Document #: HHS-OCIO-CDO-2023-01-001
Version #: 1.0
Last Reviewed: January 2023
Next Review: January 2026
Owner: OCIO/CDO
Approved By: Karl S. Mathias, HHS CIO
Table of Contents
- Nature of Changes
- Purpose
- Background
- Scope
- Authorities
- Policy
- Roles and Responsibilities
- Information and Assistance
- Effective Date and Implementation
- Approval
- Appendix D: Forms and Templates
1. Nature of Changes
This is a new policy issuance.
2. Purpose
The vision of a data-driven HHS relies on our programs’ ability to securely and ethically share data. One key tool to protect data when it is being shared is a Data Use Agreement (DUA), also referred to as a Data Sharing Agreement (DSA).
This policy defines a DUA as a document that establishes the terms and conditions under which the Data Provider will provide, and the Data Recipient will receive and use, the data covered under the Agreement, which is nonpublic, restricted HHS data shared for a limited government purpose. The DUA ensures adherence to guiding principles of accountability, privacy, confidentiality and security, stewardship, scientific practice, efficiency, and equity. Use and disclosure of the data must be consistent with the DUA and with applicable law.
The rules for when a DUA is required to protect a dataset; the content of a DUA; and the processes for how each DUA is developed are determined by legislative and regulatory requirements relevant to each dataset and the Operating Division (OpDiv) involved in data sharing. Operating Divisions, in consultation with the Office of the General Counsel (OGC), have responsibility for determining the requirements applicable to data sharing. In this context, the purpose of this policy is: 1) to set requirements for cataloging DUAs developed across the Department to make all DUAs searchable across the HHS enterprise, and 2) to provide a structure to which DUAs are required to align to promote efficiency, comparability, and comprehensiveness in developing new DUAs.
Effective use of this policy in conjunction with supporting processes, procedures and templates included here and from the OpDivs is expected to reduce unnecessary variability in the framework and content of DUAs, simplify the process for developing DUAs, decrease the time required to make data available for appropriate uses, and lessen the risks associated with variations in DUAs and poorly written legal language.
This policy aligns with the following principles:
- HHS is committed to making data available when appropriate.
- HHS data sharing will comply with applicable laws and regulations.
- HHS will ensure that data is protected from misuse.
- The DUA structure supports the following principles:
  - Accountability by having clear definitions of roles and responsibilities and specifying penalties for failure to comply with the terms of the DUA.
  - Preserving privacy and confidentiality by incorporating into DUAs protections that must be applied to data including security and applicable anonymization techniques.
  - Stewardship by making clear the allowed uses of the data and the restrictions on the use of the data.
  - Scientific practice by requiring that data users provide information to HHS on the purpose of the data analysis, the methods that will be used to perform the data analysis and indicating where HHS will have the right to review analysis prior to publication, if this right is requested by HHS and is consistent with existing laws and regulations.
  - Efficiency by using consistent terms for data use and consistent practices for ensuring compliance with the terms of DUAs.
  - Equity by consistently applying requirements for data use across all data use.
3. Background
The Foundations for Evidence-Based Policymaking Act of 2018 defines the function of a Chief Data Officer (CDO) to include coordination with any official in the agency responsible for using, protecting, disseminating, and generating data; reduction of barriers in making data assets accessible; and conformance with data management best practices. While the determination of the need for and the production of a DUA is the domain of the OpDiv providing the data, the CDO is obligated to steer the Department towards common data sharing practices.
The objectives of this policy are to create a common DUA structure and repository derived from authorities in the Foundations for Evidence-Based Policymaking Act of 2018, which establishes the responsibilities of a CDO, including oversight of data sharing and to work with the Statistical Official in support of priority data questions. This legislation also defines the scope of a repository maintained by the CDO, to include documentation that demonstrates best practices for data sharing.
Office of Management and Budget (OMB) Guidance also puts forth requirements relevant to this policy. For example:
- OMB Memorandum M-14-06 "Guidance…for Statistical Purposes" (Feb. 14, 2014) discusses data stewardship principles for information handling which must be adhered to and explicitly stated in a DUA for a given dataset, when using administrative data for statistical purposes.
- OMB Memorandum M-01-05 "Guidance...Privacy" (Dec. 20, 2000) discusses privacy principles which must be adhered to when data sharing constitutes a "matching program" as defined in the Privacy Act of 1974, as amended (5 U.S.C. 552a) and is therefore conducted under a Computer Matching Agreement (CMA) instead of a DUA, and states that agencies should consider applying the principles in other data sharing contexts.
This policy introduces basic enterprise-level requirements for OpDivs to adopt a common DUA structure to assure coverage of all required data sharing topics and to utilize a DUA repository that is searchable by authorized users. It is intended that a common DUA structure will reduce the overall time to complete a DUA, including review by the Office of the General Counsel. It is also intended that more readily available signed DUAs for review will help new authors, such as data stewards, emulate the prescribed common DUA structure. Access to DUAs may also allow data providers to determine that a dataset may already be governed by a DUA and require no new agreements, reducing the level of effort required to share data.
4. Scope
This Policy applies to all components of the U.S. Department of Health & Human Services and all OpDivs and StaffDivs within the Department excluding the Office of the Inspector General (OIG), computer matching agreements, Cooperative Research and Development Agreements (CRADAs), Research Collaboration Agreements (RCAs), and Material Transfer Agreements (MTAs).
This Policy defines a DUA as a document that establishes the terms and conditions under which the Data Provider will provide, and the Data Recipient will receive and use, the nonpublic data covered under the Agreement.
This Policy pertains to all legal agreements, Memoranda of Agreement (MOAs), and Memoranda of Understanding (MOUs) that establish the terms and conditions under which HHS will provide and the Data Recipient will receive and use the data covered under the DUA covering data that is nonpublic, restricted HHS data shared for a limited government purpose. These legal agreements, MOAs, and MOUs are referenced in the Policy as DUAs. This Policy does not apply to agreements where HHS is receiving data from another party for its own use, including data purchased from a third party.
This Policy specifies the requirements for final DUAs to be made transparent to the rest of HHS and to use a common DUA structure to the extent feasible.
This Policy does not specify the content of the DUA clauses or the process by which DUAs are developed and agreed upon.
This Policy covers DUAs when data is provided by HHS to the following parties:
- Other parties within an HHS organizational unit (OpDiv or StaffDiv)
- Other HHS organizational units (OpDivs and StaffDivs)
- Other Federal agencies
- Organizations outside the Federal government, including state and local government, contractors, grantees, academic organizations, researchers, organizations outside the United States and commercial entities seeking to use HHS data
This Policy does not supersede any applicable law or higher-level agency directive or Policy guidance.
The determination of when a DUA is needed is incumbent upon the OpDiv or StaffDiv stakeholders and not the HHS CDO or this policy. This Policy applies only if it is decided in the OpDiv or StaffDiv that a DUA is required.
5. Authorities
Authorities cited here are those that support the requirement to utilize DUAs, the accessibility of DUAs, and the authority of CDOs to issue this policy.
Authorities include:
- Foundations for Evidence-Based Policymaking Act of 2018, 44 United States Code (USC) § 3520
- Foundations for Evidence-Based Policymaking Act of 2018, 44 United States Code (USC) § 3576
- OMB M-14-06, Guidance for Providing and Using Administrative Data for Statistical Purposes (2014)
- OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy (2000)
- HHS Policy for Enterprise Data Management
6. Policy
This Policy requires that all final DUAs in which HHS is providing data to another party within or outside of HHS be submitted to a common repository to be made discoverable by authorized users as determined by the data owner. Each DUA, when being drafted, must reference the common DUA structure provided in this policy to support the efficient development of comprehensive and comparable DUAs across the Department.
When a DUA is utilized, OpDivs must ensure that the DUA:
- Incorporates the applicable sections in the Data Use Agreement Outline included in Appendix D.
- Is submitted to the HHS Data Use Agreement repository or an organization-specific repository that can be referenced by and linked to the HHS Data Use Agreement repository.
7. Roles and Responsibilities
7.1. HHS Chief Information Officer
- Oversees the implementation of this Policy.
- Ensures alignment of this Policy with other OCIO policies.
7.2. HHS Chief Data Officer
- Provides guidance to HHS OpDivs and StaffDivs on DUAs.[1]
- Maintains a repository of DUAs.
- Consults with HHS OpDivs and StaffDivs on DUA Policy and practices.
- Reviews and revises this policy as needed.
