Difference between revisions of "Data License Agreement"

Jump to: navigation, search
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
'''Data license agreements (DLA)''', or data use agreements (DUA) are documents that describe what kind of data is being shared with recipients. '''DLAs''' specify clearly the purpose and duration of access being provided to the recipient, along with restrictions and security protocols that the recipient of the data must follow. Other contracts, such as a '''non-disclosure agreement (NDA)''', may be used to guarantee [[De-identification|confidentiality]] of sensitive data.  
'''Data license agreements (DLA)''', or data use agreements (DUA) are documents that describe what kind of data is being shared with recipients. A '''DLA''' clearly states the purpose and duration of access being provided to the recipient, along with restrictions and security protocols that the recipient of the data must follow. Other contracts, such as a '''non-disclosure agreement (NDA)''', may also be used to guarantee [[De-identification|confidentiality]] of sensitive data.  


== Read First ==
== Read First ==
* A '''non-disclosure agreement (NDA)''' is an agreement signed by a member of the [[Impact Evaluation Team|research team]] stating clearly that they will not share any sensitive information with anyone outside the '''research team'''.
* A '''non-disclosure agreement (NDA)''' is an agreement signed by a member of the [[Impact Evaluation Team|research team]] stating clearly that they will not share any sensitive information with anyone outside the '''research team'''.
* A '''data license agreement (DLA)''' usually has two parties - one who provides the data, and the other who requests access to that data.
* A '''data license agreement (DLA)''' usually has two parties - one who provides the data ('''data provider'''), and the other who requests access to that data ('''data requestor''').
* Projects that have multiple sources of data will require multiple '''data license agreements'''.
* In a '''DLA''', the '''data provider''' retains full ownership of the dataset that is requested.
* Members of the [[Impact Evaluation Team|research team]] must follow certain best practices when developing a '''DLA'''.
* Projects that have multiple sources of data will require multiple '''DLAs'''.
* Members of the [[Impact Evaluation Team|research team]] must follow certain best practices when drafting a '''DLA'''.
* The [https://www.worldbank.org/en/home World Bank] uses the following '''DLA''' [https://worldbankgroup.sharepoint.com/teams/ddh/SiteAssets/SitePages/ddh/DataLicenseAgreementTemplate_v4.pdf?cid=68a54269-bbff-4b47-846d-cab248ad7de1 template].
* The [https://www.worldbank.org/en/home World Bank] uses the following '''DLA''' [https://worldbankgroup.sharepoint.com/teams/ddh/SiteAssets/SitePages/ddh/DataLicenseAgreementTemplate_v4.pdf?cid=68a54269-bbff-4b47-846d-cab248ad7de1 template].
== Overview ==
== Overview ==
The data provider is responsible for permitting data access on behalf of the collecting agency or data subjects. The data provider is bound by law, regulation, or policies that may be very specific regarding access to direct identifiers (name, date of birth, social security number) and sensitive information (health conditions, grades, or test scores). The data requestor is a researcher pursuing data access for a specific purpose. Researchers at universities must typically go through a review of the DUA by an Office of Research or Sponsored Programs or the Office of the General Counsel and possibly by university information security specialists.
Every '''data license agreement (DLA)''' involves at least two sides: one, the researcher or organization providing the data - the '''data provider''', and two, the researcher or organization requesting access to the data - the '''data requestor'''. The '''data provider''' is responsible for permitting access to the data as a representative of the [[Protecting Human Research Subjects|research subjects]] or the agency responsible for [[Primary Data Collection|data collection]]. The data provider is also bound by laws and policies that deal with providing access to [[Personally Identifiable Information (PII)|PII data]] and other sensitive data such as test scores, health conditions, etc. In some cases, the data provider can take the help of a '''data intermediary''' or a '''data custodian''' to share the data on their behalf. '''Custodians''' and '''intermediaries''' support access to data for the requestors. They also reduce the burden on data providers by ensuring compliance with laws, and coordinating between multiple requestors and providers.
 
