Skip to Main Content

Guide for Data Use Agreements

Purpose of this guide is to help researchers navigate requirements to acquire data

Data Use Agreements and Data Protection Plans

sample office technology showing a computer and several laptopsData use agreements (DUAs) are legally binding contracts between data providers, users, and their institution that detail how data must be transferred, used, and disposed of.

Data Security/Protection plan is a separate, supporting document that usually must be submitted in addition to the DUA (plus any other supporting documents, such as IRB approval, research proposal, researcher CV, etc).  They include requirements for how the users' technology must be configured and how their work spaces must be regulated.  Before you apply to work with data from a provider, it is vitally important to work closely with IT services within your local department or college to determine if these requirements can be met and are consistent with University policy.

Why do you need help?

Applying to work with data from a provider

  • Providing necessary technical language and documentation for the application is vital
  • Adding and including the right people in the contract for the life cycle of the project is important
Ensuring compliance with a provider's DUA
  • Technology requirements can be highly technical
  • Space requirements may conflict with departmental policies 
Working with data from a provider
  • Your application to your data provider will need to be resubmitted and the compliance of your technology and work space will need to be verified...
  • if your work space changes
  • if your provider's DUA requirements change during the project

Examples of DUA Requirements

Requirements for Data Use Agreements will vary with providers.  These are just some samples of requirements that come from the examples cited below.
  • Data stored in password-protected, encrypted form
  • Access to analytical software in a secure environment.
  • Destroying and cleaning the data from technology after the project


  • Removable devices holding the data (CDs, diskettes, zip drive disks, etc.) stored in a locked compartment or room when not in use
  • Physical environment in which computer is kept (e.g., in room with public access, in room locked when not in use by research staff);
Example DUA's

Secure Data Enclaves

Secure Data Enclaves are spaces that have been constructed specifically for restricted data research.  Often they are constructed around the requirements of a specific set of data, because there are simply no standards.  
As a member of ICPSR, researchers can apply for access to a physical data enclaves for certain data sets on-site at the University of Michigan.  Researchers can also apply for access to the Federal Statistical Research Data Centers (FSRDC) located in various sites around the country and within the University Libraries at Penn State.  

The Population Research Institute has data enclaves available for it affiliated faculty.  However there is no centralized facility currently for unaffiliated researcher at Penn State. 

Virtual Data Enclave

Data providers are experimenting with virtual machine technology that will allow a researcher access to a virtual private network on a machine.  However, this still makes it necessary to make sure a secure environment exist to use the data.