Second, it avoids misunderstandings on the part of the data provider and the organization receiving the data by ensuring that all questions about the use of the data are discussed. Prior to the data exchange, the provider and recipient must speak in person or by telephone to discuss data sharing and use issues and to reach a joint agreement, which is then documented in a data exchange agreement. A data sharing agreement is a formal contract that clearly documents what data is shared and how the data can be used. Such an agreement has two objectives. First, it protects the organization providing the data and ensures that the data is not misused. (c) the Parties seek to implement an agreement on data processing in accordance with the requirements of the applicable legal framework with regard to data processing and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). For simplicity, the entity requesting the data is called the recipient of the data, and the entity providing the data is called the data provider. The DUAs set the conditions for the use and disclosure of records by data providers and recipients of data. In addition, affected companies such as Stanford must take all reasonable steps to remedy a recipient`s violation of the DUA. For example, if Stanford learns that the data it has provided to a recipient is being used in a way that is not authorized under the DUA, Stanford must work with the recipient to resolve that issue. If these efforts fail, Stanford would be required to stop any further disclosure of PHI to the recipient under the DUA and report the matter to the Federal Office of Public Health and Social Affairs for Civil Rights. A DUA must be completed before a limited file is used or disclosed to an institution or external party.
There are different types of contractual agreements that are used for research at the university. You will find information and models below. Yes, you will need both a Data Use Agreement (DUA) and a Business Partnership Agreement (BAA), as the relevant entity (covered entity affiliated with Stanford University) provides the recipient with PSRs, which may contain direct or indirect identifiers. For this reason, a BAA may be required before we transmit the direct identifiers to the recipient outside of Stanford. Ideally, these additional concerns should be addressed in the data sharing agreement in order to facilitate clear communication and, if necessary, put in place additional safeguards: A Data Use Agreement (DUA) is a legally binding agreement between the University of Nevada, Reno (university) and an external body (e.B. another academic institution, a private company, a federal or state agency) that regulates the conditions under which data obtained from research is shared with that external body. in particular if the personal data is subject to legal data protection laws and regulations. The agreement sets out the confidentiality requirements of the judicial authority, which govern the university`s policies and procedures for the protection of privacy, protection and use of data.
The DUA serves both as a means of informing data users about these requirements and obtaining their consent to comply with these requirements. In addition, the DUA serves as a control mechanism to track the location of the university`s data and the reason for data sharing. This data processing agreement is based on the ProtonMail DPA, which can be found on this page. Organizations can use the following document as part of their GDPR compliance. A covered unit (like Stanford) can use a member of its own staff to create the “limited data set.” On the other hand, the recipient can also create the “limited registration” as long as the natural or legal person acts as a business partner of the registered entity. determine the permitted uses and disclosures of the limited data set; 11.1 The Processor may not transfer or authorise the transfer of data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. Where personal data processed under this Agreement are transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To do this, unless otherwise agreed, the parties rely on EU-approved standard contractual clauses for the transfer of personal data. 1.1.8.2 a transfer of the company`s personal data from a processor to a sub-processor or between two entities of a processor in all cases where such a transfer would be prohibited by data protection laws (or by the terms of data transfer agreements established to meet data transfer restrictions of data protection laws); Non-disclosure agreements (NDAs) pave the way for discussions on licensing, partnerships and the commercialization of research by protecting confidential information exchanged to assess the technical and commercial potential of the disclosed information. 8. Data Protection Impact Assessment and Prior Consultation The Processor shall provide the Company with appropriate assistance in data protection impact assessments and prior consultations with supervisory or other competent data protection authorities that the Company deems reasonably necessary under Article 35 or 36 of the GDPR or equivalent provisions of any other data protection law data.
in any case, only with regard to the processing of the company`s personal data by and taking into account the nature of the processing and the information available to the subcontractors. Limited records can only contain the following identifiers: here is a list of items that are typically included in a data sharing agreement. While this list may cover the basics, additional concerns may be relevant to a particular dataset or vendor agency. It is important to recognize that the process of setting up data exchange agreements varies from country to country, as well as the type of data shared and the agencies that share the data. (B) The Company wishes to subcontract certain services involving the processing of personal data to the Processor. Data exchange also promotes accountability and transparency and allows researchers to validate each other`s results. Finally, data from multiple sources can often be combined to allow comparisons between national and departmental boundaries. A data use agreement (or material transfer agreement) is required when researchers at the university or affiliate are planning research that involves sharing data/samples with an external entity (whether as a provider or recipient) if the data/samples contain protected personal data (protected PII) or protected health information. The Health Information Protection (HIPAA Privacy Rule) Regulations allow limited records for the use and disclosure of protected health information for research, public health, or health services. .