a DUA quicker and more efficient.

Resources

[2] FISMA – Federal Information Security and Modernization Act; NIST – National Institute of Standards and Technology; CUI – Controlled Unclassified Information (see also NIST 800-171 found at the NIST link above); FERPA – Family Educational Rights and Privacy Act

[3] PIPL: China’s Personal Information Protection Law