Data Use Agreement Template

AttF_Data Use Agreement Template_01042022.pdf

Evaluating the Association between Serum Concentrations of Per- and Polyfluoroalkyl Substances (PFAS) and Symptoms and Diagnoses of Selected Acute Viral Illnesses

Data Use Agreement Template

OMB:

Document [pdf]
Download: pdf | pdf
CENTERS FOR DISEASE CONTROL AND PREVENTION (CDC)/AGENCY FOR TOXIC
SUBSTANCES AND DISEASE REGISTRY (ATSDR)
DATA USE AGREEMENT

This data use agreement (“Agreement”) is between the following parties:
Data Provider ("Provider"):
[Step 2: Add New Agreement Party (Provider)]
Data Recipient ("Recipient"):
[Step 2: Add New Agreement Party (Recipient)]
These parties will collectively be considered the "Parties," or individually, a "Party". This
Agreement will be effective as of the latest date signed below (“Effective Date”) by the Provider
and Recipient.
PURPOSE AND BACKGROUND
This Agreement establishes the terms and conditions under which the Provider will provide, and
Recipient will receive and use, the data covered under this Agreement. This Agreement ensures
adherence to guiding principles of accountability, privacy and confidentiality, stewardship,
scientific practice, efficiency, and equity. Use and disclosure of the data must be consistent with
this Agreement and with applicable law.
The Parties agree that the Recipient will use the data being shared for the purpose(s) of:

[Step 1: Basic DUA Information- Purpose & Background]
COVERED DATA
This section will provide information about the data being shared per this Agreement.
The Parties acknowledge that Covered Data are limited to those data specified in the
Attachment A, which identifies the complete set of data items that the Recipient will have access
to under this Agreement.
The Parties are permitted to transmit, access, receive, share and/or use any part of the Covered
Data listed below as specified in the agreed purpose and uses, as set out below:
[Step 4: Covered Data – Dataset Title]
Where CDC/ATSDR is the Recipient, the Parties acknowledge that in a public health
emergency (PHE) or if an event is significantly likely to become a PHE, as provided in 42 U.S.C.
§247b, certain data in the custody and control of CDC/ATSDR may be necessary to respond to
the PHE. In that event, CDC/ATSDR may use the Covered Data, consistent with CDC/ATSDR’s

authorities under applicable federal law. CDC agrees that any such use will be on a need-toknow basis, will be a minimum amount necessary to support a coordinated federal response,
and will protect individual privacy and confidential business or financial information to the fullest
extent allowed by federal law. CDC further agrees that it will notify Provider of the need to use
the Covered Data as soon as practicable prior to use of the data for this purpose and, where
practicable and appropriate, will work collaboratively with Provider throughout the response to
ensure appropriate coordination and access to developed analyses and reports.
AGREEMENT ADMINISTRATION
Unless otherwise designated and agreed upon by Parties, the Recipient will act as the “data
custodian” of the Covered Data once the data are transmitted. As data custodian, the Recipient
is responsible for ensuring that the Covered Data are kept secured and that access to and use
of the Covered Data is consistent with this Agreement and applicable law.
Where required, Recipient will ensure that the individuals within Recipient’s organization or
deemed authorized to access the Covered Data will receive appropriate security training and be
aware of the terms of this Agreement.
The Recipient designates the following individual as the primary Data Custodian point of
contact:
[Step 3: Add DUA Contact – (Data Recipient) First Name, Last Name, Position, Address,
Phone, Email]
Unless otherwise designated and agreed upon by Parties, the Provider will act as the “data
administrator” of the Covered Data being transmitted. As data administrator, the Provider is
responsible for the Covered Data being transmitted to the Recipient and/or granting appropriate
access to designated personnel for the Recipient.
To the extent allowed by law, Provider will ensure that the Covered Data may be transmitted to
Recipient’s organization consistent with the purposes set forth under this Agreement.
The Provider designates the following individual as the primary Data Administrator point of
contact:
[Step 3: Add DUA Contact (Data Provider)– First Name, Last Name, Position, Address, Phone,
Email]
Processes for Communication
All notices or any other communication provided for herein shall be provided in writing through
the following means:


To the above identified Data Administrator/Custodian by registered or certified mail,
return receipt requested; by receipted hand delivery; by courier or other similar and
reliable carrier.



To the above identified Data Administrator/Custodian by email.

