Data Use Agreement (DUA)

When is a DUA Needed?

Generally speaking, a DUA is needed any time non-public data is exchanged between entities.* A DUA provides assurances to the institution releasing the data that the data will be protected and will be used only for a specific purpose. This is especially important when the data being exchanged is subject to HIPAA or FERPA regulations.

Certain entities, including NIH and the International Cancer Genome Consortium, require that a DUA be executed before granting a researcher access to their databases. These Data Access Agreements do not require any negotiation, but they do require institutional approval. For this reason, the process for obtaining institutional approval is the same as for other DUAs.

Data Use / Data Access Agreements address issues such as:

  • Publication Rights and Authorship Requirements
  • Data Security/ Data Protection Obligations
  • HIPAA Compliance
  • Permitted Uses of the Data
  • Reporting Requirements
  • Disposition Requirements when the agreement ends

*PLEASE NOTE: When a VCU investigator is receiving HIPAA-covered data from the VCU Health System via a Limited Data Set, a different type of DUA is needed. That agreement is executed between the PI and the VCU IRB. It can be found on the VCU IRB website.

Sending/Receiving Data

Regardless of whether you are sending or receiving data, the process for implementing a DUA is fairly simple. Just submit a DUA Request in RAMS-SPOT to let us know you need an agreement executed, and we’ll take it from there.

To submit a DUA Request:

  • Log in to RAMS-SPOT.
  • Select “Submit Document for Review” in the yellow workspace on the left. (Use this process even if you do not have a document to submit.)
  • Answer the ensuing questions, and be sure to assign the review to the Gray Team. Careful, thorough responses will help expedite the review process by reducing or eliminating the need for questions from the review staff. If the PI is clear about his/her needs and intentions, we will be better able to negotiate an agreement that is consistent with those needs.
  • Upload the draft agreement sent by the Provider (if applicable) and submit.

The Gray Team in the Office of Sponsored Programs ( will draft a preliminary agreement, or review the one sent by the other party, and negotiate acceptable terms directly with the outside entity.

Progress of the review and negotiation can be tracked in RAMS-SPOT. Once the agreement has been signed by both parties and all necessary regulatory approvals are in place, the PI is free to send or receive the data. The final executed agreement will be available in RAMS-SPOT for convenient reference.

IMPORTANT NOTE: VCU cannot sign an agreement in which human subjects data is exchanged until the IRB has approved the protocol associated with that exchange. If the data is deidentified, you will need IRB documentation that the proposed project does not meet the criteria for “human subjects research.” For fastest turn-around, please do not submit a DUA request until you have IRB approval (or are very close to it).

Compliance Review

Review by the Office of Sponsored Programs focuses on ensuring that the Terms of the Agreement do not conflict with any state laws, university policies, or other project-related agreements.

  • If the Data was collected as part of a human research subjects protocol, we will confirm that the PI has an IRB approval or exemption on record.
  • If the data will be received from or shared with a foreign country, we will confirm that doing so does not violate any Export Control Laws.

The following terms are the most common “problem points” that need to be revised/negotiated with the other party:

  • Publication rights – VCU’s investigators must have the academic freedom to publish their work. Sponsors cannot require excessive pre-publication delay or impose other limitations on publication.
  • Intellectual Property rights – In accordance with the Intellectual Property policypdf logo, VCU cannot agree to assign its rights in a VCU investigator’s invention to a third party. Ownership of the results of an investigator’s work similarly must stay with the university.
  • Confidentiality requirements – VCU policy limits the duration of a commitment to protect confidentiality and sets certain requirements for how confidential information is identified. Also, because VCU is a public institution and is subject to the Freedom of Information Act, agreements must make allowances for legally-required disclosures, including the existence and terms of an agreement.
  • Indemnification – VCU does not have the authority to execute an indemnification agreement and cannot indemnify any third party. VCU does, however, accept responsibility for its own actions.
  • Governing Law - VCU cannot agree to be bound by the laws of another state or country.

Research Data Ownership, Retention, Access, and Security Policypdf logo