Download:
pdf |
pdfCENTERS FOR DISEASE CONTROL AND PREVENTION (CDC)/AGENCY FOR TOXIC
SUBSTANCES AND DISEASE REGISTRY (ATSDR)
DATA USE AGREEMENT
This data use agreement (“Agreement”) is between the following parties:
Data Provider ("Provider"):
[Enter name of the Organization Providing the Data]
Data Recipient ("Recipient"):
[Enter name of the Organization Receiving the Data]
These parties will collectively be considered the "Parties," or individually, a "Party". This
Agreement will be effective as of the latest date signed below (“Effective Date”) by the Provider
and Recipient.
PURPOSE AND BACKGROUND
This Agreement establishes the terms and conditions under which the Provider will provide, and
Recipient will receive and use, the data covered under this Agreement. This Agreement ensures
adherence to guiding principles of accountability, privacy and confidentiality, stewardship,
scientific practice, efficiency, and equity. Use and disclosure of the data must be consistent with
this Agreement and with applicable law.
The Parties agree that the Recipient will use the data being shared for the purpose(s) of:
[Purpose & Background or Executive Summary – what is the data being shared being
used to accomplish]
COVERED DATA
This section will provide information about the data being shared per this Agreement.
The Parties acknowledge that Covered Data are limited to those data specified in the Appendix A,
which identifies the complete set of data items that the Recipient will have access to under this
Agreement.
The Parties are permitted to transmit, access, receive, share and/or use any part of the Covered
Data listed below as specified in the agreed purpose and uses, as set out below:
[Enter the title of the Covered Data (Data set name or portion of the data set is being shared)]
Where CDC/ATSDR is the Recipient, the Parties acknowledge that in a public health emergency
(PHE) or if an event is significantly likely to become a PHE, as provided in 42 U.S.C. §247d,
certain data in the custody and control of CDC/ATSDR may be necessary to respond to the PHE.
1
�In that event, CDC/ATSDR may use the Covered Data, consistent with CDC/ATSDR’s authorities
under applicable federal law. CDC agrees that any such use will be on a need-to-know basis, will
be a minimum amount necessary to support a coordinated federal response, and will protect
individual privacy and confidential business or financial information to the fullest extent allowed by
federal law. CDC further agrees that it will notify Provider of the need to use the Covered Data as
soon as practicable prior to use of the data for this purpose and, where practicable and
appropriate, will work collaboratively with Provider throughout the response to ensure appropriate
coordination and access to developed analyses and reports.
AGREEMENT ADMINISTRATION
Unless otherwise designated and agreed upon by Parties, the Recipient will act as the “data
custodian” of the Covered Data once the data are transmitted. As data custodian, the Recipient is
responsible for ensuring that the Covered Data are kept secured and that access to and use of
the Covered Data is consistent with this Agreement and applicable law.
Where required, Recipient will ensure that the individuals within Recipient’s organization or
deemed authorized to access the Covered Data will receive appropriate security training and be
aware of the terms of this Agreement.
The Recipient designates the following individual as the primary Data Custodian point of contact:
[Enter the name of the person who is responsible for receiving and securing the data from the
Provider:
First Name, Last Name, Position, Address, Phone, Email]
Unless otherwise designated and agreed upon by Parties, the Provider will act as the “data
administrator” of the Covered Data being transmitted. As data administrator, the Provider is
responsible for the Covered Data being transmitted to the Recipient and/or granting appropriate
access to designated personnel for the Recipient.
To the extent allowed by law, Provider will ensure that the Covered Data may be transmitted to
Recipient’s organization consistent with the purposes set forth under this Agreement.
The Provider designates the following individual as the primary Data Administrator point of
contact:
[Enter the name of the person who is responsible for managing and sending the data to the
Recipient:
First Name, Last Name, Position, Address, Phone, Email]
Processes for Communication
All notices or any other communication provided for herein shall be provided in writing through the
following means:
2
�▪
To the above identified Data Administrator/Custodian by registered or certified mail, return
receipt requested; by receipted hand delivery; by courier or other similar and reliable
carrier.
▪
To the above identified Data Administrator/Custodian by email.
Effective Date, Term of Data Use, and Termination Date
The term of this Agreement shall be [Enter the number of years this DUA will be active] years,
commencing from the date of the final signature. The Agreement may be renewed upon mutual
written consent of the Parties.
Except as otherwise expressly provided herein, this Agreement may be amended only by the
mutual written consent of the signatory as the authorized representatives of each Party.