In some circumstances, the data provider may utilize a separate data custodian or data intermediary to offer data on their behalf, adhering to all required laws, regulations, and policies. Custodians and intermediaries support data access, reducing the burden for data providers by handling requests, reviews, and provisioning to researchers. Projects involving multiple information sources will require multiple DUAs, potentially involving a variety of terms and conditions. DUAs may also become more complex for multi-site research projects when different teams of researchers will need to access data and collaborate. Intermediaries can be particularly useful in these circumstances for facilitating data access, by coordinating between different data providers and researchers.
 
Depending on the data provider, other forms of documentation can be used. Examples include memoranda of understanding (MOU), data use agreements, and data exchange letters. These have different structures and levels of detail, but all of these instruments will state the legal framework for data access, what the requestor may do with the data (e.g., scope of the study, restrictions on redistribution), security controls, and constraints on publishing. The data requestor should always prepare some form of documentation for data access, even if the data provider does not require it.
 


* '''Costs'''
== Scope ==
Both parties should consider what is possible, and what is likely, in terms of the timeframe the agreement will cover. This includes when data delivery can occur, how data will be extracted from administrative systems, and what expenses might arise during the term of the data sharing arrangement. Agreements can take up to a year to negotiate from drafting to execution, especially if there is no history of the two parties exchanging data before. Even organizations with past data sharing relationships or with established processes may have a queue of requests, which may create delays. After achieving a signed agreement, researchers should anticipate for the time between approval and delivery: the processes for fulfilling the request may be intensive. For example, data providers will need time to document and format the requested data and additional time may be needed to pull data from multiple databases or from inactive storage. That process may be especially lengthy if the request is novel. Data providers may also require notification or approvals before any output releases or publications.
'''Data license agreements (DLAs)''' can differ in terms of structure and the level of detail depending on the context. However, they must clearly cover the following aspects:
* '''The legal framework''' within which access to the data will be provided
* '''Scope of the study''' for which requestor needs access to the data
* '''Restrictions''' on what the requestor can do with the data
* '''Constraints on publishing''' sensitive information and '''PII data'''


Many administrative agencies are resource constrained, needing to prioritize program needs over research requests. In this situation, they may decide to charge fees for data preparation and extraction. Being transparent about timeframe and cost and making the data use agreement as clear as possible helps set expectations between the parties.
'''NOTE:''' In addition to this, the '''data requestors''' must also submit their '''DLA''' to their organization's information security specialists for an internal review. In general, it is a good practice for the data requestor to prepare some form of '''documentation''' for data access, even if the '''data provider''' does not require it.


== Drafting DLAs ==
== Drafting ==
Creating DUAs can be time-intensive. In some cases, negotiations fall apart after months or years of discussions. Advance planning can help both researchers and data providers achieve sound DUAs. DUAs can be initiated by the researcher or data provider.36 Data providers may have different or expedited procedures when sharing data with a researcher, an evaluator, or contractor working on their behalf.
The process of '''drafting''' a '''data license agreement (DLA)''' can take up a lot of time. In some cases, negotiations between '''data providers''' and '''data requestors''' can also fall apart after months (or even years) of discussion. Therefore, advance planning can help both '''requestors''' and '''providers''' achieve secure agreements that ensure safety of [[Protecting Human Research Subjects|subjects]], as well as of the data and the study for which the data is required. Keep the following points in mind about preparing a secure '''DLA''':
# '''Initiation:''' DLAs can be initiated by the provider, as well as the requester.  
# '''Established procedures:''' Data providers may already have established procedures for sharing data with a requestor, or with an organization working on behalf of the requestor.
# '''Review:''' If a data provider has an established process for sharing data with requestors, the requesting organization must review the terms of these procedures. The requestor should offer additions or edits whereever they consider appropriate. However, requestors should note that it might not always be possible for providers to modify data-sharing procedures based on this feedback because of certain policies.
# '''Legal framework:''' Data providers should be aware of the laws, regulations, and policies permitting use of their data. As soon as the providers receive a request, they should determine whether they already have established procedures for sharing data, and whether these procedures are legally valid.
# '''Public procedures:''' While procedures for providing access to data may not always be publicly available, some agencies and organizations post their established procedures on their websites. This can significantly speed up and simplify the process of fulfilling the request for data access.


