The Office of Research Integrity (ORI) centrally manages Data Use Agreements that involve research data. From start to finish, ORI will coordinate all behind-the-scenes required reviews (e.g., with CIS, OGC, etc.) and work expeditiously to bring draft agreements to execution on behalf of the investigator. The Office of Research Integrity requires completion of the Data Use Agreement (“DUA”) Request form for all proposed incoming and outgoing DUAs to ensure that appropriate terms & conditions are negotiated.  Please email any questions about the request or this form to [email protected] 

What is a Data Use Agreement (DUA)?

Do I need a DUA?

Where do I obtain a DUA?

Who has authority to sign a DUA?

Storing and Sharing Data

How do I initiate review of a DUA?

Documents required for submission

Amendments to an existing Data Use Agreement

What is a Data Use Agreement?

A Data Use Agreement (DUA), sometimes referred to as a Data Transfer Agreement (DTA) or Data Sharing Agreement (DSA) or other variations on these terms, is a formal, written agreement into which two parties enter that establishes specific ways in which the data may be used and how it must be protected. Often, this data is a necessary component of a research project. It may or may not be human subject data from a clinical trial, or a Limited Data Set as defined in HIPAA. Importantly, investigators may not enter Brown University into such agreements -- review and signature is required by a responsible party on behalf of the University (which is not the PI).

A data use agreement (DUA) provides that the recipient of the data will:

  • not use or disclose the information other than as permitted by the DUA or as otherwise required by law,

  • use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the DUA,

  • report to the providing party uses or disclosures that are in violation of the DUA, of which it becomes aware,

  • ensure that anyone to whom the receiving party provides the information to abides by the same restrictions and conditions that apply to the original recipient with respect to such information, and

  • not re-identify the information or contact an individual and, if stated in the DUA, not combine the data with other datasets.

Data Use Agreements may be incoming, when an external party will be sharing data with Brown, or outgoing, when Brown will share data with an external party.

Why do I need a DUA?

  • DUA terms protect confidentiality when necessary, but permit appropriate publication and sharing of research results in accordance with University policies
  • DUAs legally bind the institution and the individual researcher(s) to appropriate use of the data
  • Data shared via a DUA are frequently identifiable human subjects or otherwise sensitive data about individuals

When do I need a DUA?

  • When no other contract governs the transfer (i.e. no subcontract, grant or clinical trial agreement)
  • When the data is protected, sensitive, or otherwise deemed confidential
  • When the data being provided is to be used for research purposes

Outgoing DUA

When Brown is the data provider, a DUA is required to transfer the following types of data:

  • Individually identifiable health information or protected health information (“PHI”)
  • Student information derived from education records that are subject to Family Educational Rights and Privacy Act (“FERPA”)
  • Data that is controlled by laws or regulations other than or in addition to those listed above
  • Data obtained from another individual or organization under obligations of confidentiality
  • Data whose storage, use and transfer must be controlled for other reasons (e.g., Level 3 data that will be shared with anyone outside of Brown, or proprietary concerns)

Incoming DUA

When Brown is the data recipient, a DUA may be required for any of the reasons listed above, or as otherwise required by the data provider

  • If you request to receive data from an outside institution or organization, it is the responsibility of the data provider to determine whether a DUA should be executed prior to sharing the data with Brown.  Some governmental organizations have an application process that must be completed prior to the start of negotiations.  Please contact the ORI when starting this type of application process so that we can assist you with identifying and managing compliance issues. 
  • The data provider will share a template with the data sharing terms. Please submit this template to ORI through the DUA Request Form

When don't I need DUA?

  • When data is publicly available in the public domain

  • When data is exchanged that is not subject to a legal or other restriction on its use

  • When de-identified data is exchanged for research purposes under a subcontract or other form of agreement with the recipient

  • When the data provider does not require Brown to enter into a DUA for the transfer of data

Where do I obtain a DUA?