- Shares with the Data Governance Board information on DUA practices and challenges.
- Assists HHS OpDivs and StaffDivs in improving their DUAs.
7.3. OpDiv Chief Data Officers (or equivalent)
- Disseminates this Policy to staff engaged in the development of DUAs.
- Ensures alignment of OpDiv policies with this policy.
- Provides guidance within the OpDiv on the applicability of the policy to OpDiv DUAs.
- Conducts periodic reviews to identify opportunities to improve DUA practices.
- Provides feedback to the HHS CDO on opportunities to improve DUA practices, proposed revisions to this Policy, and assistance needed to enable staff to improve DUA practices.
7.4. Office of the General Counsel
- Reviews DUAs as required to assure that HHS and OpDivs enter sound legal agreements on data sharing.
8. Information and Assistance
The HHS Office of the Chief Data Officer is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to: CDO@hhs.gov
9. Effective Date and Implementation
This Policy will apply to DUAs signed six months after the Policy effective date. DUAs signed prior to the effective date of this policy will be exempted from the policy until there are substantive changes to the DUA or the DUA needs to be renewed or extended. HHS data providers are encouraged but not required to submit DUAs to the repository or provide links to DUAs in effect prior to the policy effective date.
The effective date of this Policy is the date on which the Policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date. The HHS CDO has the authority to grant a one (1) year extension of the Policy. To archive this Policy, approval must be granted, in writing, by the HHS CDO.
10. Approval
/S/
Karl S. Mathias, Ph.D., HHS CIO
01/23/2023
Appendix A: Procedures
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
Requirement: DUAs will be submitted to the HHS Data Use Agreement repository
- Once signed, the completed DUAs will be submitted or linked to: https://hhsgov.app.box.com/f/407d3092612743609befd32331facf5f.
- In instances where DUA templates are implemented and applied across multiple agreements, OCDO can authorize the OpDiv or StaffDiv to submit the template and provide supplemental data on the entities that have DUAs using the template.
Appendix B: Standards
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
No standards are applicable to this Policy.
Appendix C: Guidance
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
Requirement: DUAs will incorporate the applicable sections in the Data Use Agreement Template included in Appendix D.
- Early in the development of the DUA the author should review the Data Use Agreement template and identify the applicable sections.
- OpDivs that have existing processes and templates related to DUAs should start from OpDiv resources.
- The DUA author should map the sections of the template to their DUA and retain the template structure to the extent possible.
- Prior to signing the DUA the author should conduct a review of the DUA against the template to confirm that all applicable sections are covered.
Frequently Asked Questions (FAQ):
This section addresses anticipated questions regarding policy implementation.
- Does my organization have to follow the outline exactly?
A: Organizations should incorporate the template sections that are applicable to their specific DUA. Organizations are encouraged to follow the order and section headings to provide a consistent structure to DUAs across HHS.
- Does this impact existing DUAs?
A: This Policy applies to DUAs signed six months after the policy effective date and does not impact existing DUAs unless substantive changes are made. Organizations are encouraged to submit or link existing DUAs to the HHS repository to provide a single point of reference for DUAs.
- Are DUAs required to share data collected under the Open Government Data Act 3561 (2)?
A: DUAs are not required for data collected under the Open Government Data Act 3561 (2).
- What is the role of General Counsel with respect to this Policy?
A: This Policy does not change the role of the General Counsel in the development and approval of DUAs.
- What about special legal and regulatory requirements applicable to my organization?
A: This Policy does not supersede any legal or regulatory requirements. The Policy is intended to provide the flexibility needed to comply with legal and regulatory requirements.
- How is a DUA related to the Privacy Impact Assessment?
A: Where data being shared is from an HHS IT system, the DUA should be documented in the Privacy Impact Assessment (PIA).
- What is considered a substantive change to a DUA?
A: A substantive change to a DUA includes the following types of modifications: parties to the agreement, scope of data, purpose/use case, usage of data, roles and responsibilities, disclosure and use, data sharing, data linkage, data reuse, data redisclosure, data disposition, security, and applicable laws and regulations.
- Who is an authorized user of the DUA repository?
A: Access to the DUA repository will be limited to HHS employees and contractors who have been approved to access HHS Connect. Access to specific DUAs will be controlled by the DUA owner, who will specify these access controls when they upload a DUA to the repository.
