IRB Guidance: Data Release Agreements
This page addresses requirements when receiving research data or other information covered by a contract, MOU, data sharing and/or data use agreement.
Many research projects include a contract or other legal agreement as part of the proposed application. These agreements, while presented with a number of different acronyms and titles - Data Use Agreements (DUA), Data Transfer Agreements (DTUA), Memorandums of Understanding (MOU), Business Associate Agreement (BAA) - all fall under the umbrella of Data Release Agreements. For the purposes of this document, Data Release Agreement is used. However, please note that the same or similar provisions are applicable to all of the agreements (and others) mentioned above.
A Data Release Agreement is a contractual document used for the transfer of non-public or restricted use data. Examples include records from governmental agencies or corporations, student records information, existing human research subjects data, and limited data sets.
Importance of Data Release Agreements
Data Release Agreements address important issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. These agreements also assure that the recipients are using the data in accordance with applicable law, as they contractually obligate the recipient to use the data only for the purpose described in the Data Release Agreement. Data Release Agreements prevent inappropriate use of protected or confidential information that could cause harm to research subjects, the investigator, or the university.
Data Release Agreements Required
For human subject data, a Data Release Agreement is typically required when:
- Disclosure of data is for research purposes;
- Individual authorization for disclosure to this recipient is not/has not been obtained (i.e. through use of a subject-signed informed consent authorization);
- When no other form of contract concerning the data transfer exists between the provider and the recipient (i.e. sub-award agreement or a contracted services agreement).
Data that might be exchanged under a Data Release Agreement:
- Records from governmental agencies or corporations;
- Student record information;
- Existing, identifiable human subject data;
- A limited or restricted use data set.
FERPA & Data Release Agreements
The Family Educational Rights and Privacy Act (FERPA) requires a written agreement to disclose Personally Identifiable Information (PII) from educational records without consent. These written requirements must meet CFR 99.31(1)(6)(iii)(C) or 99.35(a)(3).
Data Release Agreements Not Required
For human subjects research data, a Data Release Agreement is NOT typically required when:
- When data is publicly available in public domain;
- When data is exchanged that is not subject to a legal or other restriction on its use;
- If a research subject signs a consent authorization form that authorizes data sharing with the recipient;
- When another agreement, such as such as a sub-award agreement or a contracted services agreement is in place;
- Data transfer as part of such a collaborative research project is often addressed in the study protocol or in the funding agreement terms and conditions (i.e. grant, contract, sub-award, contracted services agreement, etc.). In these cases, a separate Data Release Agreement is generally not necessary.
IRB Requirements for Data Release Agreements
If a Data Release Agreement is a part of the project you are submitting to the IRB, the IRB may request for it to be included in the protocol application. However, regardless of whether the IRB requests it or not, any language in these agreements in regards to data protection, storage, access, and/or destruction should be mirrored in the protocol application, likely in the Privacy & Confidentiality section.
UW’s Office of Research and Sponsored Programs (RSP) serves as a campus signatory for Data Release Agreements. Data Release Agreements must be routed through RSP* or through another signatory for final sign-off and approval. Signatories are charged with reviewing the agreements and signing on behalf of the institution, ensuring compliance with appropriate policies and regulations.
For human subjects research purposes, only official campus signatories are authorized to enter into contractual agreements, including Data Release Agreements, on behalf of the university. Researchers are NOT authorized to sign (including electronic signature) Data Release Agreements on behalf of the institution. Data Release Agreements should not be signed by university faculty or staff members.
*All questions regarding Data Release Agreements routed through RSP should contact that office at firstname.lastname@example.org. Further information may also be found on their website - https://www.rsp.wisc.edu/contracts/dtua.cfm.
- It is important for researchers to read the terms of a Data Release Agreement before forwarding it to a signatory for review and approval. It is the researcher’s responsibility to understand and follow the terms of the agreement and to only use data for purposes specified. Campus signatories assume that a researcher who transmits a Data Release Agreement has read and agrees to conform to those terms, whether or not the researcher’s signature is required (in addition to campus signatory) on the agreement itself.