Skip Navigation

Data Use Agreements

Data Use Agreements (DUAs) are agreements that can restrict use or publication of data and/or impose data security measures in addition to addressing other legal issues.

What are Examples of Data that might be exchanged under a DUA?
  • records from governmental agencies or corporations
  • human subject research data
  • "limited data set" as defined by HIPAA
  • student record information
  • proprietary and confidential datasets that have commercial value
Two Types of DUAs and When They Are Used
  • Incoming DUA

    This is a DUA that you have received from another institution. The other institution requires the receiving institution to accept certain restrictions on the use of the Data before it will permit a transfer of the Data to Stony Brook University. This agreement requires a signature from someone who is authorized to legally bind Stony Brook University.

  • Outgoing DUA

    This is a DUA that would allow a transfer of Data from Stony Brook University to another institution. It is recommended that an outgoing DUA be put in place if one of the following circumstances exists:

    • Data constitutes protected health information (PHI), as defined in HIPAA, and is subject to restrictions because (i) Data is not de-identified, (ii) patient consent does not permit Data sharing, (iii) IRB-approved protocol does not permit Data sharing, and/or (iv) Data constitutes a “limited data set” as defined under HIPAA;
    • Data needs to be kept confidential because it has intellectual property implications (e.g., data would be included in a future patent application, dataset has been generated through efforts of Stony Brook University employees and has commercial value);
    • Data is subject to restrictions existing in a third party agreement including, but not limited to, a sponsored research agreement, clinical trial agreement, collaboration agreement, confidential disclosure agreement, or material transfer agreement.
When don’t I need a DUA?
  1. When data is available in the public domain.
  2. When data is exchanged that is not subject to a legal or other restriction on its use.
  3. When PHI is "de-identified" (as defined by HIPAA), its transfer is not barred by the applicable IRB-approved protocol or by associated consent PHI.
Who signs DUAs?

A DUA must be signed by someone who has the authority to sign on behalf of Stony Brook University. With the exception of Stony Brook Medicine, once a researcher receives a DUA from a data provider or plans to send out a DUA, he or she should submit the request, the DUA, along with a description of the proposed research or other activity to one of the following authorized administrative offices identified below.

For Stony Brook Medicine process and authorization, please click here.

Note that individuals are not authorized to negotiate or sign agreements on behalf of the University.  If an individual signs such an agreement on behalf of the University, the individual could be subjected to legal and financial risks. It is important, however, for the individual to read and understand the terms of a DUA to ensure individual’s ability to comply with its terms.

If there is no cost associated with generation of the Data and the Data being requested is either associated with a sponsored research project or to be used for academic research, direct your DUA request to the Office of Sponsored Programs by clicking below.
Office of Sponsored Programs

Direct all outgoing DUA requests that do not involve remuneration by clicking below.
Outgoing DUA Requests

If either incoming or outgoing Data is used for research or other purposes AND a payment is needed to secure access to the Data or if the Data will be used for purposes other than academic research, direct your DUA request to the Procurement Office by clicking below.
Procurement Office

Note: Concurrent with the Office of Sponsored Programs or Procurement Office review and negotiation process, the Information Security Officer will work with the researcher to review the security requirements of the DUA to determine whether any specific protections need to be employed to meet the requirements of the Data-Provider. 

Additional resources regarding Data Resources, Services and Policies can be accessed at services/

Beginning May 1, 2017, investigators are required to share key compliance information with the Office of Sponsored Programs whenever a federal flow through subaward is issued. If a subaward activity involves exchange of human subjects data, the Office of Sponsored Programs will work with the investigator to assess whether a Data Use Agreement will be required. Guidance on when a DUA is needed, glossary and templates can be accessed at

For a visual representation, an incoming process flowchart can be accessed here.