What is a Data Use Agreement?
A Data Use Agreement (DUA) outlines the terms and conditions for the sharing of sensitive or proprietary data between parties. DUAs vary in complexity but often delineate minimum data security requirements, establish usage limitations, highlight applicable legal, regulatory, or ethical requirements, and summarize liability/consequences for misuse or mishandling.
Who Reviews DUAs?
Several offices at Boise State review DUAs, depending on the data involved:
- Office of General Counsel (OGC): Ensures agreements comply with legal requirements.
- Office of Information Technology (OIT): Evaluates and implements necessary IT security measures.
- Office of Research Compliance (ORC): Reviews for ethical research practices, especially with human subjects.
- Office of Sponsored Programs (OSP): Ensures agreements meet sponsor requirements.
The Process
Investigator Submits Intake Form (Initial Assessment)
Investigators must submit a Research Data Classification Form to provide details about the data, intended use, users, etc.
The offices noted above will determine if they need to be involved in any next steps for the DUA based upon the information provided.
Office Review and Follow Up
Relevant offices determine their involvement and if additional information is required or further action is required by the investigator. This may include:
- OIT assessing minimum security requirements
- Investigator submitting the DUA through OGC Contract Routing
- Committee approval for human subjects research through ORC
- OSP review for specific sponsor requirements/restrictions
Investigator Receives Applicable Office Approvals
All offices involved in the DUA review must approve prior to the DUA and associated documents being signed.
Investigator and Offices Address Terms and Conditions
Prior to signing and data transfer, offices may need to work with the investigator to ensure the terms and conditions of the DUA can be met. Some examples include:
- User specific access agreements
- User training
- Physical security requirements – restrict room access to applicable data users
- Cybersecurity – air gapped (no network) computer, specific IT storage requirements
- Committee approvals
Review and Implementation Timeline
Review and implementation times vary by complexity and requirements. Some examples:
- OGC requests a minimum of 10 business days for contract/agreement reviews.
- Human subjects research reviews typically take 2-6 weeks depending on the risk.
- OIT may need to setup an air-gapped computer or establish a new secure environment with special user permissions.
- A work order may be needed to rekey an office.
Investigators should submit as soon as possible and work with the offices on a timeline based the unique situation.
Contact Us
Need assistance? Contact:
- Office of Research Compliance (ORC): orc@boisestate.edu
- Office of Information Technology (OIT): ciso@boisestate.edu
These offices can answer questions and guide you to the appropriate resources.