On request, ORI can provide guidance on the terms and conditions of the ACA in which GW participates. This recommended service allows the examiner to understand his rights and the responsibilities of the university as part of the agreement. As a general rule, any transfer of "restricted" or "regulated" data requires an agreement between the supplying party (data owner) and the receiving party (data user). Failure to comply with the terms of the AEA could result in significant debts, including possible criminal sanctions, and could infringe on other rights of the parties concerned. The Personal Data Processing Agreement (PDPA) contributes to the UW's data protection values and principles and addresses laws and regulations governing the protection of personal data. Many types of research and sponsored activity agreements are sent to Principal Investigators (PIs) and UW staff. A guide has been developed to determine which UW office they can turn to. Once an LDS has been created and a HIPAA-compliant DTUA has been implemented, the LDS can be used jointly according to the DTUA. For more information, please see the UW-Madison Directive on creating a restricted data set. A copy of the agreement to use is available here: DTUA – HIPAA Limited Data Set.
Does the data relate to an active or outstanding sponsored project? Data Transfer and Use Agreements (DTUAs) are contracts established for the way data is transmitted. These agreements contain provisions to address various legal requirements of HIPAA and also describe usage restrictions that protect the institutional data provider. A copy of the agreement is available here: DTUA – HIPAA. This type of agreement is used in situations where data has been de-identified by removing certain identifiers. Under HIPAA, data that does not contain the following 18 identifiers is considered de-identified and may be disclosed and used without further compliance with HIPAA: For the purposes of the Common Rule, your data set contains personal data when the identity of the person concerned may be established by the examiner or may be associated with other information. Once the ACA review is complete, ORI will forward the agreement to the Institutional Official (IO) for signature. The director of the Office of Sponsored Projects within the OVPR is the IO to whom signature authority for the execution of DUAs is delegated. If your data contains data collected during human subject research, an important first step in the DTUA process is to confirm that your initial IRB protocol allows the data to be shared with the proposed recipient.
Often, during research, new uses are discovered for data that were not considered at the beginning of a study. If your IRB protocol does not allow the expected data sharing, you should start the protocol modification process at the same time as, or before, looking for a DTUA RSP. This will significantly speed up the process. Here you can find information on requesting to change an IRB protocol. ORI only verifies the terms and conditions of the DUA. It is the examiner's responsibility to ensure that GW is able to meet the administrative, technical and physical security requirements of the data. ORI strongly recommends that auditors cooperate with their local IT units or with the Information Technology Division's Office of Risk and Compliance to develop data management plans for data access, protection, storage and retention before DUAs are audited. Although DMPs are not required to perform DUAs, ORI and IA must be monitored to verify that a computer audit has been conducted. Data Transfer and Use Agreements (DTUAs) are contracts established for the way data is transmitted.
These agreements contain provisions to address several legal requirements of HIPAA or FERPA and also describe usage restrictions that protect the institutional data provider.