Data Use Agreement Sample (Page 3 of 3) in pdf

Data Use Agreement Sample Page 3

HHS EPLC Practices Guide - <OPDIV> Data Use Agreement (v1.0)

YYYY



Resolution of Conflicts



Concurrences, including Third Party Concurrence

Timeframe and Completion of the DUA

The HHS Enterprise Performance Life Cycle (EPLC) requires as part of a project’s Design Phase that

security documents (Certification and Accreditation [C&A], Privacy Impact Assessment [PIA], System of

Record Notice [SORN], and Computer Match Agreement [CMA] be reviewed for completeness and

accuracy. The Data Use Agreement is conditionally required as part of a project’s Design Phase. It is the

responsibility of the IT Project Manager to ensure that the System Owner prepares and/or approves the

initial DUA. The IT Project Manager and/or System Owner must then submit the DUA to the Office of the

Chief Information Security Officer (OCISO) for formal review and clearance of the DUA, and to

Institutional Review Boards of the entities involved in the data use agreement.

Practice Activities

For software development projects the following practice activities are appropriate:



Identify – Identify the need for a DUA



Document – Document the fields / systems that will be exchanged



Consistency – Ensure that data-use-agreements are consistent with the contents and format of

NHIN CONNECT DURSA agreements



Develop Agreement – Prepare the Inter/Intra-Agency Agreement (agreement between the

sending and receiving agency)



Review – Review the DUA for completeness and accuracy



Submit – Submit the DUA to the OCISO and Institutional Review Boards for formal review and

clearance

<OPDIV> Data Use Agreement (v1.0)

Page 3 of 3

This document is 508 Compliant

[Insert additional appropriate disclaimer(s)]

Data Use Agreement Sample Page 3