- Who should I contact if I have questions about this policy?
A: Questions regarding this policy should be directed to the OCDO at the following email address: CDO@hhs.gov
- Where can I find information on the process for submitting my DUAs to the HHS repository?
A: The DUA Repository is under development. Once the repository is in place, this section will be updated with the location and other related instructions.
Appendix D: Forms and Templates
Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.
The Data Use Agreement template should be used by DUA developers to ensure that all topics applicable to the DUA are covered. To the extent possible DUAs should apply the section structure in the template.
1.0 General Terms
1.1 Parties to Agreement
- Identifies the organizations and individuals entering into the agreement.
1.2 Period of Agreement
- Specifies the start and end dates of the agreement and renewal.
1.3 Scope of Agreement
- High level description of the purpose of the agreement and data to be shared.
1.4 Authority to Share Data (as applicable)
- References to legislation and/or regulation that authorize the data provider to share data with the data recipient, as applicable. Note that many programs do not have an explicit authority in statute to share data; it is more common for a program to have the presumed authority to share data subject to the broad privacy, confidentiality, and security requirements and standards common to all Federal data, unless further restricted in statute or regulation.
1.5 Modification
- Clarifies the types of changes that require modification of the agreement, e.g., changes to regulatory authorities, research plans or computing environments and the process for making a modification.
1.6 Termination
- Timeframe for termination notice without cause and with cause, e.g., data breach, breach of other terms of the agreement.
- Requirement and timeframe for returning and/or destroying data upon termination.
1.7 Violation of Terms
- Requirement to report violation of terms of agreement including timeframe for reporting.
- Right of parties to take action when terms of the agreement are violated.
1.8 Indemnification
- Specifies that each party is responsible for any claims arising from their actions under the agreement.
- Clarifies that the application of the provision is subject to Federal and State law.
1.9 Acknowledgements
- Authorization to sign.
- Affirmation of understanding of the agreement and to abide by terms of the agreement.
- Confirmation that the plans for use of the data are accurate.
1.10 Roles and Responsibilities
- Identifies specific individuals, their contact information, and their responsibilities under the contract.
- Roles may include project officer, point of contact, data custodian, data users, system manager.
1.11 Funding
- Descriptions of payments to be made between the parties to the agreement.
1.12 Other
- Clauses covering common contractual requirements, such as assignment, dispute resolution, captions, choice of law, costs and damages, counterparts, entire DUA, flow-down, order of precedence, independent entities, severability, survival, prohibition on 3rd party beneficiaries, public availability of the document, and references to the contract that the DUA is associated with.
2.0 Purpose/Use Case
- Description of the context for the use of the data, e.g., research, legislative requirement, program improvement.
- Description of the objective, issues to be studied, benefits, and methods for analysis of the data.
- Description of any other data that will be linked, matched, or otherwise used as part of the analysis.
3.0 Scope of Data
3.1 Data Description
- High level description of the data set with indications of whether the data is PII, PHI, BII or a limited data set.
- Federal program that is the source of the data.
- Detailed description or reference to appendix which contains a description of the data files to be shared under the agreement, including, system source(s), file name, data elements, time period covered, file format, and other parameters on the data included.
3.2 Data Ownership
- Specifies the party that has ownership of the data and rights of the data owner.
3.3 Service Level
- Frequency of data file sharing, method of transmission.
- Provision of resources to support users including platforms, tools, data exchange standards, and technical assistance.
3.3.2 Data Quality
- Indication of any assurances or limitations on the quality of the data including limitations that may result in bias, especially with respect to health equity or health disparities.
- Description of steps taken by the data provider to ensure data quality.
- Suggested methods to ensure that data analysis aligns with the quality and completeness of the data.
- Processes for resolving/handling inconsistent or poor-quality data or errors when transmitting data.
4.0 Data Controls
4.1 Disclosure and Use
- Requirements to use the data only for the purposes allowed by the DUA, e.g., specific research study.
- Federal or State laws that apply to the use of the data.
- Requirements for individuals to consent to disclosure of the data.
- Specific prohibitions on the use of the data, e.g., contacting individuals, commercial purposes.
- Limitations on the roles of persons who may access the data and training required for these individuals.
- Requirements to maintain records of authorized users of individual level, identifying, or otherwise further-protected data.
