Data Access

Data Ownership, Retention, and Access at UMass Amherst

Sen. Doc. No. 06-047


of the








Presented at the

654th Regular Meeting of the Faculty Senate

May 18, 2006

Jenny Adams

Krishna Melnattur

Iqbal Agha

John Mullin

D. Anthony Butterfield

David Ostendorf

Charles Clifton

William Patterson

Kourosh Danai

Stanley Scarpati

Andrea Foulkes

Jay Schafer

Dorothy Gilbert

Lynnette Leidy Sievert

Paul Kostecki

Carol Sprague

Mason Lowance

Jean Swinney

Michael Malone

Martha Taunton

Ernest May

Paul Utgoff, Chair

Juan Zamora


Sen. Doc. No. 06-047


Data Ownership, Retention, and Access at the University of Massachusetts Amherst

Approved by Research Council on May 5, 2006. Forwarded to Faculty Senate on May 5, 2006.


The University of Massachusetts Amherst supports a wide variety of research and scholarly activity. A fundamental component of many research investigations is the creation and use of data. It is in the interest of the research enterprise at large to make such data available to others, to the extent possible. This is important for furthering new research efforts and for enabling others to examine previous research in detail. It is in the University's interest to facilitate these processes, and to assist and protect those who conduct research and scholarly activities on behalf of the University.


External Policies and Guidelines

Various federal agencies have formulated policies regarding data ownership, retention, and access. For example, see Part C.53 of the Office of Management and Budget's (OMB) grants management circular A-110, the Council on Government Relations (COGR) document `Access to and Retention of Research Data: Rights and Responsibilities,' Chapter 6 of Steneck's  `Introduction to the Responsible Conduct of Research,'and the various requirements regarding research data stated by the National Science Foundation (NSF), the National Institute for Health (NIH), and other government funding agencies. Some publishers impose requirements on the access to data as a condition for publication.

The Amherst Campus policy (this document) applies to all campus research and researchers, regardless of funding source, if any. For sponsored research, any relevant policies of the sponsor shall apply in addition to those provided here. Any apparent conflicts of policies are to be resolved in writing and approved by the Vice Chancellor for Research and Engagement prior to accepting an award, contract, or other binding agreement.


Data Definition

Data shall be construed as all recorded information, regardless of medium, and all actual samples or examples, that were created or gathered and that could serve to influence or support a research finding or conclusion. Data does not include such items as research papers cited by the researcher, preliminary notes or paper drafts, reviews, or related communications, or items that are already the property of others. This definition is intended to characterize current research norms, not to modify them.


Data Ownership

The Amherst campus of the University of Massachusetts is the owner

or joint owner of all data that is created or collected by its employees or contractors, except when the creation or collection of such data is governed by a written agreement or contract to the contrary, approved in writing by the Vice Chancellor for Research and Engagement. Terms of the campus policy on intellectual property may apply as well.

When another research institution or entity has joint ownership rights to data, agreed in writing prior to creation of the data, the data shall be owned jointly as agreed. Each such institution shall have unfettered access rights to the original data. Such an institution not holding or serving as custodian for the original data may copy the data and own the copy.

When a creator of data ceases to be an employee or contractor of the University, the creator must leave the data in the physical possession of the owner(s), but will continue to have access rights to the data. The creator may take a copy of the data, at creator's expense.


Data Custody

The researcher(s) who created the data typically serve as the custodian of the University's data. Such researchers act on behalf of the University, without limiting the University's ownership rights. Data may not be removed from the University premises, except on a temporary basis when work occurs elsewhere, without written approval of the Vice Chancellor for Research and Engagement. The custodian of the data shall take all reasonable steps to protect the data from damage or loss, including

damage or loss due to catastrophic events. The owner of the data shall provide storage space and financial support as necessary to maintain the data. The University may elect to serve as custodian of the data, but may not limit the creator's access to those data.

Data Quality

Data shall be maintained in a manner that prevents alteration or that makes any and all alterations evident. For example, written data should be recorded in a bound notebook with numbered pages. If a datum is revised, the reason for revising it must be documented and dated. Electronic data should be kept on a read-only medium, or in a read-only mode. The creator of data should be able to document and defend any modification of the data.


Data Retention

Data shall be retained for at least three years after its creation. If the data were created as part of a sponsored research project, then the data shall be retained for at least three years after the final report to the sponsor has been submitted, or the ending date of the project, whichever is later. The data shall be retained for a longer period as dictated by any applicable policy or written agreement. If more than one minimum period of retention is deemed to apply, the data will be retained for the longest of these

periods. If the data led to the granting of a patent, then the data shall be retained for the life of the patent and its extensions. The data shall be retained while any litigation or legal action or investigation of allegations regarding it is pending. The data shall otherwise be retained for as long as anyone expresses, in writing, an interest in its retention. In no case will the data be discarded or destroyed when it is known to be in use.


Data Access

Researchers shall endeavor to make their data publicly available as soon as possible, and to the extent possible. Access may be delayed while the correctness of the data is being verified, until an initial publication based on the data appears, for the minimum period needed to file a patent application, or for any other reasonable need. Data should be released early if benefit to the public is likely.

No data may be published or made available in a form that would breach aconfidentiality. For example, the medical and financial records of an individual are private. The identity of human subjects is also typically held in confidence. The confidential aspects of confidential data are to be protected by both the custodian and the owner of the data. This may include physically securing the data. When a means of hiding the identity of a protected individual or entity is possible, say by the encoding or removal of names, such steps will taken so that the data may be made public to the greatest extent possible. If the data cannot be made satisfactorily anonymous, it shall not be made public, and the Vice Chancellor forResearch and Engagement will be informed of the existence of the data and the reasons that it cannot be made public. The creator of the data must make every reasonable effort to release the data in a useful form. If the veracity of confidential research data is challenged, the creator must cooperate with the Vice Chancellor for Research and Engagement to devise a means to satisfy the challenge. As owner, the University will defend any challenge, with the cooperation of the researcher. All applicable laws and legal protections regarding confidentiality will be obeyed.

