Designing a Restricted Data Use Contract
Implementing the Contract
Restricted data use contract implementation, management, and administration require attention on the part of the data producer to insure that the data users adhere to the requirements specified in the signed restricted data use agreement. The degree of administrative monitoring depends on the nature of the contract developed and the resources available for monitoring activities.
We have provided some suggestions to assist you in determining the type of data access and security your sensitive data requires. Please see Data Access and Computer Security.
The process specified below provides a general overview of the steps often taken in implementing a restricted data contract agreement.
1) Application submission and review procedure
- Develop and implement a process to accept restricted data contract applications, e.g., identify who receives applications, who reviews them, who asks applicants for additional information.
- Review applications for completeness and accuracy (e.g., confirm that all information requested is supplied and necessary signatures obtained, including human subjects or privacy board approvals. Such initial review can, but may not, include evaluation of the research being proposed).
- Inform applicant of problems, if any, with the initial application submission and provide an opportunity for resubmission.
- When the terms of the contract are mutually acceptable, have an authorized individual of each party (and investigators, if required) sign the restricted data contract.
2) Data Dissemination
- Provide restricted data.
- Mark electronic files with an identifier obvious to the recipient in order to ensure that original files are returned or destroyed, and arrange password limited access.
- Mail package of CD-ROM, copy of signed contract, and cover letter to data user via U.S. certified mail -- return receipt requested or some other carrier that provides reliable and trackable delivery and confirmation of receipt.
- Develop a process to respond to applicant questions about the restricted data contract process, procedures, and policies as well as to questions concerning filling out the form. Have staff available that can answer questions about meeting the computer security requirements, signing, and physical security requirements specified in the contract.
3) Contract Administration
- Develop a database of restricted data users.
- Record data user/order in database, noting researcher, affiliated institution, address, e-mail, phone, data provided, date data provided (mailed), data use expiration or due date.
- Keep database current with institutional contacts and records as well as updated IRB certification.
- Expiration date administration
- When expiration date set forth in the contract approaches, contact the researcher and ask for either a signed affidavit from them or the receiving institution, as appropriate, indicating the data have been destroyed or a request on university/institute letterhead for extension.
- If no response to initial mailing, contact data user by e-mail.
- If no response to the e-mail and the initial email was sent only to the researcher, you may need to escalate to get a proper response. An escalation path might be to send a letter saying you will contact the co-signer (university/institution authority that signed the agreement on behalf of the university) for assistance in enforcing the terms of the agreement. If still no response, send a letter to co-signer asking for their assistance. If no response to that, conduct Web searches to locate the researcher. (Sometimes if the researcher is at a member school, we ask the ICPSR Official Representative for assistance in locating the researcher.)
- Respond to data user questions about extending terms of the agreement/contract.
- Update restricted user database if extension granted or affidavit arrives indicating data user has destroyed the data covered under the agreement.
- Disposition of data after end of contract.
- Collect and archive/file contract.
- Collect and archive/file verification -- signed paperwork, affidavit, etc. -- from data user that data has been destroyed or returned.
- Update contract database with contract termination information collected as described above.