At a minimum, a Data Use Agreement (DUA) must be in place whenever there are restrictions for: Information Privacy, National Security, Protecting Commercial, Proprietary, or Confidential Interests in Data.
In some cases there are additional guidelines or requirements which must be followed before a DUA can be put into place. Review the following guidance on these topics for next steps and more information.
Topics Covered:
HIPAA protects the privacy of individually identifiable information, sets standards for the security of electronic PHI, and includes breach notification rules.
Researchers that will obtain and use protected health information (PHI) must obtain: (a) authorization from the participant; or (b) a waiver of authorization granted by an IRB, unless the PHI is:
Many 91探花researchers are also health care providers at a 91探花covered entity. These researchers follow all policies, procedures, and requirements about the research use of PHI, such as prior IRB approval and a waiver of authorization, even for one鈥檚 own patients, and following all 91探花Medicine Honest Broker requirements.
Please see GUIDANCE HIPAA from the UW’s Human Subjects Division (HSD) for additional information.
91探花Medicine maintains policies regarding use of 91探花Medicine clinical data in research.
Contact ritdatahelp@uw.edu with questions on the Honest Broker processor the Release of UWM Clinical Data for Research Purposes.
Information, including PHI, under a Certificate of Confidentiality, receives the following additional protections, under a Certificate of Confidentiality and sharing is not allowed:
Review: more guidance on Certificate of Confidentiality (CoC) from the UW鈥檚 Human Subjects Division.
The EU GDPR limits when and how organizations worldwide can collect, store, use, or otherwise process personal data of persons residing in the European Economic Area (EEA). Please review more information from 91探花IT on including how they may impact access and use. If you carry out a 91探花activity that involves sharing personal data subject to EU GDPR, you will need to consider a .
If you will be handling incoming personal data subject to the EU GDPR, as a processor or controller, the party providing such data may require certain contractual clauses. If a sponsored program, these terms would be placed in the sponsored research agreement or related DUA by the providing party
When routing an eGC1 to OSP and you are aware personal data subject to EU GDPR will be involved, please select the checkbox next to 鈥淥ther Sensitive Information鈥 under D-1. Ensure you are completing a privacy assessment with the 91探花Privacy Office if the data handling is considered .
Researchers who obtain records from schools are responsible for contacting the schools to make sure that the research will comply with FERPA requirements.
Please see more from the .
UW-Led Youth-Involved Research includes any study that involves:
Please see more information on Youth Research Requirements or contact the Youth Protection Coordinator.
The Dept. of Justice (DOJ) Data Security Protection (DSP) rule () is designed to prevent access to U.S. sensitive personal data & government related data by countries of concern or covered persons.
This rule applies to covered data transactions with or covered persons. The rule covers two main categories of data: bulk U.S. sensitive personal data and .
It is key for 91探花researchers to understand whether this rule may apply to their data transactions.
Contact the 91探花Privacy Office at uwprivacy@uw.edu for help identifying whether the Dept. of Justice Data Security Program applies before:
The following should be discussed with the Export Controls Office (eco-help@uw.edu) to ensure export compliance:
There may be restrictions or prohibitions on the sharing of data to foreign parties. Please see Foreign Interests and Sponsored Programs for more information.
There are restrictions and prohibitions for sharing classified federal contract information (FCI) or Controlled Unclassified Information (CUI). Typically assessed at the proposal stage, please review proposal stage guidance on Classified or Restricted Research.
In general all research data are considered open access and available in the public domain. See . However there are commercial and proprietary interests considered in sponsored research contexts.
Data from sponsors or third parties coming into the 91探花for use on a sponsored project often requires protection for proprietary purposes. Sponsors typically provide a license to us within a sponsored research agreement or will provide a data use agreement.
Review more information on Data Use Agreements and Agreement Types.
Research data are not typically considered intellectual property. However, all 91探花research data are owned by the UW, except as otherwise provided by an agreement, law, regulations, or policy, and in some cases protected by copyright. See GIM 37 Research Data.
Generally research data developed under a 91探花sponsored project are required to be open use or available in the public domain. See .
Certain sponsors include public access, open use, or requirements as a condition of award.
Some examples include:
Some sponsors may require terms in agreements for open source licensing of software. When this happens, your OSP reviewer will request the Principal Investigator to acknowledge and sign the 91探花IP Disposition Memo (also referred to as the GIM 40 Memo).
UW鈥檚 CoMotion also provides detailed guidance on at the UW.
Research data is not usually eligible to be protected as standalone commercial innovations. However, data can carry key information necessary to securing intellectual property protection. Additionally, it is important to understand how the parties to an agreement are defining 鈥渄ata鈥. If the agreement broadly defines data to include innovations, 91探花Intellectual Property policies apply. See for details: