We recommend researchers enter into a data use agreement any time data is transferred into or out of BU. Learn more below or find the DUA Request Form here.
What is a Data Use Agreement?
A Data Use Agreement (“DUA”), sometimes referred to as a Data Transfer Agreement (“DTA”) or a Data Sharing Agreement (“DSA”), is a formal, written contractual agreement between two or more parties that establishes specific ways in which data may be used and how it must be protected. These agreements can be set up between academic institutions, government agencies, and/or corporate entities. A DUA is generally required for any data sharing to occur; sharing data without a DUA in place can leave researchers and institutions unwittingly in violation of ethical and regulatory standards.
Often, data subject to a DUA are a necessary component of a research project. A DUA legally binds the parties to appropriate protection and use of the data, and establishes conditions such as who is permitted to use and receive the data set, the limitations on use and further disclosure of the data by the recipient, obligations to safeguard the data, liability for harm arising from misuse of the data, and publication expectations and/or acknowledgments. The mutual understanding established by a DUA can help prevent future issues by clearly setting forth the expectations of both the data provider and data recipient.
Researchers may not sign DUAs on behalf of the University. DUAs are legal documents that have to be signed by a University-authorized signatory in order to bind the University to their terms. Please contact Industry Engagement if you receive a DUA from a third party with a request for a signature from BU. The IE contracting team can help review the DUA and guide you through the process.
Common Obligations of a DUA
Common obligations of a DUA provide that the data recipient will:
- not use, disclose, or destroy the data set other than as permitted by the DUA, or as required by law;
- use appropriate administrative, technical, and physical safeguards to prevent unauthorized uses or disclosures of the data set;
- report to the data provider any uses or disclosures of the data set in violation of the DUA;
- ensure that anyone to whom it provides the data set agrees to the same requirements that apply to the data recipient for receiving or accessing the data; and
- not re-identify the information or contact the data subjects (for data related to a human subject).
Types of Data That May Be Shared
Having an executed DUA in place is a prerequisite to the transfer of identifiable data.
When Do I Need a DUA?
Unsure if a DUA is necessary? Download the DUA decision tree.
Who will handle my DUA?
Industry Engagement can help manage the review and signing of the DUA. The process for establishing a DUA varies with respect to the type of data being shared, the agencies or institutions involved, and whether the data is inbound (received by Boston University) or outbound (provided by Boston University).
When sending a request for a DUA to Industry Engagement, please complete the DUA Request Form.
What happens after form submission?
The completed DUA Request Form provides Industry Engagement with necessary background information about the research. A project summary, list of data elements, funding sources, expectations for sharing results and publication authorship, and human/animal/stem cell compliance (as applicable) are essential to ensuring the terms of the DUA are appropriate. Industry Engagement may contact you with additional questions based on the information provided and the specific agreement terms. We may also consult with other compliance and legal offices at the University, as necessary, in our review of the DUA to ensure adequate protective measures and approvals are in place. Changes to the agreement may be necessary based on project/data specifications.
CHIA Data & Other Master Agreements
All BU researchers in any school/institute/other division of BU who obtain CHIA data for research must comply with this protocol.
Please note that BU may already have master data use agreements in place with certain entities:
- CHIA Master Data Use Agreement
- BEDAC-BMC Master Services Agreement
Glossary of Terms
- Fully identifiable human subjects data – information with any personal identifiers, as well as information about an individual, or his or her relatives, household members, or employer that alone or in combination could identify the individual.
- Limited data set – data set that is not fully de-identified according to the Privacy Rule regulations. The data set must exclude the following 15 of the 18 Privacy Rule personal identifiers:
  - street addresses (other than town, city, state and zip code);
  - telephone numbers;
  - fax numbers;
  - e-mail addresses;
  - Social Security numbers;
  - medical record numbers;
  - health plan beneficiary numbers;
  - account numbers;
  - certificate/license numbers;
  - vehicle identifiers and serial numbers, including license plates;
  - device identifiers and serial numbers;
  - IP address numbers;
  - biometric identifiers (including finger and voice prints) and full face photos (or comparable images).

  The following personal identifiers may be retained in a Limited Data Set:
  - dates such as admission, discharge, service, date of birth, date of death;
  - city, state, five digit or more zip code; and
  - ages in years, months, days or hours.

  In addition, the following two requirements apply:
  - the covered entity may release only the minimum necessary information, so the intended recipient must indicate what is needed; and
  - the recipient must agree to a “data use agreement” which generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact the individuals. A data use agreement is an agreement between the HIPAA covered entity and the recipient of the data. Note, a data use agreement is required for recipients that are both internal and external to the HIPAA covered entity. For more information about BU’s HIPAA covered components, see https://www.bu.edu/hipaa/files/2017/06/6-20-2017-HIPAA-CC-Designation.pdf.
- Personally identifiable information – information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. This includes any and all information that can be used to identify, locate or contact an individual student—such as name, address, student ID, and login information. It also includes the student’s academic, health, and disciplinary records, as well as information that can be combined to identify a particular student, such as demographics and birth date.
- Personal data of a person in the EEA/EU – the European Union instituted the General Data Protection Regulation (GDPR) in 2016 to protect the personal data of people in the EEA/EU. GDPR regulations purposefully define “Personal Data” very broadly; nearly any data relating to a person in the EEA/EU could be considered “Personal Data.”
- Data deemed confidential, internal, or restricted use per BU’s Data Classification Policy – see BU’s Data Classification Policy for more information.
- Data transferred across international borders – for example, a de-identified data set being received from collaborators in South Africa.
- Data related to another agreement – existing agreements may have obligations or restrictions relating to the data that will need to be respected; future agreements involving a re-transfer of the data will need to be harmonized with BU’s DUA contractual obligations to the data provider.
- DUA requested by other party – the providing or receiving party asks to use a DUA for the transfer.
- De-identified data – the following identifiers of the individual or of relatives, employers or household members of the individual must be removed from the data set in order for the data to be de-identified:
  - All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
    - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
    - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  - All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  - Telephone numbers;
  - Fax numbers;
  - Electronic mail addresses;
  - Social security numbers;
  - Medical record numbers;
  - Health plan beneficiary numbers;
  - Account numbers;
  - Certificate/license numbers;
  - Vehicle identifiers and serial numbers, including license plate numbers;
  - Device identifiers and serial numbers;
  - Web Universal Resource Locators (URLs);
  - Internet Protocol (IP) address numbers;
  - Biometric identifiers, including finger and voice prints, full face photographic images and any comparable images; and
  - Any other unique identifying number, characteristic, or code.
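The de-identification list above is a concrete procedure (remove the direct identifiers, keep at most three zip digits and only where the area has more than 20,000 people, keep only the year of dates, and collapse ages over 89 into a single 90-or-older category), so a small checker makes the rules easier to see in practice. The code below is an added example and is not BU's own tooling or part of the page; the field names, the 3-digit zip population table, and the sample record are constructed assumptions. It denies by default: any field the rules do not explicitly cover is held for human review, because Safe Harbor also bans "any other unique identifying number, characteristic, or code", which no fixed field list can detect.

```python
"""Safe Harbor de-identification checker (added example, not part of the page)."""
from datetime import date

# Fields the rules say must be removed outright (field labels are assumed).
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "precinct",
    "telephone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}

# Fields that carry no identifier and may pass through unchanged (assumed labels).
# Anything not listed here and not handled explicitly below is held for review.
PASS_THROUGH = {"state", "sex", "diagnosis_code", "lab_value", "procedure_code"}

POPULATION_THRESHOLD = 20_000   # zip3 area must have MORE than this many people
AGE_CAP = 89                    # ages over this collapse into "90+"


def zip_to_zip3(zip_code: str, zip3_population: dict) -> str:
    """Keep the first three digits only if that area has more than 20,000
    people; otherwise replace them with '000'. The table is a constructed
    stand-in for the Census figures the rule refers to."""
    zip3 = zip_code.strip()[:3]
    if zip3_population.get(zip3, 0) > POPULATION_THRESHOLD:
        return zip3
    return "000"


def age_on(as_of: date, birth: date) -> int:
    """Completed years of age on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def deidentify(record: dict, zip3_population: dict, as_of: date):
    """Return (cleaned_record, report); report lists removed and review fields."""
    cleaned, removed, review = {}, [], []

    birth = record.get("birth_date")
    age = age_on(as_of, birth) if isinstance(birth, date) else record.get("age")
    over_cap = age is not None and age > AGE_CAP

    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            removed.append(field)
        elif field == "zip":
            cleaned["zip3"] = zip_to_zip3(str(value), zip3_population)
        elif field == "birth_date":
            # Even the birth year is "indicative of such age" once age exceeds 89.
            if over_cap:
                removed.append(field)
            else:
                cleaned["birth_year"] = value.year
        elif field.endswith("_date") and isinstance(value, date):
            cleaned[field.replace("_date", "_year")] = value.year   # year only
        elif field == "age":
            continue                                  # emitted below, capped
        elif field in PASS_THROUGH:
            cleaned[field] = value
        else:
            review.append(field)                      # unknown: not passed silently

    if age is not None:
        cleaned["age"] = "90+" if over_cap else int(age)
    return cleaned, {"removed": sorted(removed), "review": sorted(review)}


# Constructed sample data; population numbers are NOT real Census figures.
ZIP3_POPULATION = {"021": 600_000, "036": 12_000}

SAMPLE = {
    "name": "Jane Doe",
    "ssn": "000-00-0000",
    "street_address": "1 Example St",
    "city": "Boston",
    "state": "MA",
    "zip": "02115",
    "birth_date": date(1930, 5, 1),
    "admission_date": date(2023, 3, 14),
    "diagnosis_code": "E11.9",
    "study_nickname": "blue",    # not covered by the rules: goes to review
}

if __name__ == "__main__":
    cleaned, report = deidentify(SAMPLE, ZIP3_POPULATION, as_of=date(2024, 1, 1))
    print(cleaned)
    print(report)
```

Running the sample shows the two transformation edge cases in one record: the 1930 birth date makes the subject 93, so the age becomes "90+" and the birth date is dropped entirely rather than reduced to its year, while the admission date keeps its year. A second record with a zip in the low-population "036" area would get "000" instead of a three-digit prefix.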
For questions about DUA processing, please contact Industry Engagement at email@example.com.