Data User Agreement

A DUA does not provide a legal basis to share personal data (the consent does). A DUA allows controlling what happens to the data when it is shared. A DUA can be a legal instrument if the data are shared for further processing with similar purposes as the original research project (it gives a legal basis to the secondary data user).

This template is based on the Donder’s Institute DUA Version RU-DI-HD-1.0. Given that brain imaging data can be used to identify individuals, it is safe to consider them as ‘personal data’ under the GDPR, even after using a pseudo-anonymization procedure like defacing (see our information on de-identification tools.

To allow sharing of such personal data, it is recommended to use a Data User Agreement (DUA) over a license. The term “license” is more general than DUA, but both are “contracts” between a licensor and licensee.

Not all licenses that are commonly used online (like GPL, MIT, CC-BY) are appropriate for data or for databases. A “data use agreement” is a specific form of license (or contract) that is designed for data and can take into account that besides the rights of the licensor (e.g. the researcher or the university) there may also be rights of the participants whose data is included, for example relating to re-identification. You could call an “agreement” or a “contract” between data provider and data downloader a “license”, but calling it a “data use agreement” makes it more explicit that it is not about the (re)use of a creative work (like written text or code by an author) but reuse of measured/observed data.

General considerations for a Data User Agreement

This DUA is meant to be sufficiently restrictive to publicly sharing biomedical data, which under GDPR should be seen as personal data. If a direct collaboration for data sharing is in place we recommend to be less restrictive.

  • If applicable, the agreement must specify how to deal with subject confidentiality issues.
  • Point 4 on secondary and derived data redistribution is contentious - and careful consideration should be taken to include this or not.
  • Related to point 4, you could specify how credits and acknowledgements are to be handled. For instance, if someone uses a template that was built by a researcher or group of researchers who used your data, do you want to be acknowledged as well.


Data user agreement for accessing identifiable human data

Version: OBC-GDPR-DUA 1.0.0

I request access to the data collected in the digital repository of the <DEPARTMENT>, part of the <INSTITUTION>, established at <CITY>, <COUNTRY> (hereinafter referred to as the <INSTITUTION SHORTNAME>).

By accepting this agreement, I become the data controller (as defined under the GDPR) of the data that I have access to, and am responsible that I access these data under the following terms:

  1. I will comply with all relevant rules and regulations imposed by my institution and my government. Rules established in this agreement thus take place in addition to existing general data protection regulations that are applicable in my country.
  2. I will not attempt to establish or retrieve the identity of the study participants. I will not link these data to any other database in a way that could provide identifying information. I shall not request the pseudonymisation key that would link these data to an individual’s personal information, nor will I accept any additional information about individual participants under this Data Use Agreement.
  3. I will not redistribute these data or share access to these data with others, unless they have independently applied and been granted access to these data, i.e., signed this Data Use Agreement. This includes individuals in my institution.
  4. [OPTIONAL] When sharing secondary or derivative data (e.g. group statistical maps or templates), I will only do so if they are on a group level, and cannot be deduced information from individual participants.
  5. I will reference the specific source of the accessed data when publicly presenting any results or algorithms that benefited from their use: (a) Papers, book chapters, books, posters, oral presentations, and all other presentations of results derived from the data should acknowledge the origin of the data as follows: “Data were provided (in part) by <Research centre/University Department> <University, Country>”. (b) Authors of publications or presentations using the data should cite relevant publications describing the methods developed and used by the <Research centre/University Department> to acquire and process the data. The specific publications that are appropriate to cite in any given study will depend on what the data were used and for what purposes. When applicable, a list of publications will be included in the collection. (c) Neither the <Research centre/University Department> or <University>, nor the researchers that provide this data will be liable for any results and/or derived data. They shall not be included as an author of publications or presentations without consent.
  6. Failure to abide by these guidelines will result in termination of my privileges to access these data.