Data Use Agreement (DUA)

When is a DUA Needed?

Generally speaking, a DUA is needed any time confidential information (data) is exchanged between entities.* A DUA provides assurances to the institution releasing the data that the data will be protected and will be used only for a specific purpose. This is especially important when the data being exchanged is subject to HIPAA regulations.

Certain entities, including NIH and the International Cancer Genome Consortium, require that a DUA be executed before granting a researcher access to their databases. These Data Access Agreements do not require any negotiation, but they do require institutional approval. For this reason, the process for obtaining institutional approval is the same as for other DUAs.

When applicable, IRB Approval is required before a DUA will be signed at the institution level.

Data Use / Data Access Agreements address issues such as:

  • Publication Rights and Authorship Requirements
  • Data Security/ Data Protection Obligations
  • HIPAA Compliance
  • Permitted Uses of the Data
  • Reporting Requirements
  • Sponsor’s Audit Rights
  • Termination of an Agreement

*PLEASE NOTE: When a VCU investigator is receiving HIPAA-covered data from the VCU Health System via a Limited Data Set, a different type of DUA is needed. That agreement is executed between the PI and the VCU IRB. It can be found on the VCU IRB website.

Sending/Receiving Data

Regardless of whether you are sending or receiving data, the process for implementing a DUA is fairly simple. Just submit a DUA Request form to let us know you need an agreement executed, and we’ll take it from there.

Sending Data to an outside entity

  • Complete the relevant sections of the Data Use (DUA) Request Form.
  • Log in to RAMS-SPOT.
  • Select “Submit Document for Review” in the yellow workspace on the left.
  • Answer the ensuing questions, and be sure to assign the review to the Gray Team.
  • Upload the DUA Request form and submit.

The Gray Team in the Office of Research Administration & Compliance will draft a preliminary agreement and negotiate acceptable terms directly with the outside entity.

Progress of the review and negotiation can be tracked in RAMS-SPOT. Once the agreement has been signed by both parties and all necessary regulatory approvals are in place, the PI is free to send the data to the requesting scientist. The final executed agreement will be available in RAMS-SPOT for convenient reference.

Receiving Data from an outside entity

  • Complete the relevant sections of the Data Use (DUA) Request Form. PLEASE NOTE: If the associated project is not externally sponsored, the signature of the PI’s department chair is required to document his/her approval of the work.
  • Log in to RAMS-SPOT.
  • Select “Submit Document for Review” in the yellow workspace on the left.
  • Answer the ensuing questions, and be sure to assign the review to the Gray Team.
  • Upload the DUA Request form, as well as the draft agreement sent by Provider (if applicable), and submit.

The VCU Office of Research Administration & Compliance will review the draft agreement and negotiate acceptable terms directly with the outside entity. Particular attention is given to any other agreements or approvals associated with the project, to ensure that no terms contradict each other.

Progress of the review and negotiation can be tracked in RAMS-SPOT. Once the agreement has been signed by both parties (i.e., “fully executed”), the PI is free to receive the data. The final executed agreement will be available in RAMS-SPOT for convenient reference.

Compliance Review

Review by the Office of Research Administration & Compliance focuses on ensuring that the Terms of the Agreement do not conflict with any state laws, university policies, or other project-related agreements.

  • If the Data was collected as part of a human research subjects protocol, we will confirm that the PI has an IRB approval or exemption on record.
  • If the data will be received from or shared with a foreign country, we will confirm that doing so does not violate any Export Control Laws.

The following terms are the most common “problem points” that need to be revised/negotiated with the other party:

  • Publication rights – VCU’s investigators must have the academic freedom to publish their work. Sponsors cannot require excessive pre-publication delay or impose other limitations on publication.
  • Intellectual Property rights – In accordance with the Intellectual Properties policy, VCU cannot agree to assign its rights in a VCU investigator’s invention to a third party. Ownership of the results of an investigator’s work similarly must stay with the university.
  • Confidentiality requirements – VCU policy limits the duration of a commitment to protect confidentiality and sets certain requirements for how confidential information is identified. Also, because VCU is a public institution and is subject to the Freedom of Information Act, agreements must make allowances for legally-required disclosures, including the existence and terms of an agreement.
  • Indemnification – VCU does not have the authority to execute an indemnification agreement and cannot indemnify any third party. VCU does, however, accept responsibility for its own actions.
  • Governing Law - VCU cannot agree to be bound by the laws of another state or country.

Research Data Ownership, Retention, Access, and Security Policy