Explore UAB

Data Use Agreements (DUA) are non-funded contracts which define the terms and conditions of non-public data that is subject to restricted use. A DUA is normally used to assist parties wishing to share data to better understand important information regarding the data being exchanged, such as privacy rights that are associated with transfers of confidential or protected data, obligations to safeguard the data, limitations on use of the data, and any liabilities related to the use of the data.

A DUA should not be used if a funding agreement is in place between UAB and the other entity for the same project. The project’s funding agreement should address data sharing.

If the agreement being submitted is a research collaboration agreement for ongoing collection of data or retrospective collection of data, or an agreement for a departmentally funded project in which the sponsor requires the agreement to cover extended terms and conditions, please submit an editable version of the agreement to OSP with a UAB Extramural Support Checklist, Scope of Work, Cost Sharing Commitment Form (as applicable), and an Original/New RPL.


Types of Data

There are typically three types of data that can be shared by UAB and other institutions.

De-identified Data

De-identified data is data that has been “stripped of all HIPAA defined identifiers” – a DUA is not normally required however some institutions may require a DUA just to cover their transmission of the data to another entity.

Limited Data Set (LDS) Data

A limited data set (LDS) is data that has been “stripped of all HIPAA identifiers, except age/dates and city/state/zip” - a LDS DUA is required when HIPAA authorization for the data sharing has not been obtained from the participants. If participants have signed a HIPAA authorization that allows for the data sharing, a DUA referencing a LDS is not appropriate.

Protected Health Information (PHI)

Protected Health Information is data “beyond that which would qualify as a LDS” – Sharing PHI data requires a BAA (Business Associate Agreement) if the participants have not signed a HIPAA authorization for the data sharing.



Submitting a DUA to OSP (excluding dbGaP DUA requests)

To submit a data use agreement to the UAB Office of Sponsored Programs, please include the following forms to This email address is being protected from spambots. You need JavaScript enabled to view it.;

  1. UAB Data Use Agreement (DUA) Checklist - is required for DUA submissions. Additional required documents are described within this form.
  2. Editable Version of DUA Agreement - provide a Word version of the DUA agreement provided by the institution sending data. If an agreement needs to be drafted, please indicate in the body of the email.
  3. Project Description - details the work to be done by the recipient with the Data (if UAB is the Provider of Data), or details the work to be done by UAB (if UAB is the Receiver of Data).
  4. Submit to the IRB. If your DUA includes human subjects research information, IRB approval is required. If you have an existing approval, submit a revision/amendment form to link to the DUA OSP number. See ePortfolio Initiated Applications: How to Create an Amendment. If the DUA is not related to an existing IRB protocol, follow the instructions for submitting an initial application here, providing the OSP Assigned Number on Page 7 of the ePortfolio. See How To Create an Initial Application Submission Using the ePortfolio.


Submitting dbGaP DUA Requests

Developed and operated by the National Library of Medicine’s National Center for Biotechnology Information (NCBI), dbGaP archives and distributes data from studies that have investigated the relationship between phenotype and genotype, such as genome-wide association studies (GWAS).

The database provides two levels of access: open (available to anyone with no restrictions), and controlled (requiring preauthorization). The controlled-access portion of the database provides for downloads of individual-level genotype and phenotype data that have been de-identified (i.e., no personal identifiers, such as name, etc.).

Please review both Starting Point to Applying for dbGaP Data and dbGaP Request Procedures to Access Individual-Level Data for detailed guidance from NCBI for requesting access to data. 

  1. The Principal Investigator (PI) and institutional Signing Official (SO) must have existing eRA Commons accounts. If you not have an existing account, please see the eRA Commons account registration page.
  2. The PI must login to the dbGaP controlled-access data request login page using the PI's eRA Commons username and password. The login page also includes information on who can apply for access, how to apply for access, and why access is controlled.
  3. If this is the PI's first dbGaP request, the PI will be prompted to provide contact information.
  4. The PI clicks on the "my projects" tab where a link is provided for new data request.
  5. The PI follows the provided directions for completing the SF 424 (R&R) to request data access. 
  6. Notable information provided in these forms:
    • Select your OSP Federal Grants Officer as the SO.
    • Provide a statement summarizing the proposed research use for requested data.
    • Provide a list of collaborating investigators at the same institution. Collaborators at other institutions must submit separate requests for co-submissions with their local SOs.
  7. Submitting a data access request will constitute agreement and acknowledgement by both the PI and SO to the terms of use for the specific dataset(s) requested. Data Use Certification (DUC) outline policies and procedures for data use (e.g., distribution controls, confidentiality protections).
  8. After the PI completes the electronic data request process, the SO will be notified by email that a request has been submitted and is awaiting signoff.
    • The PI should separately complete and submit a UAB Expedited Checklist to This email address is being protected from spambots. You need JavaScript enabled to view it. for routing to the appropriate OSP Federal Grants Officer.
  9. The SO will login to the dbGaP authorized access system to review the PI's application. The SO has the ability to edit the forms, return the forms to the PI for revision, or sign off that the submitted application is valid.
  10. The PI and SO will receive emails updating them on the status of a request or any required actions.
  11. Once submitted, the Data access request is reviewed by the appropriate Data Access Committee(s) at NIH.
  12. Both the PI and SO will be notified by email of approval or disapproval for the data access request.