Understanding Data Use Agreements and Confidentiality Agreements
Posted in: Sponsored Programs Central
As research administrators, we are primarily responsible for negotiating sponsored research agreements–i.e. agreements that exchange something of value (funding) to carry out a project/scope of work. However, this article focuses on the two types of non-monetary agreements we most commonly see at Montclair State University: Confidentiality Agreements and Data Use Agreements (DUAs). Both types of agreements outline provisions governing the transfer, protection, and destruction of sensitive and/or confidential data. But what does this information look like, and how do the terms of these agreements differ depending on what information they seek to protect?
In the context of Data Use Agreements that OSP negotiates, the term “data” most commonly refers to human subjects data, such as medical records or survey results. Data Use Agreements can also cover sensitive administrative data, de-identified datasets, or government-regulated information. In contrast, “confidential information” typically refers to non-public business/organizational information. There are different matters at stake here. It is important to protect data about individuals from being disclosed to the general public to prevent invasion of privacy, discrimination, or other kinds of physical, social, or economic harm to these individuals. By contrast, it is important to keep an organization’s proprietary information confidential to protect sensitive information and prevent other entities from infringing on intellectual property or releasing non-public information. Both these types of agreements can be one-way or two-way, or alternatively, “unilateral,” or “bilateral.” The party sharing the information is typically labeled the “Provider,” and the party receiving the data is the “Recipient.”
What is a Data Use Agreement?
A Data Use Agreement is used when there is a transfer of data between institutions that includes human subjects data or other kinds of sensitive data. These can include, but are not limited to the following:
- Medical records
- Human subjects research datasets
- School district data
- Census data
There are a number of regulations that govern the protection of this data. HIPAA covers protected health information (PHI), and FERPA regulations protect educational information. The FDP’s Tool for Classifying Human Subjects Data serves as a useful categorization tool for these cases.
Data Use Agreements contain terms on how to protect this information. The terms can vary depending on how sensitive the data is. Data Use Agreements define a discrete timeline for the recipient to be able to access the data. They also outline a plan for storing the data during the term of the agreement and a plan for returning or destroying the data after the term of the agreement has ended.
In the case of de-identified human subjects data, there is nearly always a provision specifying that the recipient must not use the data to try to re-identify or contact participants. The document also frequently outlines provisions about breaches of confidentiality, detailing who must be contacted in the event of a breach and how soon. Finally, the agreement can establish terms surrounding liability and indemnification to establish who can be held legally responsible for damages that may arise from misuse of the data.
What is a Confidentiality Agreement?
By contrast, a confidentiality agreement, often referred to as a Non-Disclosure Agreement (NDA) or Confidential Disclosure Agreement (CDA), exists to protect an organization’s proprietary information. For an industry sponsor, this could take the form of a scientific methodology or protocol, such as a particular drug company’s process for manufacturing a medication. Alternatively, it could be financial information or client information.
The standard terms in a Confidentiality Agreement outline what information must be kept confidential, often requiring that information is specifically labeled as such. This also includes defining what is not confidential information: that which has already been made public or that which was already known by the receiving party and is therefore not bound by the terms of the agreement.
The agreement outlines the obligations of the receiving party, including whether the information can be shared with any third parties (such as research associates assisting with the project). This often includes the clause that confidential information may be disclosed to a court upon legal request. Like a Data Use Agreement, Confidentiality Agreements outline how long the recipient may access the data and how and when it should be returned or destroyed. They may also contain a number of other standard contract clauses, such as limitation of liability (which party can be held responsible for damages) and governing jurisdiction (which municipality’s laws will govern a dispute).
Conclusion
Data Use Agreements and Confidentiality Agreements protect the interests of different parties: research participants and business partners, respectively. In negotiating these agreements, it is vital to consider not only the interests of the providing party, but also those of the receiving party (the researchers). In most cases, the top consideration is protecting researchers’ right to publish. In both of these kinds of agreements, research administrators often advocate for a publication clause establishing that the researcher may publish manuscripts, so long as they do not contain confidential information or the full dataset. Often, the provider of the data is granted a “review and comment” period, allowing them a certain amount of time to read the manuscript and request changes to protect their interests.
Faculty members should contact OSP when they are performing work on a project that involves providing or receiving any type of data from another institution, even if the project is not grant-funded. DUAs, NDAs, and CDAs must be reviewed and endorsed by the institution, so faculty members should not sign these agreements independently.