Responding to data requests
Having an established protocol for responding to a request for data will save you time and effort (see Develop a data request process). The following suggestions will help you respond smoothly to different types of requests.
Ask key questions up front.
Establish a process for how key questions are asked, answered, and documented. We’ve included a detailed list of questions to ask in the section above about developing a request process, but here are the main areas to cover:
- What’s the purpose of the request?
- How does the requester plan to use the data?
- Who’ll have access to the data?
- What’s the specific data they are requesting and what are the specific parameters?
If the requester is planning to combine data with another dataset, this will require careful review and consideration from both teams. This could be a complex process and we’ve included some discussion of data linking in Appendix B.
Identify the type of legal data sharing agreement you will need.
Legal counsel will advise you on the specific type of legal agreement needed to share data. However, the information below can help frame productive conversations with your data-sharing partners.
The type of agreement you will need depends on factors like:
- Whether the data contains personally identifiable information (PII)
- The sensitivity of the data requested
- The type of organization requesting the data
- How the data will be used
- The scope and duration of the request
There are multiple types of data-sharing mechanisms available to state agencies. Each of them is governed by unique requirements and legal considerations.
But first: Do you even need an agreement?
Sharing data that’s open to the public doesn’t require an agreement. If the requesting party doesn’t need to identify specific individuals, it may be preferable to release the data to the public.
Common types of agreements
The following section provides a brief description of these common types of agreement and when to use them:
- Memorandum of Understanding (MOU)
- Data Use Agreement (DUA)
- Enterprise Memorandum of Understanding (E-MOU)
- Data Sharing Agreement (DSA)
- Business Associate Agreement (BAA)
- Statement of Work (SOW)
- Non-Disclosure Agreement (NDA)
While each of these agreements has a specific function (and a context in which they are appropriate to use), it isn’t necessarily the case that an agency looking to share data can solely choose any one of these agreements and move forward. These agreements often work together to provide the full details of the nature of a data sharing agreement (for example, the E-MOU, DSA, and DUA tend to work together rather than operating alone).
Memorandum of Understanding (MOU)
MOUs are best suited for ongoing data transfers that have consistent and formalized parameters. An MOU:
- Identifies the roles and responsibilities of the involved groups
- Describes why an agreement is required
- Specifies the terms and conditions for the partnership
MOUs are especially important when the basis for a data sharing relationship is grant funding or a service contract. The process of establishing an “MOU enables potential partners to identify similarities and differences in their priorities and goals, available resources (time, money, and expertise), project timelines, and expected outcomes prior to collaboration.”
Data Use Agreement (DUA) or Data Use Licenses (DUL)
Data Use Agreements (DUAs) or Data Use Licenses (DULs) are best suited for individual data sharing transactions. DUAs precisely specify the parameters for the data transfer, who’ll have access to the data, the intended use of the data, and how the requester should destroy data.
They may also “include specific time parameters for data use or provide special provisions for data disclosure or requirements for the data holding agency to review resulting research before its publication.”
Enterprise Memorandum of Understanding (E-MOU)
An E-MOU is a long-term agreement signed by multiple parties in order to facilitate multiple and diverse data sharing requests. E-MOUs usually:
- Describe involved parties
- Set up governance boards
- Define codified request procedures
- Highlight the rights and responsibilities of data stewards and requesters
E-MOUs are mostly used to facilitate government agency to government agency data sharing and have been implemented in multiple states.
Data Sharing Agreement (DSA)
Data Sharing Agreements are best suited for establishing long-term data sharing relationships that involve multiple transfers with different parameters. Data Sharing Agreements identify the involved parties and the terms and conditions for the partnership. They can stand independently or be an addendum to an MOU or E-MOU.
Since it defines an ongoing relationship for multiple transfers, a DSA may also define a process for authorizing data requests along with requirements for storing, protecting, and disposing of shared data.
Business Associate Agreement (BAA)
A Business Associate Agreement is a written arrangement that specifies each party’s responsibilities when it comes to PHI (personal health information). HIPAA requires covered entities to only work with business associates who assure complete protection of PHI.
Statement of Work
The Statement of Work is a detailed overview of the project in all its dimensions. It’s also a way to share what the project entails with those who are working on the project, whether they’re collaborating or contracted to work on the project. This includes vendors and contractors who are bidding to work on the project.
Non-Disclosure Agreement (NDA)
A non-disclosure agreement is a binding contract between two or more parties that prevents sensitive information from being shared with any others.
Types of data sharing relationships
Below is a list of data sharing relationship types along with guidance on the types of agreements that might best facilitate data sharing. We’ll cover:
- Government organization to government organization
- Government to external company
- Government to public
Government organization to other government organizations (interagency data sharing)
We recommend that agencies develop more flexible, durable agreements by:
- Signing a policy agreement among the participating agency leaders to achieve an integrated data sharing process.
- Setting up an Enterprise Memorandum of Understanding (E-MOU) to avoid drafting individual MOUs for data sharing purposes.
- Using Data Sharing Agreements (DSAs) to establish individual data sharing relationships between specific data providers and requesters.
- Creating Data Use Agreements (DUAs) for individual data sharing transactions.
Government to external company
Data sharing between a government organization occurs when a government organization:
- Contracts an external company to process data for its operations
- Contracts an external company to collect data on its behalf
In these cases, the SOW contract, BAA, or MOU forces the contractor to abide by the same privacy and legal responsibilities as a government organization. When designing these agreements, government agencies should take special care to establish themselves as the data owners and the contractors as data stewards and custodians.
Government to public
Releasing data to the public doesn’t require a special agreement. However, it does require that the government organization:
- Aggregate or anonymize the data to prevent misuse. For an example, see the public data on Data.gov.
- If the agency determines the data must be anonymized or aggregated, they should follow cell suppression techniques according to the regulations that govern the data. Cell suppression is an important means of masking attributes of personally identifying or protected health information that could become damaging to an individual if the data were used (possibly in combination with other datasets) to identify them.