Amendments to this Agreement must be requested in writing through the means above and must
be signed by all Parties to be effective.
Either Party may terminate this Agreement at any time by giving thirty (30) days’ advance written
notice.
CONFIDENTIALITY, SECURITY, AND LEGAL REQUIREMENTS
The Parties will establish appropriate administrative, technical, procedural, and physical
safeguards to assure the confidentiality and security of Covered Data. The safeguards shall
provide a level and scope of security that is not less than the level and scope of security
established by applicable law for the type of data provided under this Agreement.
Recipient agrees to the following:
Confidentiality: Where Covered Data provided pursuant to this Agreement are
identifiable or potentially identifiable, Recipient agrees to maintain the confidentiality of the
Covered Data to the fullest extent required by applicable law. Recipient further agrees to
not disclose such Covered Data, including but not limited to names and other identifying
information of persons who are the subject of such Covered Data, either during the term of
this Agreement or longer, except as consistent with this Agreement or as may be allowed
or required by applicable law.
Where CDC/ATSDR is the Recipient, CDC/ATSDR will protect the privacy and
confidentiality of the Covered Data consistent, where applicable, with the following federal
laws: the Privacy Act of 1974; to the extent applicable, standards promulgated pursuant to
the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Freedom
of Information Act (FOIA). Where other more specific federal laws apply to the Covered
Data; CDC/ATSDR as Recipient will comply with those laws, as well. CDC/ATSDR will
seek to assert relevant exemptions to disclosure available under federal law, most
critically, where applicable, for personal and/or private information, the disclosure of which
would constitute an invasion of privacy; trade secret and commercial or financial
information that is private and confidential; or information exempted from release by
federal statute.
3
�Except as may be provided for in this Agreement, Recipient shall not use the information
from Covered Data to link to other data nor establish contact with the named person or
his/her family without prior written approval from the Provider.
Where required by law and/or where practicable, Recipient agrees to notify Provider
before releasing Covered Data to a third party pursuant to a judicial, governmental, or
other request under law, to allow Provider the opportunity to state any objection to the
disclosure of the Covered Data.
Security: Recipient will use all reasonable administrative, technical, and physical
measures to safeguard Covered Data once transmitted, and to protect Covered Data from
unauthorized access, disclosure, use, or modification. This includes setting permissions to
access or edit data commensurate with the level of sensitivity of the data. Should there be
a data breach and unauthorized disclosure of Covered Data, consistent with applicable
legal requirements, Recipient notify appropriate response teams and Provider of the
incident.
Transfer: Where Covered Data provided pursuant to this Agreement are identifiable or
potentially identifiable or are privileged, sensitive, or confidential, transmission of the
Covered Data from the Provider to Recipient shall be done in accordance with acceptable
practices for ensuring the protection, confidentiality, and integrity of the contents. The
Parties may coordinate to implement methods to achieve these outcomes consistent with
procedures already in place for similar data exchanges. If encrypted identifiable
information is transferred electronically through means such as the Internet, then said
transmissions will be consistent with the rules and standards promulgated by applicable
legal requirements regarding the electronic transmission of identifiable information.
Storage: Covered Data will be maintained and stored in compliance with the Recipient’s
security policies and procedures and consistent with applicable law. Where Covered Data
are identifiable or potentially identifiable or are privileged, sensitive or confidential, such
records and data shall be secured in an encrypted, password-protected electronic folder
with access restricted to project personnel for purposes as set forth in this Agreement.
Access: Where Covered Data provided pursuant to this Agreement are identifiable or
potentially identifiable or are privileged, sensitive, or confidential, Recipient and its
authorized users shall access Covered Data on secured devices only.
Recipient may provide Covered Data access to appropriate employees, contractors, and
other authorized users. Recipient agrees to establish appropriate administrative, technical,
and physical safeguards to prevent unauthorized access to the Covered Data.
Data Maintenance, Deletion or Storage Requirements after Termination
Unless explicitly stated otherwise in the Agreement, ownership of Covered Data shall
remain with the Provider. However, the Parties agree that the Covered Data provided
under this Agreement and in the custody and control of the Recipient is subject to the laws
applicable to the Recipient.
4
�Accordingly, the Recipient agrees to maintain, store, protect, archive and/or dispose of
Covered Data in accordance with applicable law. Obligations under law to maintain and
secure Covered Data will survive termination of this Agreement. At a minimum, the
Provider agrees that an archival copy of the Covered Data may be retained by Recipient to
comply with relevant records retention requirements and/or for the purposes of research
integrity and verification.
