UI Research Data Policy and Data Use Agreement Guidance

I. Purpose  

Accurate and appropriate documentation of the results of research is an essential feature of any research project. The University of Iowa (UI) and its researchers share an interest in assuring that research data are accurately and appropriately recorded, used, retained, and available for review and sharing. In addition, increased mobility among academic researchers has resulted in the need to provide policies governing continued access to research data.   UI ownership and stewardship of research data are based on applicable laws and regulations, contractual agreements, UI policies, and sound management principles to ensure:  

  • alignment with the UI mission;  
  • the required preservation and accessibility of research data;  
  • the promotion of open science;
  • the commitment to providing benefit to the public;  
  • consideration for proprietary, confidential, and controlled information;
  • compliance with privacy laws and regulations; and • availability of data supporting research proposals and publications.  

II. Scope of policy  

This policy shall apply to all UI faculty, staff, students, and any other individuals involved in the design, conduct and reporting of research at or under the oversight of UI, and it shall apply to all research projects on which those individuals work, regardless of the type of research or the source of support for the project.     Oversight of policy. This is policy is overseen by the Vice President for Research.

 III. Definitions  

"Investigator" means a person, whether an employee or otherwise affiliated with UI, whose position responsibility statement, job description, employment assignment, and/or function within the UI is, either in whole or in part, to conduct Research, whether sponsored by external sources, internal sources, or unfunded. Such Investigators shall include, but not be limited to, faculty, staff, students, or others serving as members of a Research team.  

“Principal Investigator” or “PI” means an Investigator who has primary responsibility for a research project within the UI for the design, conduct, and reporting of Research.  

“Research” means a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge (basic research) or specific knowledge (applied research).  

“Research Data” means recorded information (in any media or format), factual material, and the associated processes (including protocols) that are commonly accepted in the scientific community as both necessary and sufficient to document and support research findings. Research Data Policy  Jan. 12, 2017; Rev.  April 14,2023 2   Examples of Research Data include, but are not limited to: documents, spreadsheets, databases, laboratory notebooks, field notebooks, diaries, questionnaires, transcripts, codebooks, audio recordings, video recordings, images, films, protein or genetic sequences, spectra, test responses, slides, artifacts, specimens, samples, collection of digital objects acquired and generated during the process of research, database contents (quantities and codes, text, video, audio, images, or other data objects), models, algorithms, scripts, contents of an application (input, output, logfiles for analysis software, simulation software, schemas), methodologies and workflows, standard operating procedures and protocols.  

 IV. Ownership  

In accordance with the UI’s Copyright Policy, the UI generally owns the Research Data generated from all Research, development, and related activities conducted under its oversight. The UI does not in this policy or in the Copyright Policy generally claim ownership of copyright in scholarly journal articles or other similar works       created by UI academic authors based on such Research Data.  The UI’s ownership of Research Data is derived in part from its role as a steward of public resources and extends from the UI’s obligation to be legally and financially accountable for issues related to Research Data. UI’s legal and financial obligations include the responsibility: • to investigate allegations of research misconduct;  • to protect the right of Investigators to access Research Data they collect; to ensure appropriate protections for human and animal subjects in Research;  • to secure and protect intellectual property rights; and  • to comply with the terms of sponsored Research agreements.  

V. Rights and Responsibilities  

On behalf of the UI, the Principal Investigator (PI) is the custodian of the Research Data and is ultimately responsible for the collection, management, and retention of Research Data. However, because other members of the Research team may have obligations for Research Data collection and retention, this policy uses the term “Investigator” to refer to all such team members.

