Data Use Agreements

Who Can Sign a UW Contract?

Posted on

What is Signature Authority? 

Only a few select individuals are authorized to sign contracts on behalf of the UW. This is due to the UW’s status as a state agency.  Any contract or agreement that  binds the UW to a legal or financial obligation requires an official UW signature to be valid.  

What Falls Under this Policy? 

The actual title of the document is not important, as a “contract,” an “agreement” or a “memorandum of understanding” each have the potential to legally obligate the university to undertake certain actions or pay certain amounts. Therefore, it is important that the terms of the contract are reviewed, approved, and routed to the proper signature authority. By submitting a contract through the proper channels (RAMP, Shop UW, etc.), your agreement will be routed to the correct signature authority once review and negotiations are completed. 

IMPORTANT (if asked to sign please decline): If you receive a contract that asks for your individual signature, do not sign without consulting the SMPH Contracts Team. This often occurs when you are providing in-house consulting (i.e. consulting as part of your UW appointment).  These agreements are signed by the SMPH CFO.  

For more information on signature authority, see the most recent Memorandum published September 2024:

Signature Authority Memo

 Signature authority may be updated from time to time. This document is for reference purposes only.  

Data Use Agreement Process

Posted on

DTUA Workflow – Outgoing Data 

  • Determine if the investigator wishes to share data with an outside party for a research project. 
  • Determine if the outgoing data solely consists of UW data, or if data is sourced from a third party 
    • If the data set includes third party data, include the relevant DTUA or RAMP record, and consult with the SMPH Contracts Office on next steps  
  • If human subjects data is being transferred to a third party, a data agreement will be needed. 
    • If an investigator wishes to share non-human subjects data (e.g. bench data, animal data), such transfers can be addressed via a CDA (link) or a data agreement for general data. 
  • Fill out the outgoing data agreement checklist located here
    • A Dean’s Office representative will be in contact with you regarding the classification of data. 
  • Determine the appropriate data agreement template 
    • De-identified data
    • Limited Data Set  
    • Fully Identifiable Data exceeding a Limited Data Set  
      • Note that there needs to be a HIPAA basis for the disclosure of HIPAA data (exceeding a Limited Data Set) with a third-party research collaborator.
      • This is often addressed under a HIPAA authorization.  Under certain limited situations, the Health Sciences IRB may approve a waiver of authorization.  Please consult with the IRB at asktheirb@hsirb.wisc.edu to determine the appropriate steps if the study team wishes to share HIPAA data under a waiver. 
  • Set up a RAMP record for the outgoing data agreement, and follow RAMP instructions for submission 

Incoming DTUA Workflow 

  • Determine if SMPH investigator wishes to obtain data from a third party 
  • UW does not require data agreements for incoming data transfers, but a DTUA is recommended if the investigator intends to further share the data with another collaborator 
  • If the providing site requires a DTUA, recommend use of the FDP template, as that will expedite the signing of the DTUA  
  • Set up a RAMP record for the incoming data agreement, and follow RAMP instructions for submission. 
  • Indicate whether the agreement is associated with a pending project 

Other Templates 

  • Attachment 2 found here 
  • Transfers of Data and Materials may be addressed via a combination DTUA and MTA template 
  • Please consult with the SMPH Contracts Office to determine whether such a template would be applicable for your transfer 
  • Multi-site data transfers (please consult with the SMPH Contracts Office)
  • For repository agreements in which SMPH is the lead site, please consult with the SMPH Contracts Office, who can tailor a template suitable for the research team’s needs. 

Data Use Agreements (DUA or DTUA)

Posted on

Data Transfer and Use Agreements 

The School of Medicine and Public Health generates large volumes of data through our bench and human subjects research.  The exchange of such data allows for broader insights by tapping into larger and broader population pools, which in turn results in more reliable and meaningful research outcomes.  It may also help prevent duplication of efforts, and allow for greater collaborative comparisons of data.  SMPH facilitates such transfers in a way that complies with federal law and UW policy, which include HIPAA (which applies to Protected Health Information), and our UW-Madison Policy of Data Stewardship, Access, and Retention.  

What is a DTUA? 

Data Transfer and Use Agreements (DTUAs) are contracts used to govern how data can be shared between parties.  These agreements include provisions to address various legal requirements imposed by federal law, and also outline limitations that protect the provider of the data. SMPH uses the Federal Demonstration Partnership (FDP) Agreement, which was designed to increase consistency in the terms and format of DTUAs, and to simplify negotiation between research institutions.  The FDP templates allow for the sharing of multiple types of data, and for sharing with one or more parties.  Additionally, depending on the nature of the data and the recipients involved, compliance with international and national regulations such as the General Data Protection Regulation (GDPR) and the Family Educational Rights and Privacy Act (FERPA) may also be required. 

When is a DTUA Needed? 

An agreement should be used when transferring data to a third party. This could be done through an existing agreement, such as the funding agreement, or through a separate DTUA.  Campus policy dictates the need for such an agreement. 

