University of Pittsburgh
Office of Research


Data Use Agreement (DUA) Frequently Asked Questions (FAQ)


  1. Why sign a DUA?
  2. Who signs DUAs?
  3. What are Examples of Data that might be exchanged under a DUA?
  4. When do I need a DUA?
  5. When don't I need a DUA?

1. Why sign a DUA?

DUAs address important issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. The understanding established by the DUA can help avoid later issues and will ensure the appropriate use of data for a specific research project, protecting both the provider and the recipient.

       Establishing a Data Use Agreement Achieves the Following:

  • Protects the investment and reputation of both the investigator and the University
    • Access to important data makes an investigator more competitive in publications and grants; sharing of this data helps to foster collaboration with other leading scientists

  • Ensures that the investigator and University receive academic credit for their work
    • Appropriate acknowledgement of the data’s source in academic publications and presentations can be addressed in the DUA, although any determination of appropriate authorship designation must be based on actual contribution to the research, and cannot be agreed upon in a DUA.

  • Prevents the inappropriate use of intellectual property or protected or confidential information that could cause harm to research subjects, the investigator or the University

  • Helps to shelter the investigator and University from any liability or loss arising from a recipient’s use of University data

  • Assures that the recipients are using the data in accordance with applicable law
    • Contractually obligates the recipient to use the data only for the purpose described in the DUA
    • Where data may be subject to HIPAA, ensures that appropriate restrictions on use are maintained

2. Who signs DUAs?

The University of Pittsburgh's Office of Research is authorized to enter into research agreements, including DUAs, on behalf of the University.  Researchers are not authorized to negotiate or sign agreements on behalf of the University.  When a researcher signs such an agreement on behalf of the University, the researcher could be subjected to legal and financial risks. It is important for the researcher to read the terms of a DUA before forwarding it to the Office of Research for University signature. The Office of Research assumes that a researcher who transmits a DUA has read and agrees to conform to those terms, whether or not the researcher’s signature is required on the DUA itself ( The Office of Research will confer with General Counsel and IRB or other pertinent compliance offices as required in the evaluation of DUAs.

3. What are Examples of Data that might be exchanged under a DUA?

  • Records from governmental agencies or corporations
  • Human Research Subject Data
  • A limited data set
  • Genetic sequences
  • Models
  • Proprietary or valuable information or material that does not fit the profile of a tangible physical material

4. When do I need a DUA?

       For Human Subject Data

  1. Disclosure of data for research purposes and
  2. Individual authorization for disclosure to this recipient is not/has not been obtained (from human subject, as through use of a subject-signed informed consent authorization) and
  3. Disclosure is permitted under an IRB-approved protocol (for human subject research) or
  4. The researcher is disclosing or receiving a “limited data set” of personal health information, as defined under HIPAA.  For more information on limited data sets under HIPAA, see:

Please note that when a University researcher is receiving a limited data set for research purposes from UPMC, UPMC has approved a form of DUA that is acceptable to the University. Please see this link for further details before submitting to the Office of Research: (

      For Non-Clinical Data

  1. When no other form of contract concerning the data transfer exists between the provider and the recipient and
    • When data is not in the public domain, and the disclosing party wishes to limit the further use or distribution of the data in some way, and
    • The recipient intends to use the data for research purposes

5. When don't I need a DUA?

  1. When data is exchanged that is not subject to a legal or other restriction on its use.
  2. If a research subject signs a consent authorization form that authorizes data sharing with the recipient, a DUA is not needed.
  3. When de-identified data is exchanged for research purposes under a subcontract or other form of agreement with the recipient.  “De-identified data” as used here has the meaning attributed in HIPAA.