When CDC and/or ATSDR act as Recipient, as federal agencies, the disposition of
records in their custody and control is governed by the Federal Records Act and may only
be accomplished in accordance with schedules for destruction as provided under law.
APPLICABLE LEGAL AUTHORITIES
Applicable federal and/or state laws that govern the collection, use, disclosure, and maintenance
of the Covered Data may be cited as standard authorities related to the Covered Data, which
includes project-specific authorities and regulations. Parties acknowledge that CDC and ATSDR,
as federal agencies, are not subject to the application of state or local laws or regulations or the
internal policies and/or procedures of the other party, except where consistent with federal law.
This Agreement is governed by applicable federal law.
Applicability of HIPAA
As applicable to the Covered Data and the Provider, CDC/ATSDR, as Recipient, is a “public
health authority” as defined at 45 C.F.R. §164.501 and as used in 45 C.F.R. §164.512(b),
Standards for Privacy of Individually Identifiable Health Information, promulgated under the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”). CDC/ATSDR, as a public health
authority, is authorized by 45 CFR 164.512(b) to receive Protected Health Information (“PHI”).
REPORTING OF DATA USED IN PUBLICATIONS AND PRESENTATIONS
Notification
Recipient agrees to allow Provider no more than thirty (30) days to review and provide comments
for consideration on papers, reports, publications, or presentations that Recipient plans to submit
for publication or presentation. If publication needs to occur sooner than 30 days, Recipient
agrees to notify Provider, who will expedite review consistent with the need to publish. However,
notification shall not act to prevent the publication of information if there is an emergency need to
publish meaningful, real-time information for a public health response. Appropriate privacy
protections will be considered prior to any such emergency need to publish.
Attribution
Recipient agrees to factually acknowledge Provider in any paper, publication or presentation
using the covered data.
Where CDC/ATSDR is the Provider, the citation must read as follows:
“Centers for Disease Control and Prevention/Agency for Toxic Substances and Drug Registry,
[Name of data file, year(s)], as compiled from data provided through [Program/Study Name] "
5
�Representation
Recipient agrees to assume full responsibility for the analysis, interpretation of the data, and
provide a copy of the report, publication, or presentation to Provider.
Use
Where CDC/ATSDR is the Recipient, per mutual agreement between Provider and Recipient
grants full permission and a royalty-free, non-exclusive, irrevocable license to HHS, CDC/ATSDR
to use, reproduce, publish, distribute, and exhibit materials arising from this Agreement for use in
education, training, and other purposes consistent with CDC/ATSDR’s mission.
ADDITIONAL TERMS AND CONDITIONS
•
Entire Agreement: This Agreement, including any addenda related to data, specifications,
or operations incorporating this Agreement by reference, and as amended from time to
time, constitutes the entire agreement and understanding between the Parties and
supersedes all prior oral or written agreements and understandings between them with
respect to such services.
•
Assignment: No Party may assign or transfer any or all of its rights and/or obligations
under this Agreement or any part of it, nor any benefit or interest in or under it, to any third
party without the prior written consent of all Parties, which shall not be unreasonably
withheld.
•
Mutual Representations: Each party to this Agreement represents to the other
Party that, at all times during the term and at such other times as may be indicated,
it shall comply with, and as applicable, shall require its directors, officers and
employees to comply with its duties and obligations pursuant to applicable law and
this Agreement, including but not limited to duties and obligations which survive the
termination of this Agreement
•
Use of Electronic Signatures and Electronic Records: The Parties may elect to
establish processes for the use of Electronic Records in the management of and
compliance with this Agreement. This may include for the addition of published
policies, procedural information, notices, and any other documents arising from or
pertaining to this Agreement, including this Agreement itself. Any such process
must include the establishment of a mutually acceptable Electronic Signature
process, which complies with federal and state laws.
•
Disagreements: Disagreements between the Parties arising under or relating to this
Agreement will be resolved by consultation between the Parties and referral of the dispute
to appropriate management officials of the Parties whenever possible.
•
Public Document: This Agreement may be made publicly available.
6
�•
Funding: This Agreement is not an obligation or a commitment of funds, or a basis for the
transfer of funds, and does not create an obligation or commitment to transfer data, but
rather is a statement of understanding between the parties concerning the sharing and use
of covered data. Expenditures by each party are subject to its budgetary processes and to
the availability of funds and resources pursuant to applicable laws, regulations, and
policies.”
