What is a data use agreement (DUA)?

• A. A marketing plan for data availability.
• B. A legal contract specifying permissible data uses and protections.
• C. An informal email outlining data handling.
• D. A technical specification for de-identification.

Answer: (B)

A data use agreement is a legally binding contract between the data provider and the recipient that spells out how the data can be used and what protections must be in place. It specifies what research or purposes are allowed, who may access the data, and any restrictions on sharing or re-identification. It also outlines required data security measures (like encryption and access controls), breach reporting duties, data retention and destruction timelines, and compliance with applicable laws and policies. This formal agreement ensures the data is handled responsibly and only for approved purposes, with clear consequences if terms are violated.

The other options don’t fit because they describe more informal or less binding concepts: a marketing plan focuses on promoting data availability, an informal email lacks enforceable terms, and a technical specification for de-identification concentrates on how to remove identifiers rather than defining permissible uses and protections.