Data License Agreement
Data license agreements (DLA), or data use agreements (DUA) are documents that describe what kind of data is being shared with recipients. DLAs specify clearly the purpose and duration of access being provided to the recipient, along with restrictions and security protocols that the recipient of the data must follow. Other contracts, such as a non-disclosure agreement (NDA), may be used to guarantee confidentiality of sensitive data.
- A non-disclosure agreement (NDA) is an agreement signed by a member of the research team stating clearly that they will not share any sensitive information with anyone outside the research team.
- A data license agreement (DLA) usually has two parties - one who provides the data, and the other who requests access to that data.
- Projects that have multiple sources of data will require multiple data license agreements.
- Members of the research team must follow certain best practices when developing a DLA.
- The World Bank uses the following DLA template.
The data provider is responsible for permitting data access on behalf of the collecting agency or data subjects. The data provider is bound by law, regulation, or policies that may be very specific regarding access to direct identifiers (name, date of birth, social security number) and sensitive information (health conditions, grades, or test scores). The data requestor is a researcher pursuing data access for a specific purpose. Researchers at universities must typically go through a review of the DUA by an Office of Research or Sponsored Programs or the Office of the General Counsel and possibly by university information security specialists.
In some circumstances, the data provider may utilize a separate data custodian or data intermediary to offer data on their behalf, adhering to all required laws, regulations, and policies. Custodians and intermediaries support data access, reducing the burden for data providers by handling requests, reviews, and provisioning to researchers. Projects involving multiple information sources will require multiple DUAs, potentially involving a variety of terms and conditions. DUAs may also become more complex for multi-site research projects when different teams of researchers will need to access data and collaborate. Intermediaries can be particularly useful in these circumstances for facilitating data access, by coordinating between different data providers and researchers.
Depending on the data provider, other forms of documentation can be used. Examples include memoranda of understanding (MOU), data use agreements, and data exchange letters. These have different structures and levels of detail, but all of these instruments will state the legal framework for data access, what the requestor may do with the data (e.g., scope of the study, restrictions on redistribution), security controls, and constraints on publishing. The data requestor should always prepare some form of documentation for data access, even if the data provider does not require it.
Creating DUAs can be time-intensive. In some cases, negotiations fall apart after months or years of discussions. Advance planning can help both researchers and data providers achieve sound DUAs. DUAs can be initiated by the researcher or data provider.36 Data providers may have different or expedited procedures when sharing data with a researcher, an evaluator, or contractor working on their behalf.
If a data provider has an established data request process, a researcher must review their terms and requirements, offering additions or edits as appropriate. Data providers should be aware of the laws, regulations, and policies permitting use of their data, and, upon receiving a first request, determine whether data request procedures already exist in their organization. Data providers (such as government agencies or private companies) may have Offices of General Counsel that have preferred templates or formats. Some data providers will be reluctant or unable to modify their request processes. Data request and access procedures may not always be publicly available, though some agencies and organizations have data request procedures on their websites, and this can significantly speed up and simplify the request process.