Data License Agreement
Data license agreements (DLA), or data use agreements (DUA) are documents that describe what kind of data is being shared with recipients. DLAs specify clearly the purpose and duration of access being provided to the recipient, along with restrictions and security protocols that the recipient of the data must follow. Other contracts, such as a non-disclosure agreement (NDA), may be used to guarantee confidentiality of sensitive data.
- A non-disclosure agreement (NDA) is an agreement signed by a member of the research team stating clearly that they will not share any sensitive information with anyone outside the research team.
- A data license agreement (DLA) usually has two parties - one who provides the data, and the other who requests access to that data.
- Projects that have multiple sources of data will require multiple data license agreements.
- Members of the research team must follow certain best practices when developing a DLA.
- The World Bank uses the following DLA template.
Every data license agreement (DLA) involves at least two sides: one, the researcher or organization providing the data - the data provider, and two, the researcher or organization requesting access to the data - the data requestor. The data provider is responsible for permitting access to the data as a representative of the research subjects or the agency responsible for data collection. The data provider is also bound by laws and policies that deal with providing access to PII data and other sensitive data such as test scores, health conditions, etc. In some cases, the data provider can take the help of a data intermediary or a data custodian to offer data on their behalf. Custodians and intermediaries support access to data for the requestors. They also reduce the burden on data providers by ensuring compliance with laws, and coordinating between multiple requestors and providers.
Data license agreements (DLAs) can differ in terms of structure and the level of detail depending on the context. However, they must clearly cover the following aspects:
- The legal framework within which access to the data will be provided
- Scope of the study for which requestor needs access to the data
- Restrictions on what the requestor can do with the data
- Constraints on publishing sensitive information and PII data
NOTE: In addition to this, the data requestors must also submit their DLA to their organization's information security specialists for an internal review. In general, it is a good practice for the data requestor to prepare some form of documentation for data access, even if the data provider does not require it.
The process of drafting a data license agreement (DLA) can take up a lot of time. In some cases, negotiations between data providers and data requestors can also fall apart after months (or even years) of discussion. Therefore, advance planning can help both requestors and providers achieve secure agreements that ensure safety of subjects, as well as of the data and the study for which the data is required. Keep the following points in mind about preparing a secure DLA:
- Initiation: DLAs can be initiated by the provider, as well as the requester. # Established procedures: Data providers may have established procedures when sharing data with a requestor, or with an organization working on behalf of the requestor.
- Review: If a data provider has an established process for sharing data with requestors, the requesting organization must review their terms and requirements. The requestor should offer additions or edits where they consider appropriate. However, requestors should note that it might not always be possible for providers to modify data-sharing procedures.
- Legal framework: Data providers should be aware of the laws, regulations, and policies permitting use of their data. As soon as the providers receive a request, they should determine whether they already have established procedures for sharing data, and whether these procedures are legally valid.
- Public procedures: While procedures for providing access to data may not always be publicly available, some agencies and organizations post their established procedures on their websites. This can significantly speed up and simplify the process of fulfilling the request for data access.
While discussing the data license agreement (DLA), the data provider and the data requestor should carefully discuss the logistics like timelines and costs involved for both parties. This includes the following:
- Time of data delivery: That is, when the requestor will get access to the data.
- Method of extracting data: That is, how the data will be extracted from storage before being shared with the requestor.
- Expenses involved: That is expenses that might arise for the requestor and the provider while the data-sharing agreement is in effect. This includes fees charged by administrative agencies and intermediaries for ensuring the agreement is successfully completed.
In addition to this, both parties should keep in mind the following with regards to timeline and cost of preparing and carrying out a data-sharing arrangement:
- Negotiations: Negotiating agreements like the DLA can take up to a year, from the drafting stage to the execution stage, especially if there is no history of the two parties exchanging data before.
- Pending requests: Even if the requestor and the provider have previously exchanged data before, there could be pending requests with the provider that can cause delays.
- Interim: Even after signing a DLA, requestors should aaccount for the time after approval, but before data delivery, since the processes for fulfilling the request can take a significant amount of time to be completed. For example, data providers will need time to document and format the requested data. They may also need time to extract the data from multiple databases, or carefully encrypted storage
- Publication: The data requestor may also need to notify the data providers before any releasing any outputs or publications. This would take additional time.
- Transparency: Finally, if both parties are transparent about the timeline and costs, and focus on making the DLA as clear as possible, then it makes it easier to carry out the data-sharing arrangement.