 A.  Collection and Retention  

Investigators are responsible for the orderly collection, retention, organization, description, proper storage, and security of Research Data. Investigators will also ensure retention of complete records to document the methods used; accuracy of the Research Data collected and interpreted; and compliance with contractual agreements and UI requirements, including appropriate protections for human and animal subjects in Research, safeguards for protecting privacy and confidentiality of human Research subjects, proprietary information, and information controlled by law or regulation.   Research Data must be retained for a minimum of six years if the study involved the collection of protected health information (as defined by HIPAA). For all other Research, Research Data must be retained for a minimum of five years after the final closeout of the funded project or resulting publication, whichever occurs later. Circumstances that may require that Research Data be kept for a longer period: include, but are not limited to, investigation of allegations regarding the integrity of Research, preservation of intellectual property rights, completion of Research Data Policy  Jan. 12, 2017; Rev.  April 14,2023 3  student graduation requirements, and requirements imposed by the federal government or Research sponsors.   Whenever possible, the original Research Data must be part of the Research Data records. Research Data will ordinarily be stored in the PI’s lab or the unit where the records were created, but in any event, in storage locations (physical or electronic) owned or managed by the      UI and consistent with any contractual agreements or applicable laws and regulations.  When required by laws, regulations, or other agreements, Investigators must destroy Research Data on or before a specified deadline and follow the applicable process for destroying Research Data.   UI requirements related to institutional data and data security are described in the Institutional Data Policy  and IT Security Policy respectively.  

B.  Access  

As owner of the Research Data, the UI has the right to access the original Research Data to ensure that UI meets its obligations of legal and financial accountability for the Research Data. PI(s) will provide access to Research Data to the UI upon reasonable request (e.g., duly designated research compliance staff needing access to Research Data in performance of oversight/investigation duties. PI(s) will also provide access to authorized representatives of extramural sponsors of the Research, to designated governmental officials, or to accrediting organizations where such access is deemed appropriate by the UI.   The PI will facilitate requests for access to Research Data by members of the Research team who were involved significantly in the design, conduct, or reporting of the Research Data.  

C.  Sharing of Research Data  

Unless otherwise controlled or restricted, Research Data should be shared upon request for non-commercial purposes in accordance with data sharing policies adopted by federal agencies or other funding sponsors. The PI is responsible for following the requirements imposed by any sponsors of Research and, as applicable, the informed consent document and conditions of Institutional Review Board (IRB) approval.  

D. Data Restrictions  

UI is subject to regulatory requirements that affect the acquisition and protection of Research Data. UI complies with all applicable agency policies and makes Research Data available as broadly as possible while also providing protection to data collected or acquired in the planning or conduct of Research that is specifically restricted or controlled under Federal laws and regulations.  

VI. Transfer of Research Data – Investigator Departure  

An Investigator who leaves the UI may request to transfer copies of Research Data for any part of a project in which they were significantly involved in the design, conduct, or reporting of Research. Prior to leaving the UI, the Investigator shall identify in writing to their departmental executive officer (or equivalent person) those Research Data records they have Research Data Policy  Jan. 12, 2017; Rev.  April 14,2023 4  in their custody at the time and those Research Data records the Investigator wishes to copy and transfer to the new institution.    The transfer of copies of Research Data to a new institution is subject to UI approval and may be restricted by the need to protect proprietary rights, by contractual confidentiality obligations, or as restricted by law (e.g., HIPAA) or regulation.   UI approval of a request to transfer copies of Research Data will be granted upon a written agreement between the UI and the Investigator’s new institution in which the new institution accepts custodial responsibilities for the Research Data and, if applicable, agrees to obtain its own IRB approval prior to using identifiable human subjects Research Data collected at UI.  Upon approval by the UI, and unless otherwise restricted as described above, the UI will provide the requested copies of the Research Data to the departing Investigator within a reasonable amount of time after the request. Any costs associated with the transfer of copies of Research Data shall be the responsibility of the departing Investigator or the new institution.  

Original Research Data  

Original Research Data may not be transferred to a new institution or otherwise removed from the UI without the express prior written approval of the Investigator’s departmental executive officer (or equivalent person). If the original Research Data has been collected while conducting human subjects research, the UI IRB must review and approve the transfer prior to approval. If the original Research Data is being transferred to a new institution, the new institution must accept custodial responsibility for the data and agree in writing to provide the UI with access to the original Research Data as necessary.  

VII. Dispute Resolution  

Any disputes arising under this policy, including disputes regarding requests to transfer copies of Research Data or original Research Data, shall be resolved by the Vice President for Research.  

Other University of Iowa Policies Related to Research Data    

Institutional Data Policy  https://itsecurity.uiowa.edu/institutional-data  

IT Security Policy  https://itsecurity.uiowa.edu/security-policy   

  • When sharing University of Iowa data with a person or entity outside the University, it is generally required or recommended that the sharing be documented with a data use agreement.
  • If you are depositing data in a repository, individual repositories may have unique requirements for both the investigator and the institution.
  • For assistance with data transfer and use agreements, please contact the appropriate office listed at the end of this guidance.

Purpose

The purpose of this guidance is to assist its users in assessing whether a proposed outgoing transfer of data that is in the possession of UI and/or a UI investigator (developed in his or her work for UI) to a third party outside of the UI (i) is permissible; and (ii) if so, whether a DUA is necessary or recommended to affect the transfer. This guidance contemplates the outgoing transfer of data to third parties who have a bona fide research use or practical application for the data (e.g., collaborating research institutions, academicians, public policy makers, community service providers, etc.).  

Note: This guidance does not address incoming data to be accepted by UI, or a UI investigator, from a third party. Where incoming transfer of data is proposed, the data provider, subject to similar principles described herein, will ultimately determine the appropriate terms for sharing data.  This guidance does not address sharing data internally within the UI. 

Introduction

Data Use Agreements (DUAs) are contractual documents used for the transfer of non-public data that is subject to some restriction on its use. DUAs serve to outline the terms and conditions of the transfer. Specifically, DUAs address important issues such as limitations on use of the data, obligations to safeguard the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data. The understanding established by a DUA can help avoid later issues by clearly setting forth the expectations of the parties (provider and recipient). Having a signed DUA in place may be a required precondition to transfers of certain data, or it may simply be a good idea. Determining whether a DUA is required is necessarily context dependent. When a DUA is required, it must be purpose specific – i.e., data cannot be transferred pursuant to “master” or blanket sharing agreements without a unique implementing letter identifying the specific data set and uses. 

 DUAs shall be signed by a University of Iowa (UI) official who has the appropriate delegated signature authority. DUAs to share data for research purposes shall be signed by the Vice President for Research or the Executive Director of the Division of Sponsored Programs. DUAs for UI Health Care data stored in the hospital's electronic medical record shall be signed by the Chief Executive Officer of University of Iowa Hospitals and Clinics or the Vice President for Medical Affairs. All other DUAs shall be signed by the appropriate authorized UI official depending on the type of data involved, such as the UI’s Business Manager, in accordance with the UI’s Policy Manual, Part V, Section 6.1. 

Is the proposed Data Sharing Permitted? (See Exhibit A for Flow Chart)

  1. If the data is derived from human subject research: 

Does the associated informed consent form that subjects signed upon entering the study, or the relevant IRB waiver of consent, permit disclosure for the contemplated DUA purpose?   Has the IRB or Privacy Board reviewed and approved the data sharing proposal underlying the potential DUA?

  • No to all of the above.  Sharing is not permitted as is.  Contact the Human Subjects Office to inquire about potential options that would allow data sharing. 
  • Yes to any of the above.  Proceed to #2.
  1. If the data was collected pursuant to a sponsored research project, has the sponsor placed restrictions on the subsequent transfer of the data? 
  • No.  Proceed to #3.
  • Yes.  Sharing is not permitted as is.  Contact the Division of Sponsored Programs to inquire about potential options that would allow data sharing.
  1. If the data was initially received from, or derived from data received from a third party pursuant to a contract, does that contract place restrictions on the subsequent transfer of the data? 
  • No.  Proceed to #4. 
  • Yes.  Sharing is not permitted as is.  Contact the Division of Sponsored Programs to inquire about potential options that would allow data sharing.
  1. Does any policy, law or regulation prohibit the proposed data sharing? (See also #3 in the following “When is a DUA Necessary” section). 
  • No.  Data sharing is permitted.  Contact the appropriate office listed below for assistance with a Data Use Agreement. 
  • Yes.  Sharing is not permitted as is.  Contact the appropriate office listed below to inquire about potential options that would allow data sharing.

