Uniquely identify the data owner (by name and/or role) and identify the data you can access. Also capture or specify (depending on the connection) the user`s name as well as their position and responsibilities that require access to the recording. Ministry of Education`s Data Sharing Tool for Communities This toolkit is designed to simplify the complex concepts of FERPA. It covers three main areas of focus: understanding the importance of data collection and sharing, understanding how best to protect student privacy when sharing personal data from FERPA-protected student school records, and understanding how shared data is managed with embedded data systems. It contains a sample letter of intent and a sample consent form. The following sections describe how to (1) prepare for a data sharing agreement, (2) negotiate a robust agreement, and (3) comply with the signed agreement based on the review of guidelines and best practices in several areas.21 Some of these relate to a researcher negotiating a DUA with a data provider for the first time. but the considerations for this case contain clues to establish good processes and to develop models and examples for subsequent DUAs. Intended and Permitted Use of Data. I agree to use [SystemName] only for legitimate business purposes and to limit my use to my established business responsibilities. Organizations that do not have existing data sharing systems may reject an application because they do not have clear internal roles and responsibilities or resources to manage contract development, data sharing, and relationship monitoring. Fundraising or external resources can help support the process.
Both sides should consider what is possible and what is likely in terms of the timeframe that the agreement will cover. This includes when the data can be delivered, how the data is extracted from the management systems and the costs that may arise during the term of the data exchange agreement. Negotiation of agreements can take up to a year between development and execution, especially if there is no history of data exchange between the two parties. Even organizations with previous data sharing relationships or established processes can have a request queue, which can lead to delays. After reaching a signed agreement, researchers must anticipate the time between approval and delivery: the processes to meet demand can be intense. For example, data providers need time to document and format the requested data, and additional time may be required to retrieve data from multiple databases or inactive storage. This process can be particularly lengthy if the application is new. Data providers may also require notification or approval before publishing publications or publications.
If a data provider has an established data request process, a researcher should review its terms and requirements and propose additions or modifications if necessary. Data providers should be aware of the laws, regulations and policies that allow the use of their data and, upon receipt of an initial request, determine whether data request procedures already exist in their organization. Data providers (para. B government agencies or private corporations) may have general counsel offices that have preferred models or formats. Some data providers are hesitant or unable to change their requirements processes. Data request and access procedures are not always publicly available, although some agencies and organizations have data request procedures on their websites, which can greatly speed up and simplify the application process. The secondary storage/system cannot be created from the [system name] data without the prior consent of the data owner and the registration and release of the secondary storage/system with the CIO office. The review of the legal framework helps researchers formulate realistic expectations regarding the scope and conditions of the DUA. In addition, it is important that researchers (or their institutions) are aware of the legal framework in order to be able to ensure compliance with all applicable laws, especially if the data provider has limited legal experience in approving the sharing and use of data by researchers.
I will obtain the consent of the Data Controller before transferring data from [System Name] to a person who has not accepted the terms of this Data Access Agreement. Data protection in this system is subject to the following laws, directives and regulations: — Creation of DUA can take a long time. In some cases, negotiations fail after months or years of discussions. Planning ahead can help researchers and data providers achieve strong DUAs. DUAs can be initiated by the researcher or data provider.22 Data providers may have different or accelerated procedures when sharing data with a researcher, evaluator or contractor working on their behalf. National League of Cities Data Sharing Guide for Better Results Created with stewards of Change, this guide was written for public servants, agency managers and managers. It highlights their incentives to share data, what information can be shared, and who can get the information with specific examples in areas such as education, health, mental health, addiction, social services, and criminal justice. They contain examples of memoranda of understanding from two counties, a city and a state, and have an appendix that lists the most important federal laws and regulations. See Yates et al. (2018) for a checklist from the point of view of the data provider.︎ ↩Incomplete and inconsistent formal agreements on terms and conditions can lead to negligence on the part of employees and subcontractors in the processing and distribution of sensitive data. The purpose of the Data Access Agreement is to establish the conditions under which Users will have access to the data provided and to obtain a User`s express consent to these Terms before granting access to the Data. Here`s a template for a standalone data access agreement.
The template and sample text are provided for illustrative purposes only and should be tailored to the specificities of each system/dataset. California Accountable Communities for Health Data-Sharing Toolkit This toolkit is created by the Center for Organizational Research and Innovation in Healthcare at the University of California, Berkeley and sponsored by the California Health and Human Services Agency and the University of California, Berkeley, School of Public Health. This report summarizes seven metrics for data sharing, purpose/purpose, relationship/membership, funding, data governance and protection, data and data sharing, technical infrastructure, and analytics infrastructure, while observing that parts of these categories have different levels of maturity and expertise. National Governors Association, Improving Human Services Programs and Outcomes Through Shared Data This letter is aimed more at policymakers than practitioners and provides brief examples of how data sharing has helped states and their residents in Indiana, Kentucky, Maryland, Massachusetts, North Carolina, Pennsylvania, Rhode Island, South Carolina, Virginia and Washington. It is helpful to think about the interests of the organization as well as the interests of individual decision-makers such as the program manager, agency manager, chief information security officer, etc.26 Think about what the organization needs to do: improve program management, increase efficiency, reduce costs, and help program participants. What can the research team produce for the data provider? This can be own data, documentation, code, a report, or a dashboard. Researchers should ask themselves what the unanswered questions and needs of the data provider are. The researcher should periodically review the terms of the contract to ensure that the necessary data is accessible and that the project is on track to be completed within the specified scope and schedule. If the researcher identifies a need for additional data elements, extension or wider scope, he or she must make an amendment to the agreement. Since these changes are common, the data provider may consider developing a model. Resource owners should establish data access agreements that define the appropriate use of and access to the data covered, as well as procedures for obtaining approval for deviations from restrictions.
There are at least two parties to such agreements: the data provider and the data requester. The data provider is responsible for allowing access to the data on behalf of the purchasing agency or data subjects. The data provider is bound by laws, regulations or guidelines that may be very specific in terms of access to direct identifiers (name, date of birth, social security number) and sensitive information (health status, grades or test results). The data requester is a researcher who seeks to access the data for a specific purpose. University researchers typically have to pass a DUA exam by an Office of Research or Sponsored Programs or the Office of the Attorney General, and possibly by academic information security specialists. This collection of agreements comes from a variety of sectors, including labour and social services, the Ministry of Motor Vehicles, criminal justice, education, housing, health and health care. It also includes generic agreements and other documents. B for example, an information security incident log, a breach plan, and a confidentiality commitment template. Guides that provide templates are available in different areas. Annex A to this chapter contains a model. Other examples are listed below: Depending on the data provider, other forms of documentation may be used. Examples include Memoranda of Understanding (MOUs), Data Use Agreements, and Data Clearing-House Letters.
These have different structures and levels of detail, but all of these tools provide the legal framework for access to the data, which the applicant can do with the data (e.g. B scope of study, restrictions on redistribution), security controls and restrictions on publication. . . .