•
Provider Specific Requirements: [Enter any additional terms and conditions that an
external partner has requested in order to release data to the CDC]
DISCLAIMERS
Disclaimers for Entity Providing the Data
It should be noted that as a Federal agency, CDC/ATSDR cannot agree to indemnification
provisions. However, representations or disclaimers on the accuracy of the data may be
appropriate.
•
•
Intellectual property rights on material arising from the use of the data will be determined
by applicable federal law.
Interpretations, conclusions, and/or opinions that are reached as a result of analyses of
the data are the Recipient’s interpretations, conclusions, and/or opinions, and do not
constitute the findings, policies, or recommendations of the Provider.
The data provided and covered under this Agreement are provided on an ‘as is’ basis. Except as
expressly set forth herein, the data provider makes no representations, of any kind, either express
or implied, with respect to the data set and expressly disclaims any and all representations of any
kind with respect thereto, including any representations of data quality or fitness for a particular
purpose. Metadata documents have been reviewed for accuracy and completeness. Unless
otherwise stated, all data and related materials are considered to satisfy the quality standards
relative to the purpose for which the data were collected. However, neither the author nor any part
of the federal government can assure the reliability or suitability of the data for a particular
purpose. The act of distribution shall not constitute any such warranty, and no responsibility is
assumed for a user's application of t data or related materials.
7
�SIGNATORIES
The undersigned individuals represent that they have competent authority on behalf of their
respective agencies to enter into the obligations set out in this Agreement. Signature indicates
that an understanding of the terms of this Agreement and an agreement to comply with its terms,
to the extent allowed by law.
PROVIDER
Signature: (Blank)
Printed Name: [Enter the First and Last Name
of Signatory for the Data Provider]
Title: [Enter the official title of the Signatory]
Organization: [Enter the name of the
Organization of the Data Provider]
Date:(Blank)
RECIPIENT
Signature: (Blank)
Printed Name: [Enter the First and Last
Name of Signatory for the Data Recipient]
Title: [Enter the official title of the Signatory]
Organization: [Enter the name of the
Organization of the Data Recipient]
Date:(Blank)
8
�APPENDIX A: DATA USE AGREEMENT DEFINITIONS
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Terms used, but not otherwise defined, in this agreement shall have the same meaning as
those terms in applicable laws and regulations, unless specifically stated otherwise.
“Agreement” means this data use agreement, as amended from time to time in accordance
with the terms and conditions set forth below.
“Effective date” is the date this agreement becomes valid, either on the date specified or the
last date of signature.
“Data Provider” or “Provider” refers to the party providing the data outlined in this Agreement.
“Data Recipient” or “Recipient” refers to the party receiving the data outlined in this
Agreement.
“Data administrator” is the data provider’s individual who is responsible for the data and
granting appropriate access to agreement parties.
“Data custodian” is the individual from a recipient agreement party responsible for the
maintenance and protection of the data for their party.
“Covered Data” shall mean the data provided to the Recipient by the Provider and any
associated records, reports, copies, or databases.
“Limited data set (LDS)”, to the extent the term is used to define data elements being shared,
is consistent with the term as defined in the Privacy Rule at 45 CFR Section 164.514(e).
"Applicable law" means all laws, statutes and regulations promulgated by all regulatory
authorities and all governmental authorities.
“Project” refers to the specific research or analysis outlined in the purpose section of this
agreement.
“Results” means all normalized data and results generated in the performance of the Project.
“Required by law” means as applicable federal laws require.
“Protected health information (PHI)” is information is considered to be individually identifiable
information relating to the past, present, or future health status of an individual that is created,
collected, or transmitted, or maintained by a HIPAA-covered entity in relation to the provision
of healthcare, payment for healthcare services, or use in healthcare operations.
“Personally identifiable information (PII)” is any information about an individual maintained by
an agency, including (1) any information that can be used to distinguish or trace an
individual‘s identity, such as name, social security number, date and place of birth, mother‘s
maiden name, or biometric records; and (2) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and employment information.
“Agreement party” / “parties” or “signatory” refers to the representative for both the data
provider and data recipient with the authority to sign this agreement into place.
“Completed work” refers to any draft or final product of analysis, research, or project findings
gleaned from the covered data set.
9
�LIST OF SUPPORTING DOCUMENTS
1. Enter the title of additional documents that will be attached to this DUA
10
�| File Type | application/pdf |
| File Modified | 2021-11-18 |
| File Created | 2021-11-18 |