Understanding Data Use Agreements
When you receive data from another institution, company, or agency, you will often be required to sign a Data Use Agreement (DUA). A DUA is a contract that lays out the data provider’s requirements around how the data must be stored, used, shared, and secured.
Why DUAs Are Important
- Clarity and Accountability: DUAs establish clear expectations around data ownership, permitted uses, publication rights, and liability. They help avoid misunderstandings after a project has started.
- Protect Participant Privacy and Intellectual Property: Data subject to a DUA often concerns human subjects or carries intellectual property concerns. The DUA spells out the security controls the data provider requires to keep the data safe and confidential while you use it, and may also name the specific state or federal laws or regulatory frameworks that apply, such as the HIPAA Security Rule or NIST SP 800-171.
- Protection for All Parties: They safeguard both the data provider and data user by defining responsibilities, security measures, and what to do in case of breaches or unauthorized use.
Researcher Responsibilities Under a DUA
Principal Investigators (PIs) have several duties before a DUA is in place:
- Review and Understand the Terms: Before asking University officials to sign a DUA, read each section carefully. Look for any frameworks, federal regulations, security controls, confidentiality measures, and data handling protocols the agreement requires. Everyone who will have access to the data must fully understand and be prepared to comply with all terms of the DUA; this is an essential part of responsible data stewardship and accountability.
- Classify Your Data: Identify any sensitive data you will be receiving, such as human subjects data (even if it is de-identified), human subjects data containing protected health information (PHI), Controlled Unclassified Information (CUI), or a HIPAA limited data set. The classification determines which protections the DUA requires.
- Align Security and Data Protection: Match every specified or implied requirement (e.g., encryption, restricted access, secure storage, auditing) against your systems and workflows. Confirm that the technical safeguards are in place and that the people involved can follow any non-technical (administrative) controls the agreement specifies. In some cases it is not reasonable to expect a research group to meet these requirements on its own. See Available Options for Regulated Research.
- Ensure Proper Institutional Review and Signature: Confirm that the agreement is reviewed and signed by the appropriate institutional official using established submission channels.
- Confirm IRB Coverage: When the work involves directly or indirectly identifiable information about human subjects (including limited data sets), ensure that an IRB-approved protocol is in place, and facilitate amendments to existing protocols if necessary to cover the incoming data.
- Acknowledge PI and Team Responsibilities: Approve the final language of the agreement by co-signing and acknowledging all responsibilities assigned to the PI and other research team members.
Researchers also have several responsibilities once a DUA has been signed:
- Ensure Team Awareness and Compliance: Make certain that all research team members understand and comply with their responsibilities under the DUA both at the beginning of the project and through any researcher staffing changes.
- Administer Required Training: Provide, notify, or arrange for any training required by the DUA and retain documentation of completion for all applicable team members, both current and future.
- Implement Security and Data Protections: Identify the data risk level and, as needed, work with IT support to apply the controls and configurations required to meet every DUA-specified requirement for security, storage, and destruction.
- Notify of Staffing Changes: Promptly notify the appropriate IT support contact or systems administrator of any changes in study team composition that may affect data access.
- Notify of Security Breaches: Promptly notify the appropriate parties of any security breach or unauthorized data access, following whatever breach-notification procedure and timeline the DUA specifies.
How Northwestern Supports You
- Assistance with Negotiation and Review: The Office of Sponsored Research can assist in negotiating DUAs, walking through clauses, and ensuring that risks are identified and mitigated. See About DUAs.
- Process for Submitting DUAs: Use CERES to initiate DUA requests. Sponsored Research will review the request and coordinate with the other institution to finalize the agreement.
- Signature Authority: PIs cannot sign DUAs on behalf of Northwestern University; only authorized officials who can legally bind the institution may sign. PIs and lab members may be asked to sign "Read and Understood" forms.
- Data Classification and Data Protections: Northwestern IT offers a portfolio of services designed to align with most compliance frameworks. Research Computing and Data Services can help match your data protection needs to the appropriate services based on data classification. See Choosing Appropriate Storage.