Skip to Main Content

Data Sharing and Transfer

Information related to institutional, publisher, and grant-funder data sharing workflows, contacts, and policies.

Data Sharing FAQ

What is a Data Sharing Agreement?

A Data Sharing Agreement is a contract that documents what data will be shared, who it is being shared with, and the ways that the data can be used. It is intended to protect the person sharing the data and to ensure the data is not misused, e.g., all privacy policies and laws are followed by the data recipient. 

A Data Sharing Agreement can also be referred to as a Data Transfer Agreement or a Data Use Agreement. 

What does a Data Sharing Agreement include? 

A Data Sharing Agreement should include: 

  1. If the data is being shared with the understanding that its originator will be acknowledged in any future publications that makes use of the data. 
  2. If the data is being shared with the understanding that both parties are entering into a collaboration and will be co-authors on future publications that make use of the data 
  3. If the data is being shared with the understanding that it may result in a future collaboration. This is only necessary in situations where the person requesting the data is still unsure if that data will be useful for their work. 

Do I need to use a Data Sharing Agreement if I am sharing with another researcher at NYU Langone Health?

A Data Sharing Agreement is not required to share data with another NYU Langone Health researcher. 

However, outlining the terms of sharing (i.e. acknowledgement vs. co-authorship) is good practice for research collaborations even if a Data Sharing Agreement is not required by NYU Langone Health. The National Cancer Institute (NCI) provides templates for Collaborative Agreements (available in the appendix of the Collaboration and Team Science Field Guide).

Do I need to use a Data Sharing Agreement if I am sharing with my students?

A Data Sharing Agreement is not required to share data with your students. 

However, you may want to consider how long your students will be with you and how long their project will take. If the student leaves the institution, it may become necessary to implement a Data Sharing Agreement 

I have co-authors. What are my obligations to them if I share my data?

Ownership of research data should be spelled out in any collaboration before the start of data collection, and the templates for Collaborative Agreements (available in the appendix of the Collaboration and Team Science Field Guide) from NCI can help establish the terms for a collaborations. 

If you have documentation that indicates your ownership of the data, best practices still dictate that you inform collaborators that you are sharing the data. 

Is it necessary to get IRB approval to share my data?

If your data is from human subjects based research and your data contains identifying information, you will need to contact the IRB before sharing your data. 

If your data is from human subjects based research and your data is de-identified, it may still be prudent to contact the IRB to ensure that you have properly de-identified your data before sharing it. 

I am sharing my data with a researcher at another institution. Should I contact the IRB at NYU Langone Health or should they contact the IRB at their institution?

Both the IRB at NYU Langone Health and the IRB at the other institution should be contacted about sharing the data. 

What level of de-identification is necessary in order for the NYU IRB to consider them fully de-identified?

HIPAA provides guidance on two methods of de-identification: the Safe Harbor Method and Expert Determination Method. The Expert Determination Method requires that a person with knowledge of statistical scientific principle for rendering information not individually identifiable use and document those principles so that the dataset cannot be re-identified. The Safe Harbor method requires that researchers remove the following data points from a dataset: 

  1. Names
  2. All geographic subdivisions smaller than a state except for the initial three digits of the Zip code with exceptions
  3. All elements of dates, except year, for dates that directly relate to an individual, including birth date, admission date, discharge date, and death date with additional requirements for age
  4. Telephone numbers
  5. Vehicle identifiers and serial numbers, including license plate numbers
  6. Fax numbers 
  7. Device numbers
  8. Email addresses
  9. URLS
  10. Social security numbers
  11. IP addresses
  12. Medical record numbers
  13. Biometric identifiers, including finger and voice prints
  14. Health plan beneficiary numbers
  15. Full-face photographs and any comparable images
  16. Account numbers
  17. Any other unique identifying number, characteristic, or code
  18. Certificate or license number