Data Use (DUA) Guidelines

The purpose of this guidance is to assist users in determining whether the transfer of data in the possession of a University of Houston (UH) Principal Investigator is permitted and/or requires a Data Use Agreement (DUA) for the transfer. This guidance covers both outgoing and incoming transfers of data. The chart below summarizes the routing and approval process. Under normal circumstances the estimated time, from receipt of an agreement to a fully executed document, is 7-10 business days. Although each office may take up to 3-5 business days for its review, the reviews can be done simultaneously since one review is not dependent on the other.

| Action | Responsible Party | Time Line |
| --- | --- | --- |
| Submit the DUA with completed DUA compliance questionnaire via email to | Principal Investigator | |
| Congruency check and approvals for Human Subjects, Animal Care, and Conflicts of Interest review | Office of Research Integrity and Oversight (RIO) | ~ 5 business days; may be longer if approved protocol is not in place |
| System security review when the agreement provides UH Information Technology (IT) security standards for safeguarding data | Information Technology Office | ~ 5 business days |
| Review for Protected Health Information (PHI) as defined by the Health Insurance Portability and Accountability Act (HIPAA), including but not limited to health and financial information, education records, and other protected information | UH General Counsel | ~ 5 business days |
| Review of general legal terms and conditions by contracting officers. Negotiation may be needed | Office of Contract and Grants | 3-5 business days |
| Approval for exception to standard terms and conditions that normally cannot be accepted by UH | Vice President for Research | Additional 2-3 business days |
| Finalize agreement, obtain signatures (execute) and distribute to relevant parties | Office of Contract and Grants | 2-3 business days |

Reason for Establishing a Data Use Agreement:

  1. Protects the investment and reputation of both the investigator and the University
  2. Access to important data makes an investigator more competitive in publications and securing future grants; sharing of this data helps to foster collaboration with other leading scientists
  3. Ensures that the investigator and University receive academic credit for their work
  4. Appropriate acknowledgement of the data's source in academic publications and presentations (although any determination of appropriate designation must be based on actual contribution of the research, and cannot be agreed upon in a DUA)
  5. Prevents the inappropriate use of intellectual property, protected health information or other confidential information
  6. Helps to shelter the investigator and UH from any liability or loss arising from a recipient's use of university data
  7. Assures that the recipients are using the data in accordance with applicable law
  8. Contractually obligates the recipient to use the data only for the purpose described in the DUA. Where data may be subject to Health Insurance Portability and Accountability Act (HIPAA), it ensures that the appropriate restrictions on use are maintained

Types of Data That May Require an Agreement

  1. Data derived from human subject or animal research as defined by the UH Internal Review Board (IRB) and Office of Research Integrity and Oversight (RIO)
  2. Data protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
  3. Data that contain any of the following:
    1. Personally identifiable information (PII)
    2. Protected Health Information (PHI) as defined by HIPAA
    3. Education Records as defined by the Family Educational Rights and Privacy Act (FERPA)
    4. Customer Record Information (CRI) as defined by the Gramm-Leach-Bliley Act
    5. Confidential Personnel Information (CPI) as defined in the Texas Public Information Act or otherwise protected under applicable law
    6. Personal data received from a country in the European Economic Area subject to the General Data Protection Regulation (GDPR)
    7. Proprietary data relating to trade secrets, intellectual property, or other proprietary data that requires additional protection and where the confidential nature of the information may lead to economic or other disadvantage to UH or the PI if disclosed
  4. Non-human data where there is a restriction on the use and disclosure of the data set. This may include but is not limited to data related to patents, inventions and commercialization of University research

FDP Data Transfer and Use Agreement (“Agreement”)

The University of Houston is a member of the Federal Demonstration Partnership (FDP). A DUA template was created for use by members to allow for consistency in terms and format, to reduce associated administrative burden and help institutions comply with sponsors’ data sharing requirements. The template can be used for sharing de-identified data about human subjects or Limited Data sets.

Ordering Data From a Repository

Some repositories require registration, review and institutional approval. If you are registering to use a repository, or if you are ordering a specific data set, and the repository requires an institutional signature, then documentation must be submitted to the Division of Research for review. Some common repositories are the following:

  • Bureau of Labor Statistics (BLS) Restricted Data Access Letter of Agreements
  • NIH database of Genotypes and Phenotypes (dbGaP) Data Access

Transferring Export Controlled Material

Under U.S. export control laws, a license may be required from the Bureau of Industry and Security of the Department of Commerce for the export of certain data. Anyone who is planning to transfer material controlled by the Department of Commerce or the Department of State outside of the United States should work with the UH Export Control Officer, Sandy Ulmer, to obtain the required license.

Conflict of Interest Consideration

DUAs where the decision to undertake the research is based on receiving access to the material(s) from a non-governmental or industrial provider must follow Conflict of Interest (COI) Committee requirements for financial disclosure.

HIPAA Covered Entities

HIPAA covered entities must take all reasonable steps to cure a recipient's breach of the DUA. For example, if UH or a PI learns that data it provided to a recipient is being used in a manner not authorized under the DUA, the PI must contact General Counsel to determine how best to proceed. In most situations, UH will work with the recipient to correct this problem. If these efforts are unsuccessful, UH would be required to cease any further disclosures of PHI to the recipient under the DUA and report the matter to the federal Department of Health and Human Services Office for Civil Rights.