If data sharing is permitted, when is a DUA Necessary? (See Exhibit B for Flow Chart)

  1. Is the data to be transferred derived from human subjects research? 
  • No.  If the data does not involve human subjects, privacy concerns may no longer drive the need for a DUA, but the data may still be subject to contractual restrictions (see #4 & #5 below) or constitute proprietary data (see #6 below). 
  • Yes.  Proceed to #2. 
  1. Does the data originate from a UI Health Care source?  
  • Yes.  Will the data be shared outside UI Health Care?  If yes, contact UI Health Care Data Governance Task Force to determine if UI approval is required to share the data. 
  • No.   Is the data personally identifiable or HIPAA-protected (i.e., clinical data belonging to a Covered Entity or to the clinical component of a Hybrid Entity)? 
  • No.  If it is completely de-identified with no remaining personally identifiable information within the meaning of HIPAA and is not disclosed with a code or other means to re-identify the data, proceed to #3.  

To qualify as completely de-identified, there must be no actual knowledge that the information to be shared could be used alone or in combination with other information to identify an individual, and the data must be stripped of the following elements: 

  • Names 
  • Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes 
  • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, etc. 
  • Telephone numbers 
  • Fax numbers 
  • Email addresses 
  • Social security numbers 
  • Medical record numbers 
  • Health plan beneficiary numbers 
  • Account numbers 
  • Certificate/license numbers 
  • Vehicle identifiers and serial numbers 
  • Device identifiers and serial numbers 
  • Web URLs 
  • IP addresses 
  • Biometric identifiers, including finger and voice prints 
  • Photographic images 
  • Any other unique identifying number, characteristic or code 

Note:  OHRP (Office of Human Research Protections) does not consider research involving only coded private information or specimens to involve human subjects as defined under 45 CFR 46.102(f) if the following conditions are both met:

(1) the private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and

(2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example:

(a)  the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased (note that the HHS regulations do not require the IRB to review and approve this agreement);

(b)  there are IRB-approved written policies and operating procedures for a repository or data management center that prohibit the release of the key to the investigators under any circumstances, until the individuals are deceased; or 

(c)  there are other legal requirements prohibiting the release of the key to the investigators, until the individuals are deceased.  

 Yes. 

  • Use of HIPAA protected data may also require UI Health Care Data Governance Committee approval.  Contact UI Health Care Data Governance Task Force to determine if UI approval is required to share the data. 
  • If the data contains identifiers (see above) or constitutes a Limited Data Set* (LDS) within the meaning of HIPAA proceed to (i) and (ii) below.

*A LDS is Protected Health Information that excludes all of the above identifiers except for dates and geographical information at the zip code, town or city level. 

  • (i)  If the data is being transferred pursuant to authorizations contained in a Business Associate Agreement (BAA) and in accordance with a signed underlying agreement stating what data will be transferred between the parties and how the receiving party will use the data to assist the sending party in a healthcare function, then a data use agreement is not required.  A BAA should not be used for data generated from a research project.  It is designed for protection of health care data transmitted to a provider’s business partner for execution of business responsibilities.
  • (ii) Otherwise, a data use agreement is required
  1. Does the data contain:

(i)“Identification Information” as defined by Iowa Code §715A.8—Iowa’s identity theft statute;

(ii) “Education Records” as defined by the Family Educational Rights and Privacy Act (FERPA);

“Customer Record Information” (CRI) as defined by the Gramm Leach Bliley Act;

 “Card Holder Data” as defined by the Payment Card Industry (PCI) Data Security Standard;

(v) employee personnel file information of the type mentioned in Iowa Code §91B.1—an Iowa statute protecting such information;

(vi) information deemed confidential in accordance with Iowa Code Chapter 22—the Iowa Public Records Law, including trade secrets; or

(vii)any other information that is protected by UI policy or federal or state law from unauthorized access, such as Level II Moderate Sensitivity or Level III High Sensitivity data as defined in the UI’s IT Security & Policy Office’s Policy on Institutional Data Access available here.

  • No.  Proceed to #4. 
  • Yes. A data use agreement is required

4.Was the data collected pursuant to a sponsored research project? 