If the Brown researcher is the recipient of research data from a non-Brown entity:

  • The Brown researcher will most likely be asked to sign the other party’s DUA and should first confirm with the collaborating party that a DUA is required. Please then complete a DUA request form to submit this information to the Office of Research Integrity for review. If the providing entity does not have a standard template for a proposed agreement, the researcher should consult with the ORI directly.

If the Brown researcher is the providing party of an identifiable dataset:

  • The ORI is utilizing a DUA form template for use by Brown researchers who wish to disclose research data to recipients. The Brown researcher must first complete a DUA Request Form to submit this information to ORI for review. Don't hesitate to reach out to [email protected] if you have any questions or if you would like to schedule a meeting to discuss a DUA.

Who signs DUAs?

The Office of the Vice President for Research (OVPR) at Brown University is authorized to enter into research agreements, including DUAs, on behalf of the University. ORI facilitates review and approval of all data contracts and data sharing agreements. Before forwarding the agreement to ORI for University signature, it is important for the researcher to read the terms of a DUA and agree to abide by those terms

  • The Office of the Vice President and General Counsel (OGC) as well as Computing and Information Services (CIS) may be consulted in the review and approval of any data security management plans and negotiation of applicable terms. Please allow for additional time that is usually required for these reviews.​

  • Researchers are not authorized to sign agreements on behalf of the University. If a researcher signs such an agreement on behalf of the University, the researcher could be subjected to legal and financial risks and the agreement is non-binding.

  • The School of Public Health leadership has authorization to review and sign its own Data Use Agreements for Centers for Medicare and Medicaid Services data.

Other information:

Storing and Sharing Data:

What is a limited data set?

A “limited data set” is defined as health information that excludes certain direct identifiers (listed below).

The Privacy’s Rule limited data set provisions requiring the removal of direct identifiers apply both to information about the individual and to information about the individual's relatives, employers, or household members.

The following identifiers must be removed to qualify as a limited data set:

  1. Names

  2. Street address information (other than town or city, state, and zip code)

  3. Telephone numbers

  4. Fax numbers

  5. E-mail addresses

  6. Social security numbers

  7. Medical record numbers

  8. Health plan beneficiary numbers

  9. Account numbers

  10. Certificate/license numbers

  11. Vehicle identifiers and serial numbers (including license plate numbers)

  12. Device identifiers and serial numbers

  13. Web universal resource locators (URLs)

  14. Internet protocol (IP) address numbers

  15. Biometric identifiers, including fingerprints and voiceprints

  16. Full-face photographic images and any comparable images

A limited data set may include:

  1. Dates such as admission, discharge, service, DOB, DOD;

  2. city; state; zip code; and

  3. age in years, months or days or hours.

To Initiate Office of Research Integrity (ORI) review:

  1. PI completes DUA Request Form

  2. Upon electronic receipt of a new request, the Office of Research Integrity will begin initial submission review and will contact the PI and the administrative contact listed in the submission if any of the required documentation is missing or incomplete.

  3. Once the terms have been finalized, the agreement will be circulated for signature.

  4. Once the agreement has been fully executed (signed by all parties), a PDF copy will be provided to the PI and to the administrative contact listed in the submission.

Documents required for submission:

  1. Completed DUA Request Form

  2. Proposed DUA (as an editable Word document) or request to use Brown DUA template (if Brown is receiving data from another entity)

  3. IRB approval letter (for human subjects research data)

Amendments to Existing Data Use Agreements

For incoming data, a DUA amendment may be required by the data provider for changes to the existing agreement.

Amendments may be necessary for:

  • changes in custodian/contact information
  • adding data files
  • requesting an extension
  • adding a collaborator

Please submit the proposed amendment and original agreement to [email protected] for review and once the amendment terms have been finalized, the agreement will be circulated for signature by OVPR.

For outgoing data, ORI will draft an amendment to an existing agreement upon request. Please begin by submitting the request to [email protected] for review.

Need additional help?

Please contact us at [email protected] 


Please contact Kelsey MacKinnon, Research Agreement Manager at [email protected] or 401-863-3278

FAQ Categories