Experts offer guidance for navigating the choppy waters of data use agreements
Excerpted from the December 2021 issue of University-Industry Engagement Advisor. UIDP members can view the entire issue here.
“Data’s a big deal; the issues are constantly changing,” said Elaine L. Brock, JD, MHSA, president and senior partner in Contracts, Compliance, and Conflict of Interest Authority LLC (C3Authority), addressing participants in the recent “Data Use Agreements” UIDP Contracting Fundamentals Webinar. “It gets complicated when you’re trying to keep up with all these different things, like the privacy considerations and the implications for social media and other kinds of emerging types of date like biometrics identifiers.”
The key to keeping all of this information straight in the context of contracting with industry, she noted, stems from focusing on the basic questions all data providers and users much ask themselves. For example, if you’re a provider, you want to know whether the data can be used, shared, or retained by somebody else.
“So first, what is the data?” she posed. “This is my pet peeve — that almost 90% of the data-related contracts I see do not adequately define what the data is. Then, you want to know where it came from, because that may have affected the regulations under which it was gathered and how it can be used. So is it patient records, research tests, student data — all those kind of things have implications for what happens next with the data.”
Also important, said Brock, is to know who actually needs it, how they intend to use it, and for how long. “Are they going to use it for research? For surveillance? For student and educational records for curricula and things like that?” asked Brock. “And what is the status of the requester — is the person an employee of the organization you are contracting with? Are they asking for this as an individual, are they for-profit or non-profit, or are they a covered entity under HIPAA? The status of the requester has a lot to do with the laws and regulations as well,” she noted.
Brock added that you also need to know if the data is confidential and/or proprietary — if it’s not just generally available to anyone who wants to use it for any purpose. “And if it was acquired from a person, for instance, what does the consent say?” she posed. “Is the use that the person wants to make of it covered by the consent that a provider has from whoever the data subject was at that time?”
Other elements, she continued, might have to be included, depending on the format of the agreement. “Are the data clauses part of some larger project that has a sponsored project agreement, for instance, or are you just looking at the data in order to determine whether you want to enter into a relationship or are you doing it because you want to do research?” she asked.
In addition, said Brock, you can’t overlook website use in terms of data, and also some of the logistics of how the data will be transferred, stored, returned, or disposed of. “Don’t overlook that you need the other party to pay attention to those things,” she advised.
On the other hand, she continued, if you’re contracting to use rather than supply data, a number of other key questions arise. “Are you getting it from a primary source or from a secondary source, from some sort of a data repository, inter-institutional consortium, sociopolitical research or something like that?” Brock poses. “And then you also want to be careful to assess whether the data that you need for the project must be confidential, proprietary data or whether it can just be generalized unrestricted data. Obviously, the fewer conditions that the data was gathered under and fewer tags it has regarding its value, proprietary nature, and confidentiality, the easier it will be to exchange the data with fewer than 70 pages of agreement terms.”
You also want to describe the scope of requested use “as broadly as possible to allow you to do what you need to do, but also specific enough for the data provider to assess whether they have the right to give that to you,” said Brock. “And then ultimately, you need to obtain the rights. You can obtain those through website terms of use, for example, federal data sets, a sponsored project/data use agreement. And they can be attached to funding for a project or not attached.”
If necessary, Brock added, you must secure the appropriate approvals, including IRB and whatever institutional or company approval you need to enter into an agreement regarding the use of the data. For public universities, that may include whether the data is in a location and subject to your state’s public records laws the Freedom of Information Act. “You want to be careful that institutional approvals are there,” she cautioned. “You want to make sure they’re signed through whatever channels there are, and not just by some random person who wants to use it and doesn’t have the authority to bind the institution that’s going to retain it.”