  • No.  Proceed to #5.
  • Yes.  Does the sponsor require data sharing, claim ownership of or licensing rights to the data, or restrict disclosure and use of the data? Check the terms and conditions of the grants, contracts, agreements, etc. governing the sponsored research project. Sponsor may require a data use agreement, institutional certification, or deposit in a repository. Contact the Division of Sponsored Programs with questions. 

5.Are there other restrictions on the contemplated data transfer? Was the data initially received from, or derived from data received from a third party or other source that restricts use or disclosure?

  • No.  Proceed to #6.
  • Yes.  Data use agreement may be required or recommended to flow through the limitations and restrictions placed on UI’s use and disclosure of the data. 

6.Even if not required, is a data use agreement recommended? 

a. Does the principal investigator (PI) consider the data to be “proprietary” to the PI (i.e., internally generated, not publicly available, and containing technical or other types of information that the PI would like to safeguard to protect his/her/UI’s competitive edge)?  UI’s default position is that the work product of faculty is not proprietary to UI.  Unless the data was collected under a sponsored research agreement that allocates ownership of the data and/or imposes restrictions on use (see #4 above), UI is willing to share, and the question of “proprietary” becomes one for the principal investigator.

b. Does the PI wish to restrict use of the data, secure publication review and acknowledgement rights, or otherwise direct and control use of the data post-transfer?

c. Does the PI want to obtain a determination that IRB approval is not required for use of deidentified data?   OHRP does not consider research involving only coded private information or specimens to involve human subjects as defined under 45 CFR 46.102(f) if the following conditions are both met:

  1. (1) the private information or specimens were not collected specifically for the currently proposed research project through an interaction or intervention with living individuals; and (2) the investigator(s) cannot readily ascertain the identity of the individual(s) to whom the coded private information or specimens pertain because, for example: (a)  the investigators and the holder of the key enter into an agreement prohibiting the release of the key to the investigators under any circumstances, until the individuals are deceased (note that the HHS regulations do not require the IRB to review and approve this agreement);
  • Yes to either (a) or (b).  Data use agreement is recommended to clarify the expectations, rights and responsibilities of the data recipient.  Contact the appropriate office listed below for further assistance. 
  • No to either (a) or (b).  DUA is not required or recommended. 

 For more information regarding: 

  • Data use agreements related to research, contact the Division of Sponsored Programs, dsp-contracts@uiowa.edu or 335-2123. 
  • Data sharing related to human subjects research, contact the Human Subjects Office, irb@uiowa.edu or 335-6564. 
  • Data use agreements related to UI Health Care data, contact the UI Health Care Legal, 356-4760. 
  • UI Health Care Data Governance Task Force, icts-bmiconsulting@healthcare.uiowa.edu
  • Other data use agreements, contact the Office of the General Counsel, general-counsel@uiowa.edu or 335-3696. 
  • Citing and creating references in publications to datasets shared via DUAs, contact Library Data Services, lib-data@uiowa.edu or 467-0069. 

Flowchart

Data Management and Sharing Plans

University of Iowa Partners in Data Management and Sharing

For questions regarding… Contact:
  • Proposal submission
  • Budgeting and allowable costs
  • NIH requirements for DMS
  • Data sharing and use agreements
 Division of Sponsored Programs at nih@uiowa.edu
  • Creating a DMS plan
  • Selecting a data repository
  • Managing data during research projects
  • Publishing and preserving research data
 UI Libraries Research Data Services at lib-data@uiowa.edu
  • Informed consent related to DMS
  • Documenting and obtaining IRB approval for the data sharing plan
 Human Subjects Office at irb@uiowa.edu
ITS Research Services at research-computing@uiowa.edu
  • Secure information technology systems
  • Identification of architectural requirements
  • Best practices
 Information Security and Policy at it-security@uiowa.edu
  • Protecting your inventions while sharing data
  • Will data sharing impact your ability to patent inventions
 University of Iowa Research Foundation at uirf@uiowa.edu 

 

These UI offices have extensive experience in assisting researchers with grant proposals and research compliance, facilitating data management and sharing, and tracking the impacts of research. 

