
Data Use Agreement Guidance

Data Use Agreements (DUAs) are contractual documents used for the transfer of non-public data that is subject to some restrictions on its use. DUAs serve to outline the terms and conditions of the transfer. Specifically, DUAs address critical issues such as limitations on the use of the data, obligations to safeguard the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. The understanding established by a DUA can help avoid later issues by clearly setting forth the expectations of the parties (provider and recipient). Having a signed DUA in place may be a required precondition to transfers of certain data, or it may simply be a good idea. Determining whether a DUA is required is necessarily context-dependent. When a DUA is required, it must be study specific – i.e., data cannot be transferred pursuant to “master” or blanket sharing agreements. DUAs must be signed by a University of North Carolina at Chapel Hill (UNC) official who has the appropriate delegated signature authority from the Chancellor.

The purpose of this guidance is to assist its users in assessing whether a proposed outgoing transfer of data that is in the possession of UNC and/or a UNC investigator (developed in his or her work for UNC) to a third party (i) is permissible; and (ii) if so, whether a DUA is necessary or recommended to effect the transfer. This guidance contemplates the outgoing transfer of data to third parties who have a bona fide research use or practical application for the data (e.g., collaborating research institutions, academicians, public policy makers, community service providers, etc.). Note: this guidance does not address incoming data to be accepted by UNC, or a UNC investigator, from a third party, nor does it address providing data to a web hosting service, which comes with a separate set of considerations. Where incoming transfer of data is proposed, the data provider will determine whether a DUA is necessary.

For more information, please contact the Office of Industry Contracting (part of OSP): OSPContracting@unc.edu

Is the Proposed Data Sharing Permitted?
  1. If the data is derived from human subjects’ research:
    1. Does the associated informed consent form that subjects signed upon entering the study, or the relevant IRB waiver of consent, permit disclosure for the contemplated DUA purpose?
    2. Has the IRB reviewed and approved the data sharing proposal underlying the potential DUA?
  2. If the data was collected pursuant to a sponsored research project, has the sponsor placed restrictions on the subsequent transfer of the data?
  3. If the data was initially received from, or derived from data received from a third party pursuant to a contract, does that contract place restrictions on the subsequent transfer of the data?
When is a DUA Necessary?
  1. Is the data to be transferred derived from human subjects’ research?
    1. No? → If the data does not involve human subjects (e.g., animal research; bench research), privacy concerns may no longer drive the need for a DUA, but the data may still be subject to contractual restrictions (see #4 & #5 below) or constitute proprietary data (see #6 below).
    2. Yes? → Proceed to #2.
  2. Is the data HIPAA-protected (i.e., clinical data belonging to a Covered Entity, such as data generated from the Carolina Data Warehouse)?
    1. No – if it is completely de-identified within the meaning of HIPAA and is not disclosed with a code or other means to re-identify the data. Proceed to #3. Note: to qualify as completely de-identified, there must be no actual knowledge that the information to be shared could be used alone or in combination with other information to identify an individual, and the data must be stripped of the following elements:
      • Names
      • Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
      • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, etc.
      • Telephone numbers
      • Fax numbers
      • Email addresses
      • Social security numbers
      • Medical record numbers
      • Health plan beneficiary numbers
      • Account numbers
      • Certificate/license numbers
      • Vehicle identifiers and serial numbers
      • Device identifiers and serial numbers
      • Web URLs
      • IP addresses
      • Biometric identifiers, including finger and voice prints
      • Photographic images
    2. Yes – if the data contains identifiers (see above) or constitutes a Limited Data Set (LDS) within the meaning of HIPAA. If so, a data use agreement is required. Note: an LDS is Protected Health Information that excludes all the above identifiers except for dates and geographic information at the zip code, town, or city level.
  3. Does the data contain:
    1. “Personal Identifying Information” (PII) as defined by the North Carolina Identity Theft Protection Act.
    2. “Protected Health Information” (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA).
    3. “Education Records” as defined by the Family Educational Rights and Privacy Act (FERPA).
    4. “Customer Record Information” (CRI) as defined by the Gramm-Leach-Bliley Act.
    5. “Card Holder Data” as defined by the Payment Card Industry (PCI) Data Security Standard.
    6. “Confidential Personnel Information” (CPI) as defined by the State Personnel Act.
    7. information deemed confidential in accordance with the North Carolina Public Records Act.
    8. any other information that is protected by UNC policy or federal or state law from unauthorized access; or
    9. any personally identifiable or proprietary data?
      1. No → Proceed to #4.
      2. Yes? → Then the data contains “Sensitive Information” as defined in the UNC Information Security Policy (https://policies.unc.edu/TDClient/2833/Portal/KB/ArticleDet?ID=131258) and a data use agreement is required. Note, with respect to determinations about whether the data to be shared contains any “proprietary data” per #3(ix) above, UNC’s default position is that the work product of faculty is not proprietary to UNC. So, unless the data was collected under a sponsored research agreement that allocates ownership of the data and/or imposes restrictions on use (see #4 below), UNC is willing to share, and the question of “proprietary” becomes one for the principal investigator (see #6 below).
  4. Was the data collected pursuant to a sponsored research project?
    1. No → Proceed to #5.
    2. Yes → Does the sponsor claim ownership of the data and/or restrict disclosure and use of the data? Check the terms and conditions of the grants, contracts, agreements, etc. governing the sponsored research project. Sponsor may require a data use agreement. Even if not, a data use agreement may be recommended to flow through the limitations and restrictions placed on UNC’s use and disclosure of the data.
  5. Are there other contractual restrictions on the contemplated data transfer?
    1. Do rules governing access to publicly available databases apply? (E.g., publicly available federal data repository click-through agreements). No? → Proceed to #5(b).
    2. Was the data initially received from, or derived from data received from a third party pursuant to a contract? Does that contract restrict use or disclosure? No? → Proceed to #5(c).
    3. Yes, to either (a) or (b)? → Data use agreement may be recommended to flow through the limitations and restrictions placed on UNC’s use and disclosure of the data.
  6. Even if not required, is a data use agreement a good idea?
    1. Does the principal investigator (PI) consider the data to be “proprietary?” (I.e., internally generated, not publicly available, and containing technical or other types of information that the PI would like to safeguard to protect his/her/UNC’s competitive edge)
    2. Does the PI wish to restrict use of the data, secure publication review and acknowledgment rights, or otherwise direct and control use of the data post-transfer?
    3. Yes, to either (a) or (b)? → Data use agreement may be recommended to clarify the expectations, rights, and responsibilities of the data recipient.
DUA decision making tree.
