Experts offer guidance for navigating the choppy waters of data use agreements

Excerpted from the December 2021 issue of University-Industry Engagement Advisor. UIDP members can view the entire issue here.

“Data’s a big deal; the issues are constantly changing,” said Elaine L. Brock, JD, MHSA, president and senior partner in Contracts, Compliance, and Conflict of Interest Authority LLC (C3Authority), addressing participants in the recent “Data Use Agreements” UIDP Contracting Fundamentals Webinar. “It gets complicated when you’re trying to keep up with all these different things, like the privacy considerations and the implications for social media and other kinds of emerging types of data like biometrics identifiers.”

The key to keeping all of this information straight in the context of contracting with industry, she noted, stems from focusing on the basic questions all data providers and users must ask themselves. For example, if you’re a provider, you want to know whether the data can be used, shared, or retained by somebody else.

“So first, what is the data?” she posed. “This is my pet peeve — that almost 90% of the data-related contracts I see do not adequately define what the data is. Then, you want to know where it came from, because that may have affected the regulations under which it was gathered and how it can be used. So is it patient records, research tests, student data — all those kind of things have implications for what happens next with the data.”

Also important, said Brock, is to know who actually needs it, how they intend to use it, and for how long. “Are they going to use it for research? For surveillance? For student and educational records for curricula and things like that?” asked Brock. “And what is the status of the requester — is the person an employee of the organization you are contracting with? Are they asking for this as an individual, are they for-profit or non-profit, or are they a covered entity under HIPAA? The status of the requester has a lot to do with the laws and regulations as well,” she noted.

Brock added that you also need to know if the data is confidential and/or proprietary — if it’s not just generally available to anyone who wants to use it for any purpose. “And if it was acquired from a person, for instance, what does the consent say?” she posed. “Is the use that the person wants to make of it covered by the consent that a provider has from whoever the data subject was at that time?”

Other elements, she continued, might have to be included, depending on the format of the agreement. “Are the data clauses part of some larger project that has a sponsored project agreement, for instance, or are you just looking at the data in order to determine whether you want to enter into a relationship or are you doing it because you want to do research?” she asked.

In addition, said Brock, you can’t overlook website use in terms of data, and also some of the logistics of how the data will be transferred, stored, returned, or disposed of. “Don’t overlook that you need the other party to pay attention to those things,” she advised.

On the other hand, she continued, if you’re contracting to use rather than supply data, a number of other key questions arise. “Are you getting it from a primary source or from a secondary source, from some sort of a data repository, inter-institutional consortium, sociopolitical research or something like that?” Brock poses. “And then you also want to be careful to assess whether the data that you need for the project must be confidential, proprietary data or whether it can just be generalized unrestricted data. Obviously, the fewer conditions that the data was gathered under and fewer tags it has regarding its value, proprietary nature, and confidentiality, the easier it will be to exchange the data with fewer than 70 pages of agreement terms.”

You also want to describe the scope of requested use “as broadly as possible to allow you to do what you need to do, but also specific enough for the data provider to assess whether they have the right to give that to you,” said Brock. “And then ultimately, you need to obtain the rights. You can obtain those through website terms of use, for example, federal data sets, a sponsored project/data use agreement. And they can be attached to funding for a project or not attached.”

If necessary, Brock added, you must secure the appropriate approvals, including IRB and whatever institutional or company approval you need to enter into an agreement regarding the use of the data. For public universities, that may include whether the data is in a location and subject to your state’s public records laws or the Freedom of Information Act. “You want to be careful that institutional approvals are there,” she cautioned. “You want to make sure they’re signed through whatever channels there are, and not just by some random person who wants to use it and doesn’t have the authority to bind the institution that’s going to retain it.”

Data in sponsored projects

When looking at the data component of sponsored projects, said Brock, the Statement of Work (SOW) is a key consideration. “The bane of my existence is a two-line SOW,” she stated. “If you’re using pre-existing data, don’t overlook the data terms in the sponsored project agreement. You may need the data to develop the SOW, so you may need a precursor agreement of some kind, like an NDA. You need to look at confidentiality provisions: Is it business-sensitive data? Proprietary data? Is it personally identifiable, and can it be identified? Is it personal data under some sort of regulation, such as GDPR? And then, [consider] the possibility of the advantages of data aggregation and de-identification and data segregation. Can you do things that reduce the risk or limit the other terms that you need to think about because you changed the nature of the data that’s being exchanged?”

In addition, she advised, do not overlook the data that might be contained in deliverables, datasets, reports or search tools — “all those kind of things that get lumped under something called IP, or results,” said Brock. “You might need to look at the data provisions more carefully depending on the nature of the data that you generated, compared with the nature of the data that you used to generate the results.”

