Do You Need a Data Use Agreement?
You have a Request For Application to review for a new principal investigator (PI) in the College of Education. You have enough time to do a read-through and start your checklist for the first meeting with Dr. Eager. She has an eye on an Institute of Education Sciences grant on the topic of Early Intervention in Special Education. Check! This is an area of research focus in Dr. Eager’s department and fits well with available resources.
Her focus is goal four, Effectiveness. You jump to that section of the Research Plan and note that this goal requires your PI to independently evaluate a fully-developed intervention. Hold! What intervention is Dr. Eager using? Where is she getting the data? When you reach out to ask this question, you find out that she will be using a dataset from another institution.
Okay, if this proposal is awarded, Dr. Eager may need to draft a Data Use Agreement (DUA). A DUA is a contract between the institution that owns a data set, an institution that will receive, as a whole or in part, the data for their own use, and occasionally a third party who will receive the data. The Common Rule, 45 CFR Part 46, subpart A, is Federal law that provides “a robust set of protections for research subjects.” The requirements of the law detail the circumstances under which data may be shared. A DUA satisfies the law by outlining the “terms and limitations on how the shared data can be used,” and it details the criteria that a receiving institution must meet to be eligible to receive the data (NIH, 2022). A DUA should address:
- Limitations on the use of data
- Liability for harm from the use of data
- Publication rights
- Privacy rights
- Access, storage, protection, use, transmittal, and disposal of data
- Protected Health Information (PHI) and Personally Identifiable Information (PII)
- Scope of the data set
- Proprietary information
- Prevention of inappropriate use of protected or confidential information
PHI is any personal health information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether for diagnosis, treatment, or research. The rule of thumb is that if any of the information is personally recognizable to the patient, or if it was utilized or discovered during the course of a healthcare service, it is PHI. PII is any information that can be used to identify, contact, or locate a person. Examples of PHI and PII include:
- Names
- All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, etc.
- Addresses or geographic data smaller than a state, such as zip codes
- Telephone and fax numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Device identifiers and serial numbers
- Internet protocol addresses (IP addresses)
- Full face photos and comparable images
- Biometric identifiers (e.g., retinal scan, fingerprints)
- Any unique identifying number or code
- ID information, such as a driver's license or passport
- Credit card numbers
- Bank account numbers
- GPS location data
- Photos
- Employment or educational records
Knowing what counts as PHI or PII is crucial to guiding your PIs in the area of DUAs as they consider the requirements they will need to meet if their proposal is selected for award. The best way to reduce risk to your human subjects is to limit the data you receive to strictly what you need for your analysis, avoiding PHI/PII where possible, thereby minimizing the DUA process. The dataset Dr. Eager will receive contains de-identified test scores and aggregate demographics. After discussing these requirements with Dr. Eager, you determine together that she will not need to develop a DUA because there is no PHI or PII.