I will obtain the consent of the Data Controller before transferring data from [System Name] to a person who has not accepted the terms of this Data Access Agreement. Data protection in this system is subject to the following laws, policies and regulations:— Such an agreement strives to protect all parties by establishing the conditions of access and use of data. DUAs are risk mitigation tools that clarify expectations between the parties. Data providers are often reluctant to enter into data exchange agreements because they may be afraid of responsibilities arising from the use of the data that could harm their program, agency or data subjects. DUAs allow data providers to establish controls for data processing and notification measures in case of data mismanagement. DUAs also strengthen the roles and responsibilities of researchers and their institutions, clarifying issues of responsibility in advance. Legal Issues for IDS Use: Finding a Way Forward (Petrila et al. 2017) is an expert report that informs state and local governments that wish to integrate data. This report explains why policy and relationships are important and reviews the legal considerations for preparing a letter of intent or data use license.
The document contains links to a model agreement with two states and one county, as well as a data licensing model from a federal health and welfare agency. Depending on the data provider, other forms of documentation may be used. Examples include Memoranda of Understanding (MOUs), Data Use Agreements, and Data Clearing-House Letters. These have different structures and levels of detail, but all of these tools provide the legal framework for access to the data, which the applicant can do with the data (e.g. B scope of study, restrictions on redistribution), security controls and restrictions on publication. The data requester must always prepare some form of documentation for data access, even if the data provider does not need it. At a high level, a DUA should be on the five safes. It should include the intended uses of the data to define the secure project; the conditions of access and processing of data for a secure environment; and terms for publishing outputs and publishing for secure editions. DUAs are essential for defining acceptable data uses, links, and topics for analysis. Agreements may also detail the roles and responsibilities of the data provider and researchers (definition of safe persons) and cover secure data by including a list of data elements and any reporting or disposition requirements.
There are many permutations to such restrictions;20 all requirements as well as penalties for non-compliance should be included in the DUA. Uniquely identify the data owner (by name and/or role) and identify the data you can access. Also capture or specify (depending on the connection) the user`s name as well as their position and responsibilities that require access to the recording. When using the data, the researcher should keep in mind that this is a contractual agreement and an opportunity to build trust between the parties. Working with the data provider to understand the data helps build this relationship. Administrative data was not originally collected for research purposes, so researchers should ask questions if the data do not appear to meet expectations. Seeking clarifications or corrections may prevent misuse of the data and involve the data provider. Many management organizations have limited resources and must prioritize program needs over research requests. In this case, they may decide to charge a fee for the preparation and extraction of the data.
Transparency in terms of timelines and costs and the clearest possible data use agreement help set expectations between the parties. Both sides should consider what is possible and what is likely in terms of the timeframe that the agreement will cover. This includes when the data can be delivered, how the data is extracted from the management systems and the costs that may arise during the term of the data exchange agreement. Negotiation of agreements can take up to a year between development and execution, especially if there is no history of data exchange between the two parties. Even organizations with previous data sharing relationships or established processes can have a request queue, which can lead to delays. After reaching a signed agreement, researchers must anticipate the time between approval and delivery: the processes to meet demand can be intense. For example, data providers need time to document and format the requested data, and additional time may be required to retrieve data from multiple databases or inactive storage. .