Data Use Agreements

What is a Data Use Agreement?

A Data Use Agreement (DUA) is a contract that outlines the terms and conditions for transferring and using data between two or more parties, often when the data is non-public or subject to restrictions. It specifies permitted uses, limitations, and obligations for handling the data, ensuring proper access, security, and accountability.

Key Components of a Data Use Agreement:

  • Parties Involved: Identifies the data provider and recipient(s).
  • Data Description: Specifies the data being transferred and its characteristics.
  • Permitted Uses: Defines how the recipient can use the data, including any specific research, analysis, or other purposes.
  • Limitations on Use: Outlines any restrictions on the data’s use, such as prohibitions on further disclosure, commercialization, or identification of individuals.
  • Data Security Measures: Specifies the recipient’s obligations to protect the data from unauthorized access, use, or disclosure.
  • Duration and Termination: Defines the agreement’s validity period and conditions for termination.
  • Reporting Requirements: Specifies any reporting obligations, such as notifying the provider of unauthorized data use or breaches.
  • Disposal or Return of Data: Outlines how the data should be handled at the end of the agreement (e.g., deletion, return).
  • Governing Law and Jurisdiction: Specifies the applicable laws and the jurisdiction where disputes will be resolved.

FDU must ensure that a research data use agreement, involving human subjects, with another Institution, Organization and/or Agency is reviewed, and requirements completed to ensure the proper safety, use and storage of data received from another Institution. Faculty, staff, and students using such data, that may have identifiable information or non-identifiable information, must comply with the following procedures and requirements.

Submission of the DUA for review

DUAs are requested to be e-mailed to the HRCM (kim_diccianni@fdu.edu) for review, cc’ing the CISO (ddunkerley@fdu.edu). The HRCM will review the DUA to ensure compliance with IRB review processes and procedures. The CISO will review all relevant sections of the DUA to ensure FDU security, safeguards, and policies are met. If the CISO determines that additional review and guidance is required, the DUA will be forwarded to the Data Safety Response Team (DSRT) for review. The HRCM will be notified if a review is needed. The HRCM will notify the requestor(s) of the DUA.

DUA Requirements for Faculty and Staff

  • The DUA must name Fairleigh Dickinson University as the Institution receiving the data and the names of those working with the data. (If a student, see below). All named individuals must verify he/she/they will comply with the restrictions and the requirements for data use.
  • All named individuals must complete FDU’s required WISP training. A copy of the completion certificate must be sent to the HRCM.
  • The data should be encrypted, and password protected. The following parameters for the password creation are required:
    • At least one uppercase letter
    • At least one lowercase letter
    • At least one digit (0 through 9)
    • At least one special character ($, @, # and so on)
    • A password will not include a single instance of a dictionary word
    • A password will not include the user’s user ID or email address
    • A password will not include the name of a group the user account belongs to
  • The work should only be completed on an FDU provided laptop or desktop running whole disk encryption.
  • The data should not be taken off the FDU provided laptop or desktop. All data storage must be in compliance with the DUA.
  • At the time of sending the WISP certification to the HRCM, verification must also be provided that all will be in compliance with the above. A copy of documentation of compliance should also be retained by the faculty and/or staff member.
  • Once the work is completed, those named must comply with the requirements of the DUA for the deletion/storage of the data.
  • The HRCM must be e-mailed with confirmation that all the above will be completed and provided with the most recent copy of the DUA, if any changes are made, for review and signature by the UD, GSP. The CISO will be updated by the HRCM so that all is completed and the DUA is ready to be reviewed and signed by the UD, GSP. The HRCM will forward the DUA to UD, GSP cc’ing the requestor(s).

DUA Requirements for Students

The following additional requirements must be completed for students requesting access to data at another Institution where a DUA is required.

  • The student must have a Faculty Sponsor. The DUA must be between FDU, on behalf of the Faculty Sponsor of the student, with the data owning Institution. The student(s) should also be added to DUA as they will be completing the work/research activities.
  • The student must review and comply with the University’s Acceptable Use Policy (AUP) and the Confidentiality Agreement found here https://it.fdu.edu/acceptable-use-policy-for-computer-usage/ and https://it.fdu.edu/confidentiality-agreement-and-security-policy/
  • Faculty Sponsors must provide a copy of their current WISP training completion certificate to the HRCM.
  • The faculty sponsor must create a Student Worker Request Form found here: https://it.fdu.edu/category/forms/
  • Once the form is approved, an account is created, this will allow the student to complete the WISP training. The student will be provided with a separate account from their student account to complete the work/research activities. This Student Worker account must be used for all official communications related to these work/research activities.
  • The student must comply also with all the above requirements listed under DUA Requirements for Faculty and Staff.

IRB Review of the Use of the Data

The faculty, staff or student(s) using the data for the Data Use Agreement must review all information on the IRB website or contact the HRCM to ensure that all IRB processes and procedures are satisfied or completed. The researcher must at least complete a Human Research Determination form to ensure that further IRB review is not required or necessary if identifiability of the data is known. If it is not known, the HRCM must be provided with this information, and the requestor and/or student must contact the HRCM once identifiability is known before any work/research activities begin/begin. Once that form is reviewed, the HRCM will determine if further review by the IRB is necessary. If it is determined that the project requires review, the HRCM will provide guidance on the review process to the researcher. No work or research activities with the data can be done until all IRB review requirements have been completed.

Execution/Signing of the DUA

Once the above information is confirmed by the HRCM, the DUA will then be forwarded to the UD, GSP for review and signature. The signed DUA will be provided back to the requestor(s) once signed by the UD, GSP cc’ing the HRCM. A copy of the executed DUA must be provided to the HRCM at the time of the IRB submission of a human subject to research determination, exempt determination, expedited or full board review documents.