Data Use Agreements

Procedures and Information


A Data Use Agreement (DUA) is a contractual document between a “Data User” (usually the UMBC investigator requesting access to information) and the “Data Set Source” (the organization or institution providing the data) describing the provisions associated with the transfer of confidential, protected , or restricted-use data. Examples include records from governmental agencies or corporations, student records information, existing human research subjects data, and limited data sets.

DUAs address important issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. The DUA also assures that Data Users are using the data in accordance with applicable law (e.g. HIPAAFERPA) and prevents the inappropriate use of protected or confidential data that could cause harm to the investigator, the University, or individuals whose data is part of the data set.

In general, a Data Use Agreement includes:

  • What data will be released or shared
  • Who has ownership of the data
  • What, if any, identifiers will be included
  • The purposes for which the data may be used
  • With whom, if anyone, the data may be shared
  • Data security and safeguards
  • To whom violations of the agreement should be reported
  • The term of the agreement
  • The disposition of the data at the end of the agreement
  • Any indemnification or insurance requirements

Review of Data Use Agreements

It is important for researchers to read the terms of a DUA before routing the draft Agreement to the UMBC Office of Sponsored Programs (OSP) for review. It is the researcher’s responsibility to understand and follow the terms of the DUA and to only use data for purposes specified. OSP assumes that a researcher who transmits a DUA to OSP has read and agrees to conform to those terms, whether or not the researcher’s signature is required on the DUA itself. When a researcher signs such an agreement, they could be subjected to legal and financial risks. A researcher should not sign a DUA prior to OSP approval of the DUA.

OSP serves as the campus signatory for research-based Data Use Agreements. DUAs must be routed through Kuali Research to OSP for final sign-off and approval. OSP is authorized to enter into contractual agreements, including DUAs, on behalf of UMBC to ensure compliance with appropriate policies and regulations. Researchers are not authorized to negotiate or sign these agreements and cannot sign DUAs on behalf of UMBC. DUAs should not be signed by University faculty or staff members in the absence of institutional approval from OSP.

Data Use Agreements and Human Subjects Research

DUAs are commonly used when a researcher wishes to access archives or restricted data sets that may contain identifiable information about individuals for the purpose of conducting such projects. The IRB must be contacted if the use of the archived protected health data falls under the IRB’s definition of “research.” Research dealing directly with data with personal identifiers may require a HIPAA Authorization to use and/or disclose PHI (for individual authorizations to access PHI) or a HIPAA Waiver of authorization (for request of large sample size where individual authorizations are impractical and the request meets privacy rule specifications).  Application forms must address the protective mechanisms planned to protect the identity of persons and to evaluate the security of procedures to safeguard these identities.

When a DUA is a part of the project submitted to the IRB, a draft version must be included in the protocol application. The IRB may provide conditional approval of a protocol if it is needed in order to get a DUA signed, but final IRB-approval will not be granted until a copy of the signed DUA is received from the Office of Sponsored Programs and submitted to the IRB.

For more information, please click here or contact the ORPC at 5-2737 or


Sometimes, a transfer of data from one entity to another is addressed in the context of a larger agreement between the parties, such as a subaward agreement or a contracted services agreement.  Data transfer as part of such a collaborative research project is often addressed in the study protocol or in the funding agreement terms and conditions.  In those cases, a separate DUA is generally not necessary.  However, for a data transfer that takes place in the absence of a funding agreement (grant, contract, subaward, contracted services agreement, etc.) between the provider and the recipient, a DUA will be needed.

Please follow the following link for the Training Guide for routing DUAs at UMBC: A link to the Guide also appears on the OSP website under “Forms”: These step-by-step instructions provide guidance on how to route the DUAs in Kuali and how to complete the DUA Questionnaire in Kuali as well.

When conducting research with data that contains personal identifiers but does not fall under the above IRB’s definition of research (e.g. Other Sponsored Activity), then the IRB would not be involved. However, the HIPPA Privacy Rule applies when researchers want to obtain, create, use, and/or disclose individually identifiable health information (See Health Information Privacy Rule topics – Research Use Purposes Rule Application to Research Projects). OSP will expect that any HIPPA waiver would have already been obtained by the data owner, as outlined by the scope of an executed agreement between UMBC and the Data owner.

Any and all additional and applicable compliance documentation should be attached to the DUA routing in Kuali.   OSP must receive and review the DUA Routing before they can begin a review of the draft Data Use Agreement.

Additional Information