If a data provider has an established data request process, a researcher must review their terms and requirements, offering additions or edits as appropriate. Data providers should be aware of the laws, regulations, and policies permitting use of their data, and, upon receiving a first request, determine whether data request procedures already exist in their organization. Data providers (such as government agencies or private companies) may have Offices of General Counsel that have preferred templates or formats. Some data providers will be reluctant or unable to modify their request processes. Data request and access procedures may not always be publicly available, though some agencies and organizations have data request procedures on their websites, and this can significantly speed up and simplify the request process.
== Logistics ==
While discussing the '''data license agreement (DLA)''', the '''data provider''' and the '''data requestor''' should carefully discuss the '''logistics'''. This includes the following:
* '''Time of data delivery:''' That is, when the requestor will get access to the data.
* '''Method of extracting data:''' That is, how the data will be extracted from [[Encryption|storage]] before being shared with the requestor.
* '''Expenses involved:''' That is, the expenses that might arise for both the requestor and the provider while the data-sharing agreement is in effect. This includes fees charged by administrative agencies and intermediaries for ensuring the agreement is successfully completed.
In addition to this, both parties should keep in mind the following with regards to '''timeline''' and '''cost''' of drafting and carrying out a data-sharing arrangement:
* '''Negotiations:''' Negotiating agreements like the '''DLA''' can take up to a year from the drafting stage to the execution stage, especially if there is no history of the two parties exchanging data in the past.
* '''Pending requests:''' Even if the requestor and the provider have exchanged data in the past, there could be pending requests with the provider that can cause delays.
* '''Interim steps:''' After signing a '''DLA''', requestors should allocate additional time after approval, but before data delivery, since the processes for fulfilling the request can take a significant amount of time to be completed. For example, data providers will need time to [[Data Documentation|document]] and [[Data Cleaning|format]] the requested data. The providers may also need time to extract the data from multiple databases, or from carefully [[Encryption|encrypted storage]]
* '''Publication:''' The data requestor may also need to notify the data providers before any releasing any outputs or [[Publishing Data|publications]], and therefore additional time should be allocated to allow for these approvals.
* '''Transparency:''' Finally, if both parties are transparent about the timeline and costs, and focus on making the '''DLA''' as clear as possible, then it makes it significantly easier to carry out the data-sharing arrangement.
In conclusion, no matter how big the project is, or how large the requested dataset is, both parties should invest time and effort into preparing a sound '''data license agreement'''.


== Related Pages ==
== Related Pages ==
Line 29: Line 46:


== Additional Resources ==
== Additional Resources ==
* JPAL, [https://admindatahandbook.mit.edu/book/testing/index.html Handbook on Using Administrative Data for Research and Evidence-based Policy]]
* JPAL, [https://admindatahandbook.mit.edu/book/v1.0/index.html Handbook on Using Administrative Data for Research and Evidence-based Policy]
* World Bank, [https://worldbankgroup.sharepoint.com/teams/ddh/SiteAssets/SitePages/ddh/DataLicenseAgreementTemplate_v4.pdf?cid=68a54269-bbff-4b47-846d-cab248ad7de1 World Bank's Data License Agreement]
* World Bank, [https://worldbankgroup.sharepoint.com/teams/ddh/SiteAssets/SitePages/ddh/DataLicenseAgreementTemplate_v4.pdf?cid=68a54269-bbff-4b47-846d-cab248ad7de1 World Bank's Data License Agreement]
[[Category: Research Design]]

Latest revision as of 16:27, 21 June 2021

Data license agreements (DLA), or data use agreements (DUA) are documents that describe what kind of data is being shared with recipients. A DLA clearly states the purpose and duration of access being provided to the recipient, along with restrictions and security protocols that the recipient of the data must follow. Other contracts, such as a non-disclosure agreement (NDA), may also be used to guarantee confidentiality of sensitive data.

Read First

  • A non-disclosure agreement (NDA) is an agreement signed by a member of the research team stating clearly that they will not share any sensitive information with anyone outside the research team.
  • A data license agreement (DLA) usually has two parties - one who provides the data (data provider), and the other who requests access to that data (data requestor).
  • In a DLA, the data provider retains full ownership of the dataset that is requested.
  • Projects that have multiple sources of data will require multiple DLAs.
  • Members of the research team must follow certain best practices when drafting a DLA.
  • The World Bank uses the following DLA template.

