Urban’s Process for Creating Private-Sector Data Use Agreements

The Urban Institute is home to more than 300 researchers analyzing a vast spectrum of data every day. Although most of those data are publicly available or restricted-access government data, our researchers are increasingly analyzing private-sector data, such as data from credit bureaus or social media platforms.

Some of the private-sector datasets Urban researchers use are purchased, and others are donated as part of corporate data philanthropy, in which corporations share data assets to serve the public good. (By data assets, we mean data that companies collect through passive or active means and use in some part of their business operations.)

Why draw this distinction between government data and private-sector data? When working with restricted government data, and often with purchased private-sector data, data-sharing agreements are often prescribed by statute, precedent, or established procedure. For many data philanthropists, however, data-sharing agreements often break new ground or deviate from existing lines of business. For work with new or recently established data providers, we have developed data use agreement (DUA) guidelines as a starting point for data-sharing negotiations and conversations.

Although we cannot share Urban’s template directly with the public, we can describe some of our standard processes and best practices to help other organizations realize the benefits that data philanthropy can offer to serve the public good.

Our DUA Process

Urban’s DUA template follows many of the same principles as other DUAs in the research community and is structured like a contract. Like many contracts, it generally contains recitals, several sections of terms and conditions, and appendices. We’ll touch on each of them briefly here before we talk about the DUA’s benefits and how we use it.

Recitals: As in most agreements, recitals define the parties involved and any statements of facts relevant to the agreement. Urban sometimes uses recitals to describe the relationship between the parties, reference any overarching agreement, or list any third-party beneficiaries, to name a few objectives.

Scope of Agreement: A Scope of Agreement section usually defines the purpose of the agreement beyond what is stated in the recitals, such as the scope of work and what the data will be used for. Because this information is often more technical than contractual, Urban usually breaks out descriptive sections like this in the appendices.

Definitions: A Definitions section can define key terms in the agreement, such as data, results, and breach (and other items, such as business associate agreement for protected health information), to minimize ambiguity and provide an easy reference for the reader.

Use and Disclosure of Proprietary Information: A Use and Disclosure section will often be the crux of a data-sharing agreement, as it ensures that the data are used only for work covered by the agreement. These sections also can ensure that data are stored, used, and transferred with appropriate security safeguards. Urban’s preference in drafting these sections is to use appendices to go into further detail about specific measures and activities. This approach allows Urban to customize its data security plans to fit the scope of work.

Ownership of Proprietary Information: An Ownership section is standard in data-sharing agreements and assures data providers that all the data provided remain theirs. Sections like this can also grant licenses and rights to use and promote work done under the agreement, which can benefit both parties.

Publication of the Results: A Publication section ensures that the data provider has control over appropriate citation.

Return of Proprietary Information: This section, found in all data use agreements, ensures that the data shared are appropriately returned or destroyed once the agreement has expired.

Notice of Breach: This section, found in all data use agreements, assures the data provider that it has control and notice over its data. These sections typically require the data user to notify the data provider as soon as possible, within 24 hours at most, of a breach (i.e., unauthorized access to the data) and specify the data user’s role and the data provider’s rights in these circumstances.

Term and Termination: A Term and Termination section is standard agreement language to define how long the agreement is in effect and allows either party to terminate.

Appendices and attachments typically allow for further description and detail. They also allow an organization to customize the agreement to meet their needs while preserving the general legal terms and conditions.

Scope of Work: This type of appendix could be an open section written by the researchers in consultation with the data provider. This section should describe the details of the project or projects that can be undertaken in this agreement. More detail locks the researcher into a specific line of inquiry, and less detail allows for more freedom and the potential to share the data with other researchers within the organization.

Schedule of Data: This type of appendix could be a brief description of the data and metadata to be provided as part of the agreement, typically written by the data provider, or written by the researcher and edited by the data provider.

Data Security Agreement: A data security appendix can expand on the Use and Disclosure of Proprietary Information section in the agreement and provide more technical details concerning an organization’s data security capabilities. This appendix can provide further technical detail on how the data will be stored, accessed, and transferred; who can access the data; and how the data will be destroyed.

The benefits of a DUA template and guidelines

A DUA template saves time and provides legitimacy to Urban’s experience in this space. It also resolves two primary and immediate concerns for data providers and research organizations:

1. Privacy protection and security. Companies and researchers are justifiably wary of a potential breach. Strong language around use and disclosure of proprietary information and notice of breach makes it clear that both parties will do their utmost to prevent data breaches and, in the case of a breach, report it as soon as possible. In addition, the detailed contents of a data security plan give the data provider confidence that the data analyst has the systems and processes in place to fulfill the terms and conditions.

2. Reducing reputational risk. There are two parties in any DUA. On one side, Urban researchers will do work only as impartial analysts, and on the other, data providers do not want to reveal corporate secrets. The language in the Publication of the Results section allows researchers editorial freedom to publish any results, while the Scope of Work section allows the parties to define the study’s allowed use of the data to ensure it is a topic that aligns with the data provider’s philanthropic strategy.

This ensures that any agreement aligns with Urban’s funding principles, well-documented policies and practices that help Urban remain objective. Sections on the ownership and return of proprietary information ensure that no proprietary information is revealed, used inappropriately, or stored outside the scope of work.

How we use the DUA template at Urban

If a data philanthropist or private-sector company does not have a DUA, we use our template as a starting point. If the company does have a template, we use our template to inform our targets in the negotiations, such as the freedom to publish independently specified in the Publication of the Results section.

When we use our DUA template as a starting point, we bring in a member of our contracts team and a technology and data science security officer. Though there are many nuances to the resulting conversation, we focus on four things:

1. Preserve independence (Publication of the Results). For institutions like Urban, research independence is crucial (see our funding principles). Any language that allows a private company to alter our publications for reasons not related to privacy or confidentiality is a nonstarter.

2. Choose a long term of agreement (Term and Termination). The planning fallacy leads everyone, including researchers, to underestimate how long a project will take. When parties are just getting to know each other in the initial stages of data philanthropy and establishing trust, the timeline can be lengthy. We often set the default term of agreement at three years as a starting point, but for researchers on large projects, longer is better.

3. Write a broad scope of work. We typically start with a broad scope of work that allows as many researchers within Urban access to the data as possible within the scope of the agreement. The more researchers allowed access, the more creative ideas research teams can develop that can cross policy areas and lead to more innovative solutions. Of course, oftentimes this approach is not feasible, in which case we strive to include individuals with a diversity of skillsets as part of the research team specified in the agreement.

4. Balance usability with strong security (Data Security Agreement). The Data Security Agreement section contains a detailed write-up of the system(s) we set up to ensure the data are secure and the appropriate monitors, access instructions, and confidentiality procedures are in place. This section is typically written by a security officer at the organization receiving the data.

Our secure internal process usually fulfills or exceeds our partners’ expectations. But some data providers want more. In these cases, we work with security officers and legal personnel at the partnering organization to ensure the additional security requirements do not make it too difficult for us to analyze the data. For example, when working with big data, we might want the agreement to contain language allowing us flexibility to use our secure cloud systems. This would allow our researchers to take advantage of advanced computational capabilities to scale with the data, as opposed to specifying our more traditional capabilities on on-premises servers.

Disclaimers and notes

Although we developed our internal template with legal assistance, it is only a template and therefore does not include everything that is needed for a complete agreement. The information about the template provided here is solely an example, and none of what we say here or what is included in the template constitutes legal advice. Be sure to speak with a legal expert before drafting or executing a data-sharing agreement.

Data use agreement templates should be a starting point and nothing more. No data-sharing process involves replacing the fillers for name, address, and signature and executing the agreement; it’s never that easy. Each data provider is different, and you will need a legal representative and data security officer to help you navigate the process. At Urban, we require researchers to consult with our security officer and a member of our contracts team before sharing the completed document with external partners.

As data philanthropy continues to develop, we hope that Urban and others will share resources and best practices to ensure that society can unlock the potential of private-sector data to serve the public good.

-Graham MacDonald

-Jeffrey Lin