- Notification requirements if disclosure of the data is compelled by legal action.
- IRB approval requirements for studies that require IRB approval.
4.2 Control of Identifiable Data
- Prohibitions on the sharing of identifiable data including ensuring that the detail provided in reports would not enable identification of individuals.
- Description of circumstances under which identifiable data might be shared, e.g., public health emergency.
4.3 Data Deidentification
4.3.1 Person
- Standards for de-identification of individual data.
- Requirements to prevent re-identification.
4.3.2 Organization
- Definition of de-identification requirements for individual establishments (e.g., hospitals) whose data are included in the data set.
- Requirements to prevent re-identification.
4.4 Data Sharing
4.4.1 Data Linkage
- Prohibition on data linkage beyond the scope of the agreement, except with permission of the data provider.
4.4.2 Data Reuse
- Prohibition on reuse of the data beyond uses specified in the DUA.
- Process for requesting permission to reuse data.
4.4.3 Data Redisclosure
- Prohibition on redisclosure of data.
- Permitted standard redisclosures, including FOIA.
- Permitted redisclosures, including the required terms of redisclosure and the process for requesting to redisclose data and notification and documentation to the data owner.
- Process for notification of data provider that a prohibited redisclosure has occurred and actions to be taken.
4.4.3.1 Identifiable data as de-identified data
- Requirements to ensure that recipients of data sets with identifiable data do not publish or release the data in a form that would allow others to identify individuals included in the data set.
4.5 Data Disposition
- Period for which the data may be retained and the process for disposition or return of the data. This may be the same as the period of agreement in section 1.2 above.
- Requirement to certify the disposition of the data.
- Reference to required documentation for certifying data disposition.
4.6 Publication
- Authority of the data provider to approve dissemination of results of the analysis of the data.
- Process for obtaining authorization from the data provider for the data recipient to disseminate the results of the analysis of the data, if applicable.
- Acknowledgements to be included in publications using the data provided under the DUA including use of data provider’s name and logo.
5.0 Security
5.1 General
- Broad requirements for the data recipient to establish appropriate administrative, technical and physical safeguards to protect the confidentiality of the data and prevent unauthorized use or access to the data.
5.2 Data Access Controls
- Requirements for the data recipients to control and monitor user access to data.
- Security requirements for users with remote access to the data.
- Specification of individuals permitted to access the data, reason for access, data they will access, where the data will be stored and contact information.
5.3 Network Access
- Requirement to implement network access controls that ensure that remote devices and users comply with security policies.
5.4 Physical Access
- Requirements for controls on access to facilities that house equipment where data is stored, including limits on facility access and secure storage of paper and electronic copies of data.
5.5 Transmission and Storage
- Requirements for encryption of data during transmission and on storage devices.
- Other requirements related to data transmission and storage.
5.6 Authority to Operate (where applicable)
- Requirement to demonstrate that security controls meet requirements equivalent to those applicable to Federal systems.
5.7 Cloud Computing (where applicable)
- Requirement for data recipients using cloud platforms to document that the cloud service provider is certified as compliant with the Federal Risk and Authorization Management Program (FedRAMP).
- Requirement for approval of the use of a cloud platform by the data provider.
5.8 Incidents Including Reporting
- Definition of an actual or suspected breach or security incident.
- Requirements for the data recipient to report security incidents or privacy breaches to the data provider, including the reporting timeline, the data provider contact for submitting incident reports, and the information and system documentation to be provided related to the incident.
- Requirements for the data recipient to maintain records for investigations.
- Requirement for the data recipient to take action to mitigate the impact of the incident including notifying individuals.
- Requirements for the data recipient to take action to prevent future incidents.
5.9 Audit
- Requirements for the data recipient to allow the data provider to have access to conduct on-site inspections to confirm compliance with security requirements.
6.0 Reporting Requirements
- Specifies reports that will be prepared and submitted under the agreement, e.g., annual progress reports.
7.0 Applicable Law and Regulations
- Itemization of the laws and regulation applicable to the agreement with a description of the aspect of the agreement impacted by the law or regulation, e.g., data security, identifiable data, de-identified data, data sharing.
8.0 Signatures
- Signatures by persons identified in the roles and responsibilities section as authorized to sign the DUA. Should include name, title, organization, and date of signature.
Appendices and Exhibits (where applicable)
Glossary and Acronyms
Definitions:
- Accessibility - Data are made available in convenient, modifiable, and open formats that can be retrieved, downloaded, indexed, and searched. Formats should be machine-readable (i.e., data is reasonably structured to allow automated processing). Data structures do not discriminate against any person or group of persons and should be made available to the widest range of users for the widest range of purposes, often by providing the data in multiple formats for consumption. To the extent permitted by law, these formats should be non-proprietary, publicly available, and no restrictions should be placed upon their use. (Source: Office of Management and Budget M-13-13)
- Availability - Timely, reliable access to data and information services for authorized users. (Sources: Committee on National Security Systems Instruction 4009-2015 and National Institute of Standards and Technology Special Publication 800-70 Rev. 2)
- Breach - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose. (Source: Office of Management and Budget (OMB) Memorandum M-17-12)
- Business Identifiable Information - Business Identifiable Information is information that is defined in the Freedom of Information Act (FOIA) as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” (Source: 5 U.S.C. 552(b)(4))
- Clause - A unit of organizational text referencing a specific DUA subject matter.
- Confidentiality - The property that sensitive information is not disclosed to unauthorized entities. (Source: National Institute of Standards and Technology Special Publication 800-175A)
- Data Governance Board - The highest data governance authority for the Department that works to partner, coordinate, and integrate data management efforts across HHS.
- Data - Recorded information, regardless of form or the media on which the data is recorded.
- Data Protection - Implementation of appropriate administrative, technical or physical means to guard against unauthorized intentional or accidental disclosure, modification, or destruction or non-availability/non-accessibility of data. (Source: ISO/IEC 2382:2015, definition 2121404)
- Data Provider - An organization that produces or manages data or metadata (i.e., is the source of data) disclosed to a data recipient.
- Data Recipient - A “natural or legal person, public authority, agency or any other body to whom data are disclosed.” (Source: National Institute of Standards and Technology Internal Report 8053, quoting ISO/TS 25237:2008)
- Data Recipient (ALT) - Trusted Data Recipient: an entity that has limited access to the data that it receives as a result of being bound by some administrative control such as a law, regulation, or data use agreement. (Source: National Institute of Standards and Technology Internal Report 8053)
- Data Sharing Agreement - Synonymous with a Data Use Agreement (DUA).
- Data Use Agreement - A Data Use Agreement establishes the terms and conditions under which the Data Provider will provide, and the Data Recipient will receive and use, the data covered under the Agreement. The Data Use Agreement ensures adherence to guiding principles of accountability, privacy and confidentiality, stewardship, scientific practice, efficiency, and equity. Use and disclosure of the data must be consistent with the Data Use Agreement and with applicable law. For purposes of this Policy, Data Use Agreements do not include Computer Matching Agreements (CMAs).
- Dataset - A collection of separate sets of information that is treated as a single unit by a computer.
- Information Technology - “IT” is defined as any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. (Source: OCIO)
- Memorandum of Understanding/Agreement - Synonymous with Data Use Agreement.
- Personal Health Information - Individually identifiable health information (1) Except as provided in paragraph (2) of this definition, that is (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.
- Personally Identifiable Information - Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Sources: Office of Management and Budget (OMB) M-17-12 and OMB Circular A-130)
  Note: Per National Institute of Standards and Technology Special Publication 800-122, this includes any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. (Source: Office of Management and Budget (OMB) M-17-12)
- Policy - A policy is a set of principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals. (Source: OCIO)
- Transmission - The state that exists when information is being electronically sent from one location to one or more other locations.
Acronyms:
- BII – Business Identifiable Information
- CDO – Chief Data Officer
- CIO – Chief Information Officer
- DSA – Data Sharing Agreement
- DUA – Data Use Agreement
- IT – Information Technology
- MOA – Memorandum of Agreement
- MOU – Memorandum of Understanding
- OCDO – Office of the Chief Data Officer
- OCIO – Office of the Chief Information Officer
- OpDiv(s) – Operating Division(s)
- PHI – Personal Health Information
- PII – Personally Identifiable Information
- StaffDiv(s) – Staff Division(s)
Endnotes
[1] The guidance referenced here is broad and the CDO will not be responsible for approving or providing tailored guidance on individual DUAs.