Effective Date, Term of Data Use, and Termination Date
The term of this Agreement shall be three (3) [Step 1: Basic DUA Information – Duration] years,
commencing from the date of the final signature. The Agreement may be renewed upon mutual
written consent of the Parties.
Except as otherwise expressly provided herein, this Agreement may be amended only by the
mutual written consent of the signatory as the authorized representatives of each Party.
Amendments to this Agreement must be requested in writing through the means above and
must be signed by all Parties to be effective.
Either Party may terminate this Agreement at any time by giving thirty (30) days’ advance
written notice.
CONFIDENTIALITY, SECURITY, AND LEGAL REQUIREMENTS
The Parties will establish appropriate administrative, technical, procedural, and physical
safeguards to assure the confidentiality and security of Covered Data. The safeguards shall
provide a level and scope of security that is not less than the level and scope of security
established by applicable law for the type of data provided under this Agreement.
Recipient agrees to the following:
Confidentiality: Where Covered Data provided pursuant to this Agreement are
identifiable or potentially identifiable, Recipient agrees to maintain the confidentiality of
the Covered Data to the fullest extent required by applicable law. Recipient further
agrees to not disclose such Covered Data, including but not limited to names and other
identifying information of persons who are the subject of such Covered Data, either
during the term of this Agreement or longer, except as consistent with this Agreement or
as may be allowed or required by applicable law.
Where CDC/ATSDR is the Recipient, CDC/ATSDR will protect the privacy and
confidentiality of the Covered Data consistent, where applicable, with the following
federal laws: the Privacy Act of 1974; to the extent applicable, standards promulgated
pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and
the Freedom of Information Act (FOIA). Where other more specific federal laws apply to
the Covered Data; CDC/ATSDR as Recipient will comply with those laws, as well.
CDC/ATSDR will seek to assert relevant exemptions to disclosure available under
federal law, most critically, where applicable, for personal and/or private information, the
disclosure of which would constitute an invasion of privacy; trade secret and commercial
or financial information that is private and confidential; or information exempted from
release by federal statute.
Except as may be provided for in this Agreement, Recipient shall not use the information
from Covered Data to link to other data nor establish contact with the named person or
his/her family without prior written approval from the Provider.

Where required by law and/or where practicable, Recipient agrees to notify Provider
before releasing Covered Data to a third party pursuant to a judicial, governmental, or
other request under law, to allow Provider the opportunity to state any objection to the
disclosure of the Covered Data.
Security: Recipient will use all reasonable administrative, technical, and physical
measures to safeguard Covered Data once transmitted, and to protect Covered Data
from unauthorized access, disclosure, use, or modification. This includes setting
permissions to access or edit data commensurate with the level of sensitivity of the data.
Should there be a data breach and unauthorized disclosure of Covered Data, consistent
with applicable legal requirements, Recipient notify appropriate response teams and
Provider of the incident
Transfer: Where Covered Data provided pursuant to this Agreement are identifiable or
potentially identifiable or are privileged, sensitive, or confidential, transmission of the
Covered Data from the Provider to Recipient shall be done in accordance with
acceptable practices for ensuring the protection, confidentiality, and integrity of the
contents. The Parties may coordinate to implement methods to achieve these outcomes
consistent with procedures already in place for similar data exchanges. If encrypted
identifiable information is transferred electronically through means such as the Internet,
then said transmissions will be consistent with the rules and standards promulgated by
applicable legal requirements regarding the electronic transmission of identifiable
information.
Storage: Covered Data will be maintained and stored in compliance with the
Recipient’s security policies and procedures and consistent with applicable law. Where
Covered Data are identifiable or potentially identifiable or are privileged, sensitive or
confidential, such records and data shall be secured in an encrypted, passwordprotected electronic folder with access restricted to project personnel for purposes as set
forth in this Agreement.
Access: Where Covered Data provided pursuant to this Agreement are identifiable or
potentially identifiable or are privileged, sensitive, or confidential, Recipient and its
authorized users shall access Covered Data on secured devices only.
Recipient may provide Covered Data access to appropriate employees, contractors, and
other authorized users. Recipient agrees to establish appropriate administrative,
technical, and physical safeguards to prevent unauthorized access to the Covered Data.
Data Maintenance, Deletion or Storage Requirements after Termination
Unless explicitly stated otherwise in the Agreement, ownership of Covered Data shall
remain with the Provider. However, the Parties agree that the Covered Data provided
under this Agreement and in the custody and control of the Recipient is subject to the
laws applicable to the Recipient.
Accordingly, the Recipient agrees to maintain, store, protect, archive and/or dispose of
Covered Data in accordance with applicable law. Obligations under law to maintain and
secure Covered Data will survive termination of this Agreement. At a minimum, the

Provider agrees that an archival copy of the Covered Data may be retained by Recipient
to comply with relevant records retention requirements and/or for the purposes of
research integrity and verification.
When CDC and/or ATSDR act as Recipient, as federal agencies, the disposition of
records in their custody and control is governed by the Federal Records Act and may
only be accomplished in accordance with schedules for destruction as provided under
law.

