Attention A T users. To access the menus on this page please perform the following steps. 1. Please switch auto forms mode to off. 2. Hit enter to expand a main menu option (Health, Benefits, etc). 3. To enter and activate the submenu links, hit the down arrow. You will now be able to tab or arrow up or down through the submenu options to access/activate the submenu links.

Minneapolis VA Health Care System Research Service

Quick Links
Veterans Crisis Line Badge
My healthevet badge

Data Use Agreements

How do I obtain approval for a Data Use Agreement?

Research data originating in VA-approved studies are the property of the VA. Investigators must seek approval from the VA before sharing VA data with other institutions. When sharing data, investigators should initiate a Data Use Agreement (DUA) to ensure the data recipient agrees to any terms and conditions expected by VA. A DUA typically defines how the data will be used, who may access and use the data, how the data must be stored and secured, and how the recipient will dispose of the data after completion of the research. Without a DUA, no limits are placed on the data, and VA cannot ensure the data are protected, that VA is credited as the originator of the data, or place limits on any further sharing of data.

A DUA is required when sharing identifiable human subjects data outside of the VA, unless the subjects explicitly agreed to this data sharing in the study HIPAA authorization. While not strictly required by VA regulations, a DUA is strongly encouraged by the VA Office of Research & Development (ORD) when sharing de-identified datasets outside of VA. Note that for de-identified datasets, inclusion of the data recipient on a HIPAA authorization does not remove need for a DUA.

A DUA is not required to share data between VA facilities when sharing the data is required to complete the study, and data sharing is described in an IRB-approved study protocol for each site. For example, in a multi-site VA study approved by VA Central IRB, sending data to the lead VA site as described in the approved protocol does not require a DUA. A DUA may not be required in cases where another existing agreement such as a VA-approved contract or CRADA specifies terms and limits for data sharing.

Determining whether any specific transfer of data requires a DUA is not necessarily straightforward. Investigators planning to share VA data should always consult with the Research Privacy Officer (PO) prior to any action. It is the expectation of the Minneapolis VA Research Service that DUAs will be implemented as recommended by ORD for all data shared from this facility.

When initiating a DUA, the Research PO must have a full picture of the goal of the request. You must provide the name and contact information of the person or entity recieving the data. You must also be able to explain the purpose of the request: Why does the recipient need the data? What will the recipient do with the data?

Because most DUAs executed for our program involve sharing de-identified data, this FAQ focuses specifically on the de-identification process and subsequent DUA. For other cases, such as sharing of identifiable data or when you are asked to complete a DUA as the recipient of data from an outside organization, contact the Research PO for guidance. Remember, you as the investigator should not sign any agreements that have not been reviewed and approved by an authorized representative of the VA.

Basic Process for a DUA

The following steps for a DUA are outlining the process for typical data sharing requests, involving VA investigators sharing de-identified data only. If your data sharing request involves identifiable data or a limited data set, contact the Research PO for guidance.

  1. Investigator completes a PHI De-Identification Certification Form
  2. Investigator contacts the Research PO via encrypted VA email. Email must include:
    1. Purpose of the request (e.g., statistical analysis)
    2. Name of the individual/entity requesting the data
    3. Completed PHI De-Identification Certification Form
    4. Copy of the de-identified dataset
  3. The Research PO reviews the materials and responds in one of the following ways:
    1. Confirming the data set is de-identified; or
    2. Specifying corrections need to be made by the study team to ensure the data set is de-identified
  4. Once the dataset has been determined to be deidentified, the Research PO will inform the investigator which DUA form they will need to complete.
  5. Investigator completes the DUA form and returns it to the Research PO for final verification
  6. After review by the Research PO, the investigator routes the DUA for signatures:
    1. Data recipient signs first
    2. Minneapolis investigator signs second
    3. VA ISSO signs third
    4. ISSO will route the DUA to the Research PO
    5. Research PO will route form to the Deputy ACOS for the final signature
  7. After the final signature, the Deputy ACOS will send a copy of the fully executed DUA to the investigator. Study team is clear to send the de-identified data to the recipient only after receipt of the fully executed DUA.

References and Links

For more information, please refer to RDC SOP "Transfer of Research Data or Materials".