Data that is deemed sensitive may require restricted access or other limitations. The owner and custodian of such data will comply with applicable laws.

Applicable non-disclosure agreements must be honored. However, the Vice Chancellor for Research and Engagement must approve any non-disclosure agreement ahead of time and be a co-signer. Such agreements shall generally be of limited duration, to give a sponsor sufficient time to file a patent application or for other protection.

When a collaboration comes to an end, and data was created during the collaboration, each member of the collaboration shall retain access to that data.


MOVED: That the Faculty Senate approve the Policy on Data Ownership Retention, and Access at the University of Massachusetts Amherst, as presented in Sen. Doc. No. 06-047.




Document File: 

Contingent Worker Form

Note that the Contingent Worker form for PeopleSoft is no longer sent to the Office of Research & Engagement.

Please download the Contingent Worker Form for PeopleSoft by clicking on the "Download File" link at the right. Note that the instructions for submitting this form were changed on March 12, 2018.  Please be sure to read these instructions on Page 1 carefully.

The Access to Research Electronic Data Systems page defines all other requirements to gain access to the Kuali system. When all criteria have been met, Kuali user setup will be completed and a confirmation email will be sent back the requestor indicating setup completion.


Document File: 

A Data Use Agreement (DUA) is a contractual document used for the transfer of non-public or restricted use data. Examples include records from governmental agencies, institutions or corporations, student records information, and existing human research subjects’ data.

IRB Requirements for DUAs

  • If a data use agreement is a part of the project you are submitting to the IRB, it should be noted in the protocol application and a copy of the DUA should be included in the Attachments Section.
  • The IRB can provide conditional approval of your protocol if it is needed in order to get a data use agreement signed, but final approval will not be granted until a copy of the signed data use agreement is submitted to the IRB.
  • The University of Massachusetts Amherst’s Office of Research Compliance serves as the campus signatory for data use agreements. DUAs must be routed through the Human Research Protection Office (HRPO).  The HRPO reviews and institutionally endorses DUAs to ensure compliance with appropriate policies and regulations.  HRPO will communicate with the Office of Research Compliance for the final sign-off and approval.
  • For human subjects research purposes, only the Office of Research Compliance is authorized to enter into contractual agreements, including DUAs, on behalf of the University. Researchers cannot sign (including electronic signature) data use agreements on behalf of the institution. DUAs should not be signed by University faculty or staff members in the absence of institutional approval from HRPO and the Office of Research Compliance.
    • Researchers are not authorized to negotiate or sign agreements on behalf of the University. When a researcher signs such an agreement, they could be subjected to legal and financial risks.
    • It is important for researchers to read the terms of a DUA before forwarding it to HRPO for review. It is the researcher’s responsibility to understand and follow the terms of the agreement and to only use data for purposes specified. HRPO assumes that a researcher who transmits a DUA has read and agrees to conform to those terms, whether or not the researcher’s signature is required on the DUA itself.

Importance of DUAs

  • DUAs address important issues such as limitations on use of the data, liability for harm arising from the use of the data, publication, and privacy rights that are associated with transfers of confidential or protected data and data security measures that must be met in order to ensure that the data is kept secure.
  • Assures that the recipients are using the data in accordance with applicable law.
    • Contractually obligates the recipient to use the data only for the purpose described in the DUA
  • Prevents the inappropriate use of protected or confidential information that could cause harm to research subjects, the investigator or the University.

For Human Subject Data, a DUA is typically required when:

  • Disclosure of data is for research purposes, and
  • Individual authorization for disclosure to this recipient is not/has not been obtained (i.e. through use of a subject-signed informed consent authorization), and
  • When no other form of contract concerning the data transfer exists between the provider and the recipient (i.e. sub-award agreement or a contracted services agreement)

Examples of Data that might be exchanged under a DUA include:

  • Records from governmental agencies or corporations
  • Student record information
  • Existing human research subject data

For Human Subject Data, a DUA is NOT typically required:

  • When data is publically available in public domain
  • When data is exchanged that is not subject to a legal or other restriction on its use
  •  If a research subject signs a consent authorization form that authorizes data sharing with the recipient
  • When another agreement, such as a sub-award agreement or a contracted services agreement is in place
    • Data transfer as part of such a collaborative research project is often addressed in the study protocol or in the funding agreement terms and conditions (i.e. grant, contract, sub-award, contracted services agreement, etc.). In these cases, a separate DUA is generally not necessary.

Source material for this policy guidance was provided by the University of Wisconsin-Madison Education and Social/Behavioral Science IRB. The UMass IRB gratefully acknowledges this support.


Federal regulations require the IRB to determine that research plans submitted provide adequate provisions for monitoring data collected in order to ensure the safety of subjects.  Monitoring should be commensurate with risks and with the size and complexity of the trials.  Phase III clinical trials generally require a data and safety monitoring board.  Investigators involved in Phase I and II clinical trials must submit a general description of the data and safety monitoring plan as part of the research application and as part of the protocol submission to the IRB.  The following template is provided for UMASS investigators as a guide to developing a data and safety monitoring plan.

I.  Protocol Title

II. Oversight of this Investigation will be provided by person’s name, department, title, contact information

III. Purpose of the Study may use protocol abstract

IV. Assessment of Level of Risk

  • Estimate risk level (minimal, moderate, high) and briefly discuss risk considerