Designing a Restricted Data Use Contract
This web tool provides data producers with suggestions of elements to be considered for inclusion in contracts to disseminate data that are of a confidential or sensitive nature. In addition to these suggestions, this website will offer information that may be of help to data producers in identifying and managing confidentiality issues related to data released for use by the public.
The components of a restricted data contract presented here are intended to provide an overview of general issues typically addressed in data contracts used by data producers and archivists, including ICPSR. In compiling information for this website, we have reviewed 15 contracts used currently by data producers, including Add Health, LA.Fans, RLMS, and CHNS. These contracts include language that addresses proposal requirements, characteristics of the user, the administrative requirements of the contract, data safety and security including computer security, and publishing and reporting guidelines. There may be additional sections that you should develop and include that are specific to your data and situation or sections that are not necessary in your case or need to be adapted for your situation. Furthermore, we are not lawyers and do not intend to provide legal advice. All contracts for data distribution should be reviewed and approved by the General Counsel's Office or other designated reviewing authority of your particular university or research institute. In addition, if you choose not to distribute data under your own contract arrangements, ICPSR provides support for the distribution of data under a restricted data contract for member institutions and depositors.
Using These Guidelines
Each contract section listed in the menu contains a summary of elements that will be useful to consider in constructing a restricted data use contract. Do not assume that the items discussed here are the only requirements to be included in your contract. There may be additional items not identified here that you may want to or should include specific to your data and research context. The contract you develop should always be reviewed and approved by the appropriate legal authority of your institution. The contract form, a description of the contents of the restricted file, and appropriate information about the application process once developed could be made available for easy access and reference on the website that disseminates the data collection.
We have broken down each data access section into three broad restriction levels: Highly Restrictive, Moderately Restrictive, Least Restrictive.
Highly Restrictive: Contract provides access to highly sensitive information, contains many specific requirements, and generally requires more detail.
Moderately Restrictive: Contract contains some specific requirements, but not as many or as much detail as required by the more highly restricted data contracts.
Least Restrictive: Contract specifies only broad, basic requirements under which the least sensitive restricted data can be used.
Example: Under the requirements of a highly restrictive contract, all individuals who will have access to the data may be required to sign the contract at least to acknowledge that they have read and understood the terms. In contrast, the least restrictive contract type will specify that only the Principal Investigator needs to sign or acknowledge the contract. In general, an authorized official of an institution that employs individuals who are granted access to restricted data while acting within the scope of the individuals' employment should also be required to sign the data access agreement.
You can review (and download) several currently used contracts.
Data Security Guidelines
In addition to general contract sections, we have also identified three levels of security risk under which most of the contracts fall. These levels of security represent different approaches to securing and releasing data. It may not be appropriate or necessary to use a high level of restriction under each section of the agreement. Very strong restrictions can prevent widespread use of the data despite the risks of disclosure being low.
Clear, simple and agreed upon methods for classifying disclosure risk have yet to be developed that allow data producers and archivists to make straight forward, uniformly consistent decisions about the level of risk for any given data file. Work at ICPSR and the Institute for Social Research at the University of Michigan is currently under way to attempt to quantify the true risk of disclosure under a variety of survey and data collection scenarios.