There may be other factors affecting the SOW, Brock added, like a government funder’s rights and other kinds of requirements and restrictions. “Also, whether you intend to publish and what you’re going to publish. Are you going to publish the dataset itself someplace, like on a website, or even publish the analytical methods that you used to analyze the data?” she noted. “Are you looking at models derived from the data as opposed to the data, as models are more generalizable.”

“Once you do all that,” she continued, “do you need another party to look at the data? Do you need a subcontractor or a consultant that might need an NDA, a sublicense, or whatever?”

Human data

When addressing human data, Brock stressed, “you need to know the purpose for which the data may be used, so try to be as expansive as you can or as is necessary to achieve your purpose. If you have consent from someone that gave you the data, the terms of the agreement under which someone else uses the data have to be consistent with the consent.”

The fact that this is not always the case is a real “bugaboo,” she continued. “Universities need to have comprehensive data use clauses, so not just data identification through the definitions but also tracking that to the confidentiality and the publication and the deliverables, and the export controls and confidentiality and privacy provisions — so all those things tie in together,” Brock explained.

She further advised looking at the data clauses and making sure that all the other clauses appropriately account for the data, and whether the data is primary or secondary use consistent with consent documents, applicable laws, and regulations.

Next, Brock addressed “can we?” and “should we?” considerations, such as weighing whether whatever risks are incurred by sharing this data are appropriate to the parties, and whether they are willing to share these risks, to avoid risks of breach of confidentiality even in cases that are difficult to anticipate — for example, due to an inadvertent identification of personal data through access to a different data set. Many of these privacy issues are dealt with in the GDPR legislation in Europe and the California Privacy Protection Act. “There may be restrictions and limits that you could impose in the agreement to protect data subjects and parties,” she said.

“Don’t overlook the costs to gather and prepare and curate and archive data,” Brock continued. “Are those in there? Do you have the time to do it appropriately? Then, of course, there are the liability risks, costs, avoidance, and societal and ethical concerns.”

There are a whole slew of regulations that address data, including not just GDPR but also the DHHS Common Rule, HIPAA, The 21st Century Cures Act, FERPA, and FDA rules.

The overarching goal for all data use in research is the concept of “de-identification plus,” she said. “This concept is not a universal concept,” she noted. “In the old days before GDPR, people used to think of de-identification as the solution to all data privacy and data security concerns. If data was de-identified, then you could do whatever you wanted with it — but those days are long gone. Part of the problem is there is no common definition of de-identified nowadays. Common Rule differs from HIPAA; HIPAA goes to actual knowledge, Common Rule says it’s readily ascertained, and GDPR is much higher — if anybody could try to find who the actual person the data is attributed to.”

Finally, Brock addressed mandates related to sharing data. “Sometimes, particularly with government but also things like certain foundations, there are data sharing requirements, so you have to take those into account if you use those sources of funds,” she noted. For example, FDA addresses the registration of clinical trials, and both NIH and NSF have obligations to come up with data management plans. “You need to know what those are, and the restrictions,” said Brock. “You can’t simply say you’re never going to share the data.” The Gates Foundation, she pointed out, has a Data Availability Statement that addresses the primary data, associated metadata, and original software.

To check the data sharing policies of funders, she directed participants to the “little handy-dandy” site Sherpa Juliet (https://v2.sherpa.ac.uk/id/funder/961), a UK-based searchable database that provides up-to-date information on research funders’ policies and their requirements on open access, publication, and data archiving.

Some journals, she added, also require that the data be accessible for validation of results by other researchers. (Very often data needs to be shared in a group with multiple partners, such as consortia, multiple-sponsored research, data “clubs,” centers, and so on. See the sidebar on page 179 for recommendations on data use in such organizations.)

Getting Started

So, how do you even get started on this complex process? Brock shared a form she created for organizing the process. (See Figure 1.) “What I find is the more of these boxes you need to check, the more terms you need in the agreement,” she said.

“Consider what you’re trying to do with the data — are you just generating it? Are you going to acquire it? Are you going to keep it private in some way, give access to somebody else to store it, retrieve it, share it, curate it? That’s the project-related stuff — the activity. Then you have all these issues you need to address at the same time, but then add on the technical aspects and the cost and the value aspects, and monitoring. Then, if you have some wacko situation you need to address, all those things as well. This is just a way to look at whether you have checked the right boxes and asked the right questions before negotiating the agreement.”

“One of the first go-to places is the UIDP Contract Accords. You can use them as the first stop in helping you organize your thoughts,” added Paul Lowe, CRA, associate vice president for research at Kansas State University, and a co-panelist with Brock. “These are common considerations that both industry and universities developed as common ground; we can all agree to these. These are the key principles, recently refreshed and updated by Elaine. They’re really a first step as you put together a framework agreement and visualize your initiative.”

Contact Brock at 734-330-3727 or elainebrock@c3authority.com; contact Lowe at 785-532-6804 or plowe@k-state.edu.

Posted December 15, 2021