When you need a data use agreement for research, what it should cover, and how DUAs intersect with PDPA and other data protection frameworks.

Data Use Agreements in Research: Requirements and Compliance

Team Pactly · Contract Management · 10 min read

A data use agreement (DUA) is a legal agreement that governs how data can be accessed, used, and shared for research purposes. It defines who may use the data, for what purpose, under what conditions, and what happens to the data when the research concludes.

As research becomes more data-intensive and cross-border, DUAs are a core part of responsible data governance. Whether you are a principal investigator receiving a restricted dataset, a data protection officer reviewing an incoming agreement, or an Office of Sponsored Programmes (OSP) managing hundreds of active research contracts, getting the DUA right matters.

This guide covers when you need a DUA, what it should include, how major data protection frameworks apply, and how to manage DUAs effectively at scale.

When Do You Need a DUA?

Not every data exchange requires a formal agreement. A DUA becomes necessary when the data carries restrictions on access, use, or disclosure, particularly when personal data or sensitive research data is involved.

Common scenarios that require a DUA include:

  • Receiving or sharing datasets containing personal data such as health records, survey responses, behavioural data, or any information that can identify a living individual directly or indirectly.
  • Accessing restricted government or institutional databases where the data custodian mandates formal use agreements before granting access.
  • Sharing data across institutions for collaborative research, even when each party has its own ethical approvals. A DUA ensures alignment on permitted use, security, and publication rights.
  • When a funding body requires formal data governance as a condition of the grant. Many public funders now mandate data management plans and DUAs for projects involving human subjects data.
  • Receiving de-identified data that could be re-identified through linkage with other datasets. If there is any reasonable re-identification risk, a DUA should address it explicitly.

When You Do Not Need One

A DUA is generally not required when:

  • The dataset is publicly available with no access restrictions or use limitations.
  • The data is fully anonymized with no reasonable prospect of re-identification, meaning no direct identifiers, no indirect identifiers that could be linked, and no key file connecting the data to individuals.

If you are unsure, err on the side of putting a DUA in place. The administrative effort of negotiating a simple agreement is far less than the institutional risk of a data misuse finding.
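To make the "no indirect identifiers that could be linked" test concrete, here is an added example (not from the original article) that measures a dataset's k-anonymity over its quasi-identifiers and applies the two standard mitigations, generalisation and suppression. The records, column names and the k threshold of 5 are constructed assumptions, not a real dataset or a regulatory threshold.

```python
"""Re-identification risk check for a 'de-identified' dataset (added example).

Direct identifiers (names, NRIC/passport numbers) are gone, but combinations of
indirect attributes can still single people out when linked with another dataset.
k-anonymity measures that: every combination of quasi-identifier values must be
shared by at least k records. Records, column names and the threshold below are
constructed assumptions for illustration, not a real dataset.
"""
from collections import Counter

# Constructed sample: a survey extract with names and ID numbers already removed.
SAMPLE_RECORDS = [
    {"postal_district": "09", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postal_district": "09", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"postal_district": "09", "birth_year": 1984, "sex": "F", "diagnosis": "none"},
    {"postal_district": "10", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
    {"postal_district": "10", "birth_year": 1990, "sex": "M", "diagnosis": "none"},
    {"postal_district": "23", "birth_year": 1952, "sex": "M", "diagnosis": "cancer"},
]

# Attributes that are not identifiers on their own but are linkable in combination.
QUASI_IDENTIFIERS = ("postal_district", "birth_year", "sex")


def equivalence_classes(records, quasi_identifiers):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """The dataset's k: size of its smallest equivalence class (0 for an empty set)."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(classes.values()) if classes else 0


def singletons(records, quasi_identifiers):
    """Quasi-identifier combinations that pin down exactly one person."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [combo for combo, n in classes.items() if n == 1]


def generalise_birth_year(records, width=10):
    """Mitigation 1, generalisation: replace the exact birth year with a decade band."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = f"{r['birth_year'] - r['birth_year'] % width}s"
        out.append(g)
    return out


def suppress_below_k(records, quasi_identifiers, k):
    """Mitigation 2, suppression: drop records whose equivalence class is smaller than k."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records
            if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


def needs_dua(records, quasi_identifiers, k_threshold=5):
    """Decision helper: below the threshold the data is de-identified, not anonymised."""
    return k_anonymity(records, quasi_identifiers) < k_threshold


if __name__ == "__main__":
    print("k =", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    print("unique combinations:", singletons(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    banded = generalise_birth_year(SAMPLE_RECORDS)
    print("k after banding birth year:", k_anonymity(banded, QUASI_IDENTIFIERS))
    released = suppress_below_k(banded, QUASI_IDENTIFIERS, 2)
    print("k after suppressing small classes:", k_anonymity(released, QUASI_IDENTIFIERS))
    print("DUA still required at k>=5:", needs_dua(released, QUASI_IDENTIFIERS))
```

A k of 1 means at least one respondent is uniquely described by postal district, birth year and sex, so the extract is de-identified rather than anonymised, and a DUA with a re-identification prohibition is the right instrument. Note that banding the birth year alone does not rescue the unique record in this sample; suppression does, at the cost of dropping it, and the released subset still falls short of a k of 5.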

DUA vs Other Research Agreements

Research offices manage several types of agreements that can overlap with DUAs. Understanding where each one applies prevents duplication and ensures nothing falls through the gaps.

Agreement | When to use
Data Use Agreement (DUA) | Sharing datasets with restrictions on access, use, or disclosure
Non-Disclosure Agreement (NDA) | Protecting confidential information in discussions or evaluations; does not specifically govern data access for research
Material Transfer Agreement (MTA) | Transferring tangible research materials (biological samples, chemical compounds, physical media) between institutions
Research Collaboration Agreement (RCA) | Governing a joint research project; a DUA may be incorporated as a component or schedule
Data Processing Agreement (DPA) | When a third party processes personal data on your behalf; required by GDPR Article 28 and increasingly expected under other frameworks

In many multi-institution research projects, a DUA will sit alongside or within a broader RCA. The key distinction is that the DUA is specifically about data (its permitted use, security requirements, and lifecycle), while the RCA covers the broader collaboration terms including IP, publication rights, and funding allocation.

Key DUA Clauses

A well-drafted DUA should address the following areas. If your Research Office processes DUAs regularly, consider building these as standard modules in your contract clause library.

Permitted purposes and scope of use. Define precisely what the data recipient is allowed to do with the data. Avoid broad language like “for research purposes.” Instead, specify the research project, the approved analyses, and any restrictions on secondary use. If the data may only be used for a specific study protocol, say so.

Data security requirements. Specify minimum security standards: encryption at rest and in transit, access controls, multi-factor authentication, secure storage environments, and incident response procedures. Reference recognized frameworks (ISO 27001, NIST) where possible. Many data custodians will require completion of a security questionnaire before granting access.

Re-identification prohibition. Explicitly prohibit any attempt to re-identify individuals from de-identified or limited datasets. This clause is a standard expectation across data protection frameworks. Include a requirement to notify the data provider immediately if re-identification occurs inadvertently.

Sub-sharing restrictions. Restrict or prohibit the recipient from sharing the data with third parties, including collaborators, sub-contractors, or students, without prior written consent. If sub-sharing is permitted, require equivalent DUA protections to flow down to any downstream recipient.

Data retention and destruction requirements. Specify how long the data may be retained, whether retention of a de-identified version is permitted after the study concludes, and the method of destruction (certified deletion, secure disposal of physical media). Include a certification requirement: the recipient should confirm in writing that data has been destroyed.

Breach notification obligations. Require the data recipient to notify the data provider within a fixed timeframe (typically 24-72 hours) of discovering a suspected breach or unauthorized access, and to cooperate in any investigation or regulatory notification.

Audit rights. Reserve the data provider’s right to audit the recipient’s compliance with the agreement, including their security arrangements, access logs, and data handling practices.

Return or destruction upon termination. Specify that upon expiry or termination of the agreement, all data (including copies, derivatives, and backups) must be returned or securely destroyed. Define what “derivatives” means in context. Does it include aggregate statistics or only individual-level data?

Publication provisions. Address whether research results can be published, whether the data provider has a right to review manuscripts before submission, and whether underlying data may be deposited in public repositories. For sensitive datasets, publication restrictions may include prohibiting the release of any data that could enable re-identification.

Data Protection Frameworks and DUAs

Research data does not stay within jurisdictional boundaries. A clinical dataset from Singapore may be analysed by a collaborator in Kuala Lumpur and linked with registry data from an institution in Europe. Each jurisdiction brings its own data protection requirements, and your DUA needs to account for all of them.

PDPA (Singapore)

Singapore’s Personal Data Protection Act applies whenever personal data is collected, used, or disclosed by an organization in Singapore. The PDPA does include a research exception, but it is narrower than many Research Offices assume. Broadly, the research purpose must not be reasonably achievable without the data in individually identifiable form, there must be a clear public benefit, the results must not be used to make decisions that affect the individuals concerned, and published results must not identify them; for disclosure without consent, it must also be impracticable to obtain consent. Document how each condition is met before relying on the exception rather than on consent.

For cross-border data transfers, the PDPA’s transfer limitation obligation requires the transferring organization to ensure the overseas recipient is bound by legally enforceable obligations (typically a contract, or binding corporate rules within a corporate group) to provide a standard of protection comparable to the PDPA. In practice, this means your DUA needs to bind the overseas recipient to data protection obligations that mirror the PDPA, and the signed DUA is your evidence that the safeguard was in place.

Other ASEAN Frameworks

Research collaborations within ASEAN frequently touch multiple data protection regimes. Malaysia’s Personal Data Protection Act 2010 (amended in 2024), Thailand’s Personal Data Protection Act 2019, the Philippines’ Data Privacy Act 2012, and Indonesia’s Personal Data Protection Law 2022 each impose their own requirements on the cross-border transfer, consent, and protection of personal data.

While the specifics vary, the common themes are clear: lawful basis for processing, purpose limitation, security safeguards, breach notification, and cross-border transfer controls. A DUA covering a multi-country ASEAN research project should address each of these areas in a way that satisfies the most stringent applicable regime.

GDPR (EU)

The General Data Protection Regulation applies to processing of personal data by organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. For research, the GDPR recognizes several lawful bases, including consent, public task, and legitimate interests, with additional conditions under Article 9 for special category data such as health data. Article 89 provides safeguards for research use and allows derogations from certain data subject rights where those rights would render impossible or seriously impair the research objectives.

Cross-border transfers out of the EEA require a valid transfer mechanism, typically the European Commission’s Standard Contractual Clauses (SCCs) incorporated into or annexed to the DUA, together with a transfer impact assessment of the destination country’s laws. Singapore is not covered by an EU adequacy decision, so contractual safeguards are essential for any Singapore-EU research collaboration.

Framework Comparison for Research Data

Area | PDPA (Singapore) | GDPR (EU)
Research exemption | Yes: clear public benefit, consent impracticable (for disclosure), results not used to make decisions about or to identify individuals | Yes (Article 89): appropriate safeguards required, with derogations from certain data subject rights
DUA specifically required | Not mandated by statute, but best practice | Not mandated by name, but a DPA (Article 28) or data sharing agreement is expected
Cross-border transfers | Recipient must be bound by legally enforceable obligations giving comparable protection, typically by contract | Adequacy decision, SCCs, or BCRs required, plus a transfer impact assessment
De-identification standard | Not defined in statute; PDPC anonymisation guidance | Pseudonymised data remains personal data; fully anonymised data is outside scope
Breach notification | PDPC within 3 calendar days of assessing the breach to be notifiable | Supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk

If your research involves collaborators in the United States, you may also need to address HIPAA requirements for protected health information. HIPAA specifically requires a DUA before a covered entity can share a limited data set (one that retains dates and some geographic detail), and it defines two de-identification standards, Safe Harbor and Expert Determination; only data that meets one of them falls outside HIPAA’s scope.

The critical point for multi-jurisdictional collaborations: when your research spans multiple frameworks, your DUA must comply with all applicable regimes simultaneously. The most practical approach is to draft to the highest common standard and layer in jurisdiction-specific additions as needed.

Managing DUAs at Scale

For Research Offices handling dozens or hundreds of active DUAs, ad hoc management quickly becomes unsustainable. A single spreadsheet cannot reliably track which datasets you hold, where they came from, what restrictions apply, and when they need to be destroyed.

Track all DUAs centrally. Every active DUA should be recorded in a central system with key metadata: the data provider, the dataset description, permitted uses, security requirements, expiry dates, and destruction obligations. You need to be able to answer the question “what data do we hold and under what terms?” at any point.

Set renewal reminders. Many DUAs have fixed terms, whether one year, three years, or aligned with the research project timeline. If a DUA expires before the project concludes, you lose the legal basis to continue using the data. Automated reminders tied to expiry dates ensure renewals are initiated in time.

Monitor compliance obligations. DUAs create ongoing obligations: data destruction deadlines, annual reporting requirements, breach notification commitments, audit cooperation. These obligations need to be tracked and assigned to responsible individuals within your institution.

Use playbooks for standard DUA provisions. If your Research Office negotiates DUAs regularly, build standard positions into your review playbooks. Define your preferred clauses for security, retention, re-identification, and publication rights. This reduces negotiation time, improves consistency, and ensures nothing is missed.

Build data protection clauses into your clause library. Standard PDPA and GDPR-aligned data protection clauses should be pre-approved and available for contract managers to pull into new agreements. This is far more efficient and reliable than drafting from scratch each time. If you have not yet set up a clause library, the process described in our guide on building a university contract clause library applies directly to DUA provisions.

Centralize your contract portfolio. When DUAs sit alongside RCAs, MTAs, and other research agreements for the same project, being able to view all related agreements in one place prevents gaps and conflicts. A contract lifecycle management platform designed for this purpose makes cross-referencing straightforward.
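An added example (not from the original article or from Pactly’s product) of the minimal register and checks described above, in Python: which agreements need renewal, which have expired so use must stop, and which destruction certifications are overdue. Field names, the sample agreements, the dates and the 90-day renewal lead time are constructed assumptions.

```python
"""DUA obligations register (added example).

A minimal central record of active agreements and the checks a Research Office
runs on it: renewals coming due, agreements that have expired so use must stop,
and destruction certificates that are overdue. Field names, the sample agreements
and the 90-day renewal lead time are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DuaRecord:
    dua_id: str
    provider: str
    dataset: str
    permitted_use: str
    expiry: date
    destruction_grace_days: int = 0      # days after expiry allowed to destroy/return
    destruction_certified: bool = False  # written certification received from recipient
    sub_sharing_allowed: bool = False


# Constructed sample register (fictitious providers, datasets and dates).
SAMPLE_REGISTER = [
    DuaRecord("DUA-001", "Ministry registry", "Cancer registry extract 2015-2020",
              "Protocol RX-14 survival analysis only", date(2025, 3, 31), 30),
    DuaRecord("DUA-002", "Partner hospital", "De-identified ICU vitals",
              "Sepsis prediction model, no linkage", date(2025, 8, 1), 30),
    DuaRecord("DUA-003", "Survey consortium", "Household survey wave 3",
              "Aggregate reporting only", date(2026, 12, 31), 0),
    DuaRecord("DUA-004", "Cohort study office", "Genotype panel (subset)",
              "GWAS for protocol G-7", date(2025, 5, 31), 60),
    DuaRecord("DUA-005", "Municipal data office", "Transport survey 2019",
              "Mobility modelling", date(2024, 12, 31), 30, destruction_certified=True),
]

RENEWAL_LEAD = timedelta(days=90)   # assumed lead time for starting a renewal
AS_OF = date(2025, 6, 15)           # assumed "today" for the worked run


def obligations(register, today, lead=RENEWAL_LEAD):
    """Actions due on `today`, as (dua_id, action) tuples in register order."""
    actions = []
    for r in register:
        if r.destruction_certified:
            continue  # lifecycle closed; nothing further is owed under this DUA
        destroy_by = r.expiry + timedelta(days=r.destruction_grace_days)
        if today > destroy_by:
            actions.append((r.dua_id, "DESTRUCTION_OVERDUE"))
        elif today > r.expiry:
            actions.append((r.dua_id, "EXPIRED_STOP_USE"))
        elif today + lead >= r.expiry:
            actions.append((r.dua_id, "RENEWAL_DUE"))
    return actions


def active_holdings(register, today):
    """Answer 'what data do we hold and under what terms?' for a given day."""
    return [(r.dua_id, r.dataset, r.provider, r.permitted_use)
            for r in register
            if today <= r.expiry and not r.destruction_certified]


def may_share(register, dua_id):
    """Gate for a downstream request: sub-sharing only if the DUA permits it."""
    return any(r.dua_id == dua_id and r.sub_sharing_allowed for r in register)


if __name__ == "__main__":
    for dua_id, action in obligations(SAMPLE_REGISTER, AS_OF):
        print(dua_id, action)
    for holding in active_holdings(SAMPLE_REGISTER, AS_OF):
        print("holding:", holding)
```

The three states are ordered deliberately: an agreement past its destruction deadline is reported as overdue rather than merely expired, and a certified destruction closes the record so it stops generating reminders. The sub-sharing gate defaults to deny, which matches the flow-down position recommended under the key clauses.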

Conclusion

Data use agreements protect researchers, institutions, and, most importantly, the individuals whose data is being used. A well-drafted DUA ensures that data is used for legitimate purposes, protected to an appropriate standard, and handled responsibly throughout its lifecycle.

Getting DUAs right requires attention to the specific clauses that matter, an understanding of how data protection frameworks apply to your research context, and systems to manage obligations across your portfolio. It is worth the investment. The alternative, relying on informal arrangements, generic confidentiality clauses, or outdated templates, creates risks that no Research Office should accept.

If you are looking to streamline how your institution manages DUAs and other research agreements, book a demo to see how Pactly can help.
