Data Use Agreements

This page works alongside Protecting & Sharing Data at BU. The main sharing page helps you classify, minimize, authorize, and secure data sharing. This page helps you determine when a formal review pathway, including a Data Use Agreement, may be required and what is typically approved, limited, or declined.
When a DUA is often needed
A DUA may be needed when a request involves broader sharing, more sensitive information, increased privacy risk, cross-system analysis, research use, or an external audience. Requests are reviewed by AS&IR and the relevant Data Trustee, and some requests may need to be narrowed or revised before they can proceed.
Start here
If your use case involves identifiable or sensitive data, data combined across systems or populations, research or publication, external sharing, or a request that goes beyond routine role-based access, you should plan to complete a Data Use Agreement.
If your request matches the types of scenarios described on this page, the next step is the
Internal requests with added sensitivity
A DUA may be appropriate when a request includes identifiable records, sensitive data elements, small populations, or combinations of data that increase re-identification risk.
Cross-system or cross-population use
Requests that combine data from multiple systems, offices, or populations often need additional review to confirm stewardship, scope, and approval pathways.
Research, publication, or external sharing
Requests connected to research, dissertations, theses, publication, vendors, or external collaborators may require both research compliance review and institutional approval.
How data access decisions are made
Submitting a request does not guarantee approval. Review focuses on whether the request is appropriate, necessary, aligned to role and mission, and structured in a way that protects privacy and supports responsible use.
Purpose
Is there a clear institutional, operational, academic, or research need for the data?
Data minimization
Is the request limited to the minimum data necessary, or could aggregate or de-identified data meet the need?
Role alignment
Does the request align with the requester’s official responsibilities, approved project role, or institutional function?
Privacy and risk

Does the request involve sensitive, identifiable data or FERPA protected data or create unnecessary re-identification risk?
Institutional benefit
Will the work support a broader institutional need, such as a reusable report, dataset, dashboard, or analytic resource?
Compliance readiness
If the request is for research, have the appropriate IRB steps been completed in addition to institutional review?
Typical approval and denial patterns
These examples do not guarantee an outcome, but they show the conditions that commonly support approval or lead to limitation, revision, or denial.
More likely to be approved
  • The request supports a legitimate institutional, administrative, or approved research purpose.
  • The data requested is aggregated, de-identified, masked, or otherwise limited to what is necessary.
  • The request aligns with the requester’s role and responsibilities.
  • The request supports academic, operational, compliance, or strategic priorities.
  • Required IRB review or approval is documented, when applicable.
  • The work may produce a reusable institutional dataset, dashboard, report, or analytic tool.
May be limited or declined
  • Identifiable data is requested without a clear business, academic, or research justification.
  • The request exceeds what is necessary for the stated purpose.
  • Sensitive student, employee, compensation, or other restricted data is requested outside authorized scope.
  • Small-population reporting introduces privacy or re-identification risk.
  • External sharing is proposed without the correct agreement or institutional review path.
  • The request does not align with policy, governance standards, or role-based access expectations.
Research, dissertations, theses, and publication
Requests involving dissertations, theses, or research intended for publication often require Institutional Review Board review or approval. IRB review may also be required when administrative university data is used for research purposes, especially when the work involves identifiable records, surveys, interviews, or other human-subjects research activities.
Important distinction
IRB approval does not replace institutional approval for access to University data. A DUA or other applicable data governance review may still be required before data can be accessed, shared, or used.
To identify the correct institutional pathway, use the Data Executive and Trustee Table to find the appropriate Data Trustee for your requested data area.
IRB resources
Charles River Campus IRB
Guidance and services for CRC investigators conducting human-subjects research.
BUMC IRB Submission Requirements
Submission guidance for Medical Campus and Boston Medical Center research activities.
Ready to submit a DUA?
If your request aligns with the scenarios above, use the DUA form to begin the formal review process. The form is the primary intake point for requests that need institutional review for data access, use, or sharing.
Use the DUA form when your request involves
  • Identifiable, confidential, restricted, or otherwise sensitive University data
  • Cross-system, cross-unit, or cross-population data use
  • Research, dissertations, theses, or publication-related use of University data
  • External sharing, vendor access, or collaboration beyond routine internal use
  • A use case that requires review by AS&IR and the appropriate Data Trustee
Submit the form
Before submitting, review the guidance on this page so you can describe your purpose clearly, request only the minimum necessary data, and identify whether IRB review or Trustee approval may also apply.
Common routing guide
The table below helps users understand where requests are typically routed. Final routing may vary based on the nature, sensitivity, and use of the requested data. Find the Data Trustee for your Data Area here (Note: you do not need to contact the data trustee directly; the form will be directed to them as part of the review process.)
Data type Typical route
Student data University Registrar
Employee data Human Resources
Applicant data Admissions
Alumni data Advancement
Derived or cross-system data AS&IR
Cross-population data AS&IR and the relevant Trustee
External sharing Office of Research and/or other applicable institutional review

 

Confidence check

Before moving forward, ask yourself these three questions. This mirrors the quick decision style of the main BU data sharing page while focusing specifically on when a DUA or added review may be needed.

1
Purpose
Do I have a clear institutional, academic, operational, or research reason for requesting this data?
2
Minimum necessary
Am I requesting only the minimum data needed, and have I considered aggregate or de-identified alternatives?
3
Approval path
Does this request involve sensitive data, cross-system use, research, or external sharing such that Trustee review, IRB review, or a DUA may be required?
Get help
Data Enablement
Questions about DUA requirements, review pathways, Data Trustee approvals, or institutional use cases.
Additional support
For broader sharing, compliance, or research-related questions, connect with the appropriate Data Trustee, AS&IR, IRB office, or Office of Research based on the nature of the request.

About Data Enablement