Data Use Agreement (DUA)

A Data Use Agreement (DUA) is a binding contract between organizations governing the transfer and use of data. The transfer of data between organizations is common in the research community. When the data is confidential, proprietary, or otherwise considered sensitive, the organization providing the data (“Provider”) will often require that the organization receiving the data (“Recipient”) enter into a written contract to outline the terms and conditions of the data transfer. Such a contract is referred to as a DUA and must be signed by a Harvard Chan School Institutional Authorized Signatory in the Office of Research Administration (“ORA”). 

Note: DUAs may not be signed by University faculty or staff members in the absence of institutional approval from the appropriate Negotiating Office.

Process for Incoming DUA

Harvard has expanded its Huron IRB-ESTR system to include two new modules: DUA-Agreements and Data Safety. The new modules are in response to the recent rise in data security requirements and regulations.

This updated process for data use agreements (DUAs) applies when a Harvard Chan researcher requests access to another party’s data, referred to as INCOMING DATA (PDF version of process). A separate, similar process covers Harvard Chan researchers sending data out to another party.

Purpose of Process

The past few years have seen a sharp increase in specific data security regulatory requirements for research data throughout the world. Given the evolving landscape of data safety laws and standards (e.g., GDPR[1], FISMA[2], NIST, CMMC, PIPL[3], etc.), Harvard needs to track its research data commitments more closely. This document updates Harvard Chan School’s DUA process to align with the new DUA and Data Safety modules of the ESTR/Huron system.

Process Snapshot

DUA Process Snapshot

Key Points

  • A DUA cannot be signed/finalized until there is IRB approval (or a not-human-subjects determination) and Data Safety approval, and the terms and conditions have been reviewed and, where necessary, negotiated.
  • The “Owner” in the DUA module is merely a system distinction. This person is only responsible for reviewing and, where necessary, negotiating the terms of the DUA. The researcher is responsible for making sure the IRB/not-human-subjects and Data Safety records are completed and related to the DUA record.
  • You can start the data review in any of the three modules and navigate to the other modules from any of them. MAKE SURE TO RELATE the records from each module.

Process Steps

  1. Human Subjects

    1. Data you are asking to use may be subject to IRB approval given the nature of the data.
  2. Data Safety

    1. Most datasets require some type of security measure to keep them safe from those not authorized to use them. Penalties for breaches can be steep, whether financial, administrative, or, likely, both. These penalties would affect not only you, but also the Harvard Chan School and Harvard University.
    2. The Harvard Chan School has a dedicated Research Computing resource.
      • Andy Ross is Harvard Chan’s Information Security Officer who can assist with any research data security question you may have, whether related to a data use agreement or not.
      • Read the Data Safety Submission Guide for assistance
  3. DUA Terms and Conditions

    1. This is the actual content of a DUA that outlines your responsibilities as well as Harvard’s, as requested by the data provider (or by law), in storing, using, and disposing of the data.
    2. Access the DUA module
    3. Often the terms are not unlike those you may find in a research grant/agreement, such as:
      • Intellectual property
      • Publishing
      • Indemnification
      • Data Security
    4. The DUA is reviewed and, if needed, negotiated pursuant to Harvard’s policies and practices by the Harvard Chan School’s Office of Research Administration (ORA).
      • ORA manages the DUA-Agreements module only. The IRB manages ESTR, and Data Safety manages the Data Safety module.
    5. PLEASE NOTE: A DUA CANNOT be signed by Harvard until the IRB and Data Safety approvals are satisfied.
      • If you are certifying to not-human-subjects, you need to upload the completed IRB questionnaire referenced in section 1.ii above to the “Supporting Documents” area of the DUA record.
      • You can also access the not-human-subjects determination questionnaire in the DUA system
    6. Read the DUA-Agreements Submission Guide

    1. ESTR, Data Safety, and DUAs are modules of one system, which allows you to “relate” records between the modules.
    2. This is a key function that allows the three offices with a role in finalizing a DUA (ORARC, IT Security, and ORA) to see the status of each record. An ORA reviewer can easily see whether IRB and/or Data Safety has been approved, making finalizing a DUA quicker and more efficient.



[2] FISMA – Federal Information Security and Modernization Act; NIST – National Institute of Standards and Technology; CUI – Controlled Unclassified Information (see also NIST 800-171 found at the NIST link above); FERPA – Family Educational Rights and Privacy Act

[3] PIPL: China’s Personal Information Protection Law