Data Use Agreements and Why They're Essential

Data is one of a company’s most valuable assets. Data use agreements (DUAs) outline the terms and conditions under which one party can use data owned by another. These agreements are becoming increasingly important in today’s data-driven world, where organizations often share and store sensitive and personal information.

This article will explore:

• What data use agreements are
• Who needs a DUA
• The elements and standard clauses of DUAs

A data use agreement is a legally binding contract between two parties that outlines the terms and conditions for the use and sharing of data. This agreement defines the purposes for which you can use the data, the responsibilities of each party concerning the data, and any restrictions or limitations on the use and dissemination of the data. A data use agreement aims to ensure the proper handling and protection of sensitive or confidential information while still allowing the data to be used for business or research purposes.

A data use agreement is necessary when sensitive information is collected and shared because it can provide added protection for the individuals and organizations whose data is being used. Though by no means an exhaustive list, some common scenarios for a DUA include the following.

Healthcare

A hospital or clinic will need a DUA when it shares patient data with a research organization conducting a study. The agreement will outline the specific purpose for which the data can be used, the measures that will be taken to protect the confidentiality of the data, and the responsibilities of each party in the event of a security breach.

Finance

If a bank shares customer data with a technology company to develop a new financial product, it will need a DUA to protect its customers’ privacy and confidential business data.

Technology

Software companies that share data with a third-party vendor to perform data analysis or develop new products also need to craft a DUA.

Research

Organizations or individuals who conduct research often sign a data use agreement to protect sensitive or confidential information. A DUA can ensure that the data is used only for research and that personal identifying information, such as the identity of human subjects, is removed before use.

Government

In government contracts, a data use agreement can ensure that sensitive or confidential data is shared only for authorized purposes and that users take appropriate measures to protect the confidentiality of the data.

A data use agreement outlines the terms and conditions under which a recipient may use data provided by a data owner. In contrast, a data-sharing agreement outlines the terms and conditions under which two or more parties will share data.

Both agreements address issues such as confidentiality, security, and ownership of the data. However, the focus and scope of these agreements can vary depending on the specific circumstances of the data-sharing arrangement.

Though it varies based on the specific use case, common elements of a DUA include the following:

• Name
• Legal Authority for Data Use
• Program Authority for Data Use
• Purpose
• Background
• Mutual Interest of Entities
• Responsibilities of Entities
• Funding Information
• Costs and Reimbursement
• Custodian of Data
• Agency Point of Contact (Project Officer)
• Data Security Procedures
• Inspecting Security Arrangements
• Data Transfer, Media, and Methods for the Exchange
• Reporting Requirements
• Records Usage, Duplication, and Re-disclosure Restrictions
• Record Keeping, Retention, and Disposition of Records
• Potential Work Constraints
• Ownership
• Results Reporting and Public Data Release Conditions
• Data Release Policy and Procedures for Researchers
• Penalties for Unauthorized Information Disclosure
• Term of the Agreement
• Constraints (Performance Standards, DUA Review Procedures, Audit Clause, Liability Issues, Definition of a Breach)

There are a few clauses that may be included in DUAs.

Data Definition

Data definition clauses often include a comprehensive definition of the relevant data. This clause can contain information on any restrictions on its use and who is authorized to access it. The description can outline the format of the data and any use limitations.

A limited data set refers to a subset of data that has been reduced in scope and size from a more extensive data set, often to protect sensitive information. For example, a limited data set may exclude certain identifying information, such as names, addresses, and Social Security numbers, to reduce the risk of unauthorized access or disclosure of the data.

Purpose of Use

The recipient’s intended use of the data can be included to ensure that the data is used only for the intended purpose and not for anything that could harm the data owner or violate laws or regulations.

Confidentiality

A confidentiality clause is often included in a data use agreement to prevent unauthorized disclosure of the data. This clause may include restrictions on the recipient’s ability to use, copy, or share the data and on transferring the data to a third party.

Data Security

Ensuring the security of the data is often covered in a DUA, and the agreement can outline the measures the recipient must take to protect it. Data security clauses may include technical and physical security measures, such as encryption, access controls, and secure storage.

Data Ownership

The data ownership clause can specify who owns the data and what rights the recipient has to use or disclose it. Clarifying ownership helps the data owner retain control over the data and take action if the recipient violates the terms of the agreement.

Term and Termination

The term of the agreement and conditions for terminating it can be part of a DUA — including conditions for early termination if either party breaches the contract or if the recipient violates any laws or regulations.

Liability and Indemnification

Provisions addressing liability and indemnification can be outlined in the event of unauthorized use or disclosure of data. This clause helps ensure that the recipient is held responsible for any damages caused by a breach of the agreement.

Compliance with Laws

The agreement can include a commitment by both parties to comply with all relevant laws and regulations related to the data, such as laws pertaining to data privacy, data protection, and data security.

Dispute Resolution

A dispute resolution clause can provide a process for resolving disputes between the parties, such as mediation, arbitration, or litigation.

Governing Law

Including the jurisdiction and governing law that will apply to the agreement can ensure both parties understand the legal framework that governs their relationship. Generally, contract law governs data use agreements. They may also be subject to privacy laws, data protection laws, and other laws related to specific types of data.

Some of the most commonly applicable laws include the General Data Protection Regulation in the European Union. The U.S. doesn’t have a singular law governing data protection. A mixture of laws, such as the California Consumer Privacy Act in California and the Health Insurance Portability and Accountability Act for health data, apply to data use.

Data use agreements help ensure the recipient uses the data responsibly and ethically while also protecting the rights and privacy of individuals. With increasing amounts of data being generated and shared, organizations may benefit from well-drafted DUAs that comply with applicable laws and industry standards. By doing so, organizations can establish trust with their customers, partners, and stakeholders and promote a secure and responsible data ecosystem.