Federal law may require the use of a data agreement, such as when Protected Health Information (PHI) is disclosed to a third party.  When PHI is disclosed, the Health Insurance Portability and Accountability Act (HIPAA) compels us to follow certain requirements in sharing that data, including having an agreement in place that imposes certain obligations before the data is shared. Failure to comply with HIPAA may result in penalties to the UW and its employees. 

Types of Data 

  1. De-identified means that the health information or data set does not identify an individual and that there is no reasonable basis to believe that the information in the data set can be used to identify an individual. Under HIPAA, health information is considered “de-identified” if 18 criteria are removed from the data set. These criteria include direct identifiers, such as name and address, but also include other indirect identifiers, such as dates directly related to the individual (e.g. date of birth, admission date, discharge date) and zip code. For more information, see UW-Madison’s policy on de-identification. 
  2. A Limited Data Set (LDS) can contain dates related to the individual (birth date, death date, etc.) and dates of services as well as geographic information at the level of town or city, state and 5-digit zip code. A LDS is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual: 
    1. Names 
    2. Postal address information (other than town or city, state, and 5-digit zip code) 
    3. Telephone numbers 
    4. Fax numbers 
    5. Electronic mail addresses 
    6. Social security numbers 
    7. Medical record numbers 
    8. Health plan beneficiary numbers 
    9. Account numbers 
    10. Certificate/license numbers 
    11. Vehicle identifiers and serial numbers, including license plate numbers 
    12. Device identifiers and serial numbers 
    13. Web Universal Resource Locators (URLs) 
    14. Internet Protocol (IP) address numbers 
    15. Biometric identifiers, including finger and voice prints 
    16. Full face photographic images and any comparable images 
  3. For purposes of HIPAA, your dataset includes personally identifiable information covered by HIPAA if one or more of the eighteen HIPAA direct or indirect identifiers remain in the dataset. These identifiers are: 
    1. Names 
    2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: 
    3. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; and 
    4. The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000. 
    5. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older. 
    6. Telephone numbers 
    7. Facsimile numbers 
    8. Electronic mail addresses 
    9. Social security numbers 
    10. Medical record numbers 
    11. Health plan beneficiary numbers 
    12. Account numbers 
    13. Certificate/license numbers 
    14. Vehicle identifiers and serial numbers, including license plate numbers 
    15. Device identifiers and serial numbers 
    16. Web universal resource locators (URLs) 
    17. Internet protocol (IP) address numbers 
    18. Biometric identifiers, including fingerprints and voiceprints 
    19. Full-face photographic images and any comparable images 
    20. Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification 

DTUAs and the IRB 

If data was gathered from a human subjects study, the study team should review the IRB protocol to confirm whether the application allows for the disclosure of such data with the anticipated recipient.  The study team should consult with the Health Sciences IRB for clarity on this matter.  If a change of protocol is needed, the study team should begin the process prior to submitting the DTUA in RAMP. 

Information on requesting a change to an IRB protocol can be found here. Additional guidance on sending and receiving individual level human subjects research data can be found here (for sending) and here (for receiving). 

Purchasing Software, Services, and Materials for Research

Posted on

You will often need to work with the UW purchasing department to help you acquire software, services, or materials for your research.  These agreements are processed through Shop UW+ and signed by representatives from Purchasing Services.

KEY POINTS

Department Finance Team sets up requisition.

Include any agreement attached to the purchase.

Additional reviews for data and sample sharing might be necessary.

The close connection between your research and these software, services, or materials often means that there will be specific research related terms.  For example, if you are sharing data with the vendor, you will want to make sure there are appropriate data use provisions covering how the vendor may use your data.  If you are acquiring Business Associate Services, you will need to ensure a Business Associate Agreement is signed.

Research purchases are often considered sole source acquisitions.  Thus, you should be prepared to submit a sole source justification as part of your requisition.

Your Department’s finance team will help you with creating the requisition in Shop UW+.  The Contracts Team will help you determine what additional agreements, terms, or additional reviews may be necessary to ensure compliance with University Policy.

Using the Outgoing DUA Tool

Posted on

The SMPH DUA intake tool greatly reduces the time needed to prepare your outgoing datasets for sharing.  The tool consists of two parts.  The first is a forward-facing Qualtrics Survey that gathers information about your project.  The second is a back-end management program used by the Contracts Team to quickly assess your needs, gather additional information when necessary, and track the project through completion.  The tool can be used for any SMPH project that includes a data sharing component.

The tool is not a replacement for the RAMP record; the DUA tool streamlines the SMPH review, while RAMP manages the RSP component.

The Qualtrics Survey guides you through a series of questions about your project, your dataset, and your proposed sharing.  After you complete the Survey, a series of targeted tickets are created to alert the involved parties (such as IT or the Privacy Officer) that your request has been entered and you are in need of assistance.  This ensures that the various reviews necessary before datasets can be shared occur simultaneously rather than consecutively.

Before beginning the Survey, it is important to have the following items handy for upload when applicable:

  • Prior agreements (both incoming and outgoing) related to the dataset.
  • A spreadsheet (WITHOUT DATA) showing the data elements to be shared.
  • A completed copy of the DTUA you were planning on using.
  • A copy of your IRB Protocol showing the data sharing is authorized.

The Survey can be accessed by clicking the button below.