The National Institutes of Health (NIH) announced the Final NIH Policy for Data Management and Sharing, NOT-OD-21-013NOT-OD-21-014.

The effective date of the DMS Policy is January 25, 2023.

The new Policy for Data Management and Sharing places a strong emphasis on the sharing of scientific data to expedite the translation of research results into knowledge, products, and procedures to improve human health. Under the new policy, scientific data should be made accessible as soon as possible, and no later than the time of an associated publication, or the end of the performance period, whichever comes first.

The new guidelines apply to all awards that generate scientific data regardless of funding mechanism. This includes:

  • Grants
  • Contracts
  • Subgrants/Subcontracts
  • Other transaction authority agreements (OTAs)

 

Data Management and Sharing (DMS) Policy FAQs

UI DMS Reference Guide

NIH Institutes and Centers guidelines and FAQs:

NIGMS recently issued a feedback loop blog post,
NCI developed guidance for their grantees,
NIA released data sharing resources for their researchers and NIA data sharing guidelines,
NIAID issued guidance for contracts under the DMS Policy,
NICHD’s Office of Data Science and Sharing compiled a list of DMS Policy resources for their staff and researchers,
NIDCR answered DMS Policy FAQs, and
NINDS provided an interpretation of the NIH Genomic Data Sharing Policy and NINDS researcher guidance.

A comprehensive list of data sharing policies from NIH Institutes and Centers can be found here.

Tools for Creating a DMS Plan

Creating Data Management Plans with DMPTool

The DMPTool is a free tool that walks users through creating comprehensive data management plans. This webinar will guide attendees through data management plan basics, creating a DMPTool profile, and exploring available templates and planning resources.

CCOM Scientific Editing and Research Communication DMS Resources

NIH sample DMS Plans

Educational Opportunities

Data Sharing Presentations from 2023 NIH Grants Conference Available

NIH Data Management and Sharing (DMS) Policy Readiness Webinar, January 17, 2023

Recording ((COGR Member Portal Log in Required))

Slide Presentation

University of Iowa NIH DMS Webinar, August 30, 2022, 1:15 – 2:00 p.m.

Webinar Slide Presentation

Webinar Recording

 

 

 NIH Scientific Data Sharing website: https://sharing.nih.gov/ (includes FAQs)
Find resources and training opportunities for NIH sharing policies. NIH will continue to post additional resources, so check back frequently.

From the link above you can access “Learning” options including resources and training opportunities for NIH sharing policies.   

Webinar recordings and slide decks

 

National Library of Medicine NIH Data Management and Sharing Requirements Webinar Series  – The recorded webinar series introduces the basics of data management and the new requirements for data management and sharing that will be in place beginning in 2023. The introduction is followed by three webinars providing “practitioner perspectives” – i.e., data librarians sharing their opportunities, barriers, methods, and successes as they work toward improving data management practices at their institutions, and a recap/Q&A session. Select “Previous Classes” from the link at the beginning of this paragraph in order to access the recorded webinars and slides.

Related Research Administration Dispatches (RAD) and NIH  Notices: 

Notice of Guidance for Data Management and Sharing Plans for the National Institute of Alcohol Abuse and Alcoholism (NIAAA)

Notice of NIAAA Data-Sharing Information for Human Subjects Grants Research Funded by the National Institute on Alcohol Abuse and Alcoholism (NIAAA) [5th Revision]

Preparing for the 2023 Data Management and Sharing Policy

12 Days of Data Management and Sharing Tips & Resources

Free Crash Course in NIH Funding: 2023 NIH Grants Conference on Feb. 1-2

FORMS-H: Instructions, Forms, and a Handy Checklist

NIMH Expectations for Data Management and Sharing Plans

NIMH Sample Data Management and Sharing Plans

NIH Notice Announcing the Expectations for the Collection of Common Data Elements for HIV-Funded Research at the National Institute of Mental Health

NIH Data Management and Sharing (DMS) Policy Implementation

Change to AHA Open Data Policy

https://new.nsf.gov/funding/data-management-plan

UI Libraries Data Management & Sharing