Overview

Every data license agreement (DLA) involves at least two sides: one, the researcher or organization providing the data - the data provider, and two, the researcher or organization requesting access to the data - the data requestor. The data provider is responsible for permitting access to the data as a representative of the research subjects or the agency responsible for data collection. The data provider is also bound by laws and policies that deal with providing access to PII data and other sensitive data such as test scores, health conditions, etc. In some cases, the data provider can take the help of a data intermediary or a data custodian to share the data on their behalf. Custodians and intermediaries support access to data for the requestors. They also reduce the burden on data providers by ensuring compliance with laws, and coordinating between multiple requestors and providers.

Scope

Data license agreements (DLAs) can differ in terms of structure and the level of detail depending on the context. However, they must clearly cover the following aspects:

  • The legal framework within which access to the data will be provided
  • Scope of the study for which requestor needs access to the data
  • Restrictions on what the requestor can do with the data
  • Constraints on publishing sensitive information and PII data

NOTE: In addition to this, the data requestors must also submit their DLA to their organization's information security specialists for an internal review. In general, it is a good practice for the data requestor to prepare some form of documentation for data access, even if the data provider does not require it.

Drafting

The process of drafting a data license agreement (DLA) can take up a lot of time. In some cases, negotiations between data providers and data requestors can also fall apart after months (or even years) of discussion. Therefore, advance planning can help both requestors and providers achieve secure agreements that ensure safety of subjects, as well as of the data and the study for which the data is required. Keep the following points in mind about preparing a secure DLA:

  1. Initiation: DLAs can be initiated by the provider, as well as the requester.
  2. Established procedures: Data providers may already have established procedures for sharing data with a requestor, or with an organization working on behalf of the requestor.
  3. Review: If a data provider has an established process for sharing data with requestors, the requesting organization must review the terms of these procedures. The requestor should offer additions or edits whereever they consider appropriate. However, requestors should note that it might not always be possible for providers to modify data-sharing procedures based on this feedback because of certain policies.
  4. Legal framework: Data providers should be aware of the laws, regulations, and policies permitting use of their data. As soon as the providers receive a request, they should determine whether they already have established procedures for sharing data, and whether these procedures are legally valid.
  5. Public procedures: While procedures for providing access to data may not always be publicly available, some agencies and organizations post their established procedures on their websites. This can significantly speed up and simplify the process of fulfilling the request for data access.

Logistics

While discussing the data license agreement (DLA), the data provider and the data requestor should carefully discuss the logistics. This includes the following:

  • Time of data delivery: That is, when the requestor will get access to the data.
  • Method of extracting data: That is, how the data will be extracted from storage before being shared with the requestor.
  • Expenses involved: That is, the expenses that might arise for both the requestor and the provider while the data-sharing agreement is in effect. This includes fees charged by administrative agencies and intermediaries for ensuring the agreement is successfully completed.

In addition to this, both parties should keep in mind the following with regards to timeline and cost of drafting and carrying out a data-sharing arrangement:

  • Negotiations: Negotiating agreements like the DLA can take up to a year from the drafting stage to the execution stage, especially if there is no history of the two parties exchanging data in the past.
  • Pending requests: Even if the requestor and the provider have exchanged data in the past, there could be pending requests with the provider that can cause delays.
  • Interim steps: After signing a DLA, requestors should allocate additional time after approval, but before data delivery, since the processes for fulfilling the request can take a significant amount of time to be completed. For example, data providers will need time to document and format the requested data. The providers may also need time to extract the data from multiple databases, or from carefully encrypted storage
  • Publication: The data requestor may also need to notify the data providers before any releasing any outputs or publications, and therefore additional time should be allocated to allow for these approvals.
  • Transparency: Finally, if both parties are transparent about the timeline and costs, and focus on making the DLA as clear as possible, then it makes it significantly easier to carry out the data-sharing arrangement.

In conclusion, no matter how big the project is, or how large the requested dataset is, both parties should invest time and effort into preparing a sound data license agreement.

Related Pages

Click here for pages that link to this topic.

Additional Resources