Receiving or Transferring Restricted Data

Request help from UGA

When transferring or receiving restricted data, a Data Use Agreement (DUA) is used to document the data transfer. It includes terms and conditions specific to the data being transferred and will generally cover issues such as ownership, permitted uses, publication, further development of the data or resulting inventions, and disposal of the data at the end of the research.

Please note that UGA researchers are not authorized to sign DUAs on behalf of UGA. Whether you are transferring or receiving the data, please submit a Data Use Agreement request through SOPHIA to initiate the DUA process with Innovation Gateway’s contract team.


For all cases it is important to understand the type of restricted data that you will be receiving or transferring.

  1. Is the data related to humans?
    If so, please review the Human Subjects Office guidance for Data and Specimen Sharing. There is federal policy for the protection of human subjects known as the “Common Rule”. It is important to determine the type of human related data. If the data includes personally identifiable information or Protected Health Information (PHI), then HIPAA applies. The researcher will need to complete the “Bio-Medical Research” training that can be found at UGA’s Professional Education Portal. Upon completion, please submit the certificate to Innovation Gateway’s contract team. IRB approval will also be required for HIPAA related work. By removing certain types of PHI, the data can be classified as de-identified or Limited Data Set (note: HIPAA training and IRB approval required for LDS data).
  • A. De-identified human data
    HIPAA does not apply. Human data is considered de-identified if 18 identifiers have been removed:
    I. Name.
    II. All geographical information more specific than the state level, including street address, city, county, precinct, ZIP code, and equivalent geographical codes.
    III. Dates (except year) related to the individual, including birth date, admission date, discharge date, date of death. Ages or elements of dates indicative of age over 89 may be aggregated into a single category of 90 or older.
    IV. Telephone numbers.
    V. Facsimile numbers.
    VI. Electronic mail address.
    VII. Social Security numbers.
    VIII. Medical record numbers.
    IX. Health plan beneficiary numbers.
    X. Account numbers.
    XI. Certificate/license numbers.
    XII. Vehicle identifiers and serial numbers, including license plates.
    XIII. Device identifiers and serial numbers.
    XIV. Web universal resource locators (URLs).
    XV. Internet protocol (IP) address numbers.
    XVI. Biometric identifiers, including fingerprints and voiceprints.
    XVII. Full-face photographic images and any comparable images.
    XVIII.Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
  • B. Limited Data Set
    HIPAA does apply. Human data is considered Limited Data Set if it includes the following information:
    I. Some geographical information, including city, county, precinct, ZIP code, and equivalent geographical codes. It cannot include street address.
    II. Dates and ages (or elements of dates indicative of age) over 89.
    III. A Limited Data Set may include a link field to allow the provider to re-identify the individual.

HIPAA guidance can be found at the CDC and HHS

Personally identifiable data from education records fall under FERPA. Please indicate FERPA related data to the Innovation Gateway contracts team.

Receiving Data

For restricted data coming from an external entity, the policies and procedures of that entity will likely control the process. The receiving investigator’s IT department will need to be consulted on data security measures. Please provide the IT department a copy of the agreement and the “3rd Party DUA IT Approval Form”. Return the completed form to Innovation Gateway’s contract team.

Transferring Data

For any restricted data that a researcher wishes to send to an external entity, answers to the following questions will be required:

  1. What is the subject matter of the data to be provided?
    Provide a simple, brief description of the data. There is no specified format for sharing this information, but there needs to be enough detail so that everyone involved can identify the data that will be transferred.
  2. What are the allowed uses of the data and/or a description of the research to be performed?
    Again, there is no prescribed format to answer this question, but there needs to be enough detail so that the limitations on the use of the data are easily understood.
  3. Where is the data going, and who is the recipient professor/collaborator?
    Please provide contact information, preferably email, for the recipient. If there are multiple collaborators at the recipient institution or if you want to allow the recipient PI to share the data with other researchers at the institution, please indicate that.
  4. Is this data related to a sponsored project?
    Please provide the FP number for the research if this is related to a sponsored project