APPLICABLE LEGAL AUTHORITIES
Applicable federal and/or state laws that govern the collection, use, disclosure, and
maintenance of the Covered Data may be cited as standard authorities related to the Covered
Data, which includes project-specific authorities and regulations. Parties acknowledge that CDC
and ATSDR, as federal agencies, are not subject to the application of state or local laws or
regulations or the internal policies and/or procedures of the other party, except where consistent
with federal law.
This Agreement is governed by applicable federal law.
Applicability of HIPAA
As applicable to the Covered Data and the Provider, CDC/ATSDR, as Recipient, is a “public
health authority” as defined at 45 C.F.R. §164.501 and as used in 45 C.F.R. §164.512(b),
Standards for Privacy of Individually Identifiable Health Information, promulgated under the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). CDC/ATSDR, as a public
health authority, is authorized by 45 CFR 164.512(b) to receive Protected Health Information
(“PHI”).
REPORTING OF DATA USED IN PUBLICATIONS AND PRESENTATIONS
Notification
Recipient agrees to allow Provider no more than thirty (30) days to review and provide comments for
consideration on papers, reports, publications, or presentations that Recipient plans to submit for
publication or presentation. If publication needs to occur sooner than 30 days, Recipient agrees to notify
Provider, who will expedite review consistent with the need to publish. However, notification shall not act
to prevent the publication of information if there is an emergency need to publish meaningful, real-time
information for a public health response. Appropriate privacy protections will be considered prior to any
such emergency need to publish.

Attribution
Recipient agrees to factually acknowledge Provider in any paper, publication or presentation
using the covered data.
Where CDC/ATSDR is the Provider, the citation must read as follows:
“Centers for Disease Control and Prevention/Agency for Toxic Substances and Drug Registry,
[Name of data file, year(s)], as compiled from data provided through [Program/Study Name] "

Representation
Recipient agrees to assume full responsibility for the analysis, interpretation of the data, and
provide a copy of the report, publication or presentation to Provider.
Use
Where CDC/ATSDR is the Recipient, per mutual agreement between Provider and Recipient
grants full permission and a royalty-free, non-exclusive, irrevocable license to HHS,
CDC/ATSDR to use, reproduce, publish, distribute, and exhibit materials arising from this
Agreement for use in education, training, and other purposes consistent with CDC/ATSDR’s
mission.
Disclaimer
Covered Data provided under this Agreement are provided on an ‘as is’ basis. Except as
expressly set forth herein, Provider makes no representations, of any kind, either express or
implied, with respect to the data set and expressly disclaims any and all representations of any
kind with respect thereto, including any representations of data quality or fitness for a particular
purpose. Intellectual property rights on material arising from the use of the data will be
determined by applicable federal law. In addition, interpretations, conclusions, and/or opinions
that are reached as a result of analyses of the data are the Recipient’s interpretations,
conclusions, and/or opinions, and do not constitute the findings, policies, or recommendations of
the Provider.

ADDITIONAL TERMS AND CONDITIONS
•

Entire Agreement: This Agreement, including any addenda related to data,
specifications, or operations incorporating this Agreement by reference, and as
amended from time to time, constitutes the entire agreement and understanding
between the Parties and supersedes all prior oral or written agreements and
understandings between them with respect to such services.

•

Assignment: No Party may assign or transfer any or all of its rights and/or obligations
under this Agreement or any part of it, nor any benefit or interest in or under it, to any
third party without the prior written consent of all Parties, which shall not be
unreasonably withheld.

•

Mutual Representations: Each party to this Agreement represents to the other
Party that, at all times during the term and at such other times as may be
indicated, it shall comply with, and as applicable, shall require its directors,
officers and employees to comply with its duties and obligations pursuant to
applicable law and this Agreement, including but not limited to duties and
obligations which survive the termination of this Agreement

•

Use of Electronic Signatures and Electronic Records: The Parties may elect to
establish processes for the use of Electronic Records in the management of and
compliance with this Agreement. This may include for the addition of published
policies, procedural information, notices, and any other documents arising from
or pertaining to this Agreement, including this Agreement itself. Any such
process must include the establishment of a mutually acceptable Electronic
Signature process, which complies with federal and state laws.

