Data Use Agreements

Data Use Agreements

Data Use Agreements

Data Use Agreements (DUA) are non-funded contracts which define the terms and conditions of non-public data that is subject to restricted use. A DUA is normally used to assist parties wishing to share data to better understand important information regarding the data being exchanged, such as privacy rights that are associated with transfers of confidential or protected data, obligations to safeguard the data, limitations on use of the data, and any liabilities related to the use of the data.

A DUA should not be used if a funding agreement is in place between UAB and the other entity for the same project. The project’s funding agreement should address data sharing.

If the agreement being submitted is a research collaboration agreement, or an agreement for a departmentally funded project in which the sponsor requires the agreement to cover extended terms and conditions, please submit an editable version of the agreement to OSP with a UAB Extramural Support Checklist and an Original/New RPL.

There are typically three types of data that can be shared by UAB and other institutions.

De-identified Data

De-identified data is data that has been “stripped of all HIPAA defined identifiers” – a DUA is not normally required however some institutions may require a DUA just to cover their transmission of the data to another entity.

Limited Data Set (LDS) Data

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip” - a LDS DUA is required when HIPAA authorization for the data sharing has not been obtained from the participants. If participants have signed a HIPAA authorization that allows for the data sharing, a DUA referencing a LDS is not appropriate.

Protected Health Information (PHI)

Protected Health Information is data “beyond that which would qualify as a LDS” – Sharing PHI data requires a BAA (Business Associate Agreement) if the participants have not signed a HIPAA authorization for the data sharing.

Submitting a DUA to OSP

To submit a data use agreement to the UAB Office of Sponsored Programs, please include the following forms to osp@uab.edu;

  1. UAB Data Use Agreement (DUA) Checklist - is required for DUA submissions. Additional required documents are described within this form.
  2. Editable Version of DUA Agreement - provide a Word version of the DUA agreement provided by the institution sending data. If an agreement needs to be drafted, please indicate in the body of the email.
  3. Project Description - details the work to be done by the recipient with the Data (if UAB is the Provider of Data), or details the work to be done by UAB (if UAB is the Receiver of Data).

dbGAP Data Requests - NCBI (National Center for Biotechnology Information)

Developed and operated by the National Library of Medicine’s National Center for Biotechnology Information (NCBI), dbGaP archives and distributes data from studies that have investigated the relationship between phenotype and genotype, such as genome-wide association studies (GWAS).

The database provides two levels of access: open (available to anyone with no restrictions), and controlled (requiring preauthorization). The controlled-access portion of the database provides for downloads of individual-level genotype and phenotype data that have been de-identified (i.e., no personal identifiers, such as name, etc.).

HIPAA DUA Decision Tree