Overview
A Data Use Agreement (DUA) is a legal agreement that governs the sharing of data between Georgetown University and external entities. DUAs are essential for protecting data confidentiality, ensuring ethical research conduct, and complying with applicable legal, funding, and institutional requirements.
To request a DUA, the PI and/or a project team member, must initiate and submit their request through the DUA module in GU-Pass. The DUA Intake Form is submitted within the module, along with any supporting documents (e.g., draft agreement from external entity for incoming data, data description, IRB info). Guidance on how to submit a request for a DUA in the DUA module in GU-Pass can be found here.
If you have any questions about the DUA process or issues accessing the DUA module, please contact the Joint Office of Research Administration (JORA) at JORA@georgetown.edu and/or Robyn Sutton, Senior Pre-Award Grant Administrator for DUAs at robyn.sutton@georgetown.edu.
DUA Requirement Criteria
A DUA is typically needed when:
- Sharing or receiving data that is confidential, identifiable, or sensitive, including:
- Protected Health Information (PHI)
- Personally Identifiable Information (PII)
- Data that is subject to regulatory or contractual restrictions
- Accessing limited datasets or de-identified data
- Accessing restricted-use datasets (e.g. CMS, NCES, hospital or clinical data, non-public community health records)
IRB Considerations
If you plan to conduct human subjects research, you must submit to the Georgetown IRB and receive approval prior to beginning any research. Please refer to Georgetown’s IRB website for information on how to submit an IRB request. Please note, JORA cannot fully execute any DUAs until the GU IRB has been approved.
- Human Subjects Research: if the data involves human subjects, IRB review and approval are typically necessary
- Secondary Data Use: even for existing data, IRB oversight may be required, especially if the data is identifiable or it includes coded data that can be linked to specific participants
- Data Provider Requirements: some data providers mandate IRB approval regardless of the data’s identifiability
Common Data Types
- Protected Health Information (PHI): individually identifiable health information that can be linked to a person and is regulated under HIPAA.
- Personally Identifiable Information (PII) – HIPAA: information that can be used to distinguish or trace the identity of a person (e.g. name, address, date of birth, demographic combinations)
- Personally Identifiable Information (PII) – FERPA: information that can be used to distinguish or identify a student, directly or indirectly, within their education record (e.g. name, student ID number, date of birth, Social Security Number)
- Limited Data Set (LDS): a HIPAA-defined category of identifiable data that excludes specific direct identifiers but may contain zip codes, city, age under 90, year of birth or service, and other limited fields
- De-identified Data: data with all 18 direct identifiers removed per HIPAA Safe Harbor or expert determination
Frequently Asked Questions – FAQ
Q: When do I need to obtain a DUA?
A: A DUA should be requested and entered into before there is any use or disclosure of a data set to an external entity
Q: Do DUAs require IRB approval?
A: Typically, yes, especially if the project involves human subjects research or identifiable/coded data. Fully de-identified data that prevents the re-identification of the individual is not considered human subjects research and typically does not require IRB approval, however, please consult with the GU IRB office to make that determination. Also, please note that JORA cannot fully execute a DUA until the GU IRB has been approved, if required.
Q: How long does DUA review take?
A: Timelines vary depending on completeness of the GU-Pass record submission, complexity of DUA terms, and required internal stakeholder reviews that may be needed (University Information Services, Office of General Counsel, IRB, Office of Technology Commercialization, Office of Research Oversight)
Q: Can I sign a DUA myself?
A: No – only an authorized signatory official in JORA may execute DUAs on behalf of Georgetown.
Q: Can I start analyzing data before the DUA is fully executed?
A: No – data cannot be transferred or used until the DUA is fully executed.