•

Disagreements: Disagreements between the Parties arising under or relating to this
Agreement will be resolved by consultation between the Parties and referral of the
dispute to appropriate management officials of the Parties whenever possible.

•

Public Document: This Agreement may be made publicly available.

•

Funding: This Agreement is not an obligation or a commitment of funds, or a basis for
the transfer of funds, and does not create an obligation or commitment to transfer data,
but rather is a statement of understanding between the parties concerning the sharing
and use of covered data. Expenditures by each party are subject to its budgetary
processes and to the availability of funds and resources pursuant to applicable laws,
regulations, and policies.”

•

Partner Specific Requirements: [Step 1: Basic DUA Information – Partner Specific

Requirement]

---------- PAGE BREAK-------------

SIGNATORIES
The undersigned individuals represent that they have competent authority on behalf of their
respective agencies to enter into the obligations set out in this Agreement. Signature indicates
that an understanding of the terms of this Agreement and an agreement to comply with its
terms, to the extent allowed by law.

PROVIDER
Signature: (Blank)
Printed Name: [Step 3: Add DUA Contact
(Provider)- First Name Last Name]
Title:
[Step 3: Add DUA Contact (Provider) – Signature
Title]
Organization: [Step 2: Add Agreement Party
(Provider)– Agreement Party)]
Date:(Blank)

RECIPIENT
Signature:(Blank)
Printed Name: [Step 3: Add DUA Contact (Recipient)
-CDC staff member]
Title: [Step 3: Add DUA Contact (Recipient)Signature Title]
Organization: [Step 2: Add Agreement Party
(Recipient)– Agreement Party)]
Date:(Blank)

APPENDIX A: DATA USE AGREEMENT DEFINITIONS
•
•
•
•
•
•
•
•

•

•
•
•
•
•

•

•

•

Terms used, but not otherwise defined, in this agreement shall have the same meaning as
those terms in applicable laws and regulations, unless specifically stated otherwise.
“Agreement” means this data use agreement, as amended from time to time in accordance
with the terms and conditions set forth below.
“Effective date” is the date this agreement becomes valid, either on the date specified or the
last date of signature.
“Data Provider” or “Provider” refers to the party providing the data outlined in this
Agreement.
“Data Recipient” or “Recipient” refers to the party receiving the data outlined in this
Agreement.
“Data administrator” is the data provider’s individual who is responsible for the data and
granting appropriate access to agreement parties.
“Data custodian” is the individual from a recipient agreement party responsible for the
maintenance and protection of the data for their party.
“Covered Data” shall mean the data provided to the Recipient by the Provider and any
associated records, reports, copies, or databases.
“Limited data set (LDS)”, to the extent the term is used to define data elements being
shared, is consistent with the term as defined in the Privacy Rule at 45 CFR Section
164.514(e).
"Applicable law" means all laws, statutes and regulations promulgated by all regulatory
authorities and all governmental authorities.
“Project” refers to the specific research or analysis outlined in the purpose section of this
agreement.
“Results” means all normalized data and results generated in the performance of the
Project.
“Required by law” means as applicable federal laws require.
“Protected health information (PHI)” is information is considered to be individually
identifiable information relating to the past, present, or future health status of an individual
that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in relation
to the provision of healthcare, payment for healthcare services, or use in healthcare
operations.
“Personally identifiable information (PII)” is any information about an individual maintained
by an agency, including (1) any information that can be used to distinguish or trace an
individual‘s identity, such as name, social security number, date and place of birth, mother‘s
maiden name, or biometric records; and (2) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and employment information.
“Agreement party” / “parties” or “signatory” refers to the representative for both the data
provider and data recipient with the authority to sign this agreement into place.
“Completed work” refers to any draft or final product of analysis, research, or project findings
gleaned from the covered data set.

LIST OF SUPPORTING DOCUMENTS

1. Supporting File 1 [Step 5: Add New File – File Name(custom)]
2. Supporting File 2 [Step 5: Add New File – File Name(custom)]


File Typeapplication/pdf
AuthorBarnes, Jamie J. (CDC/DDPHSS/OS/OSQ) (CTR)
File Modified2022-01-04
File Created2020-11-28

© 2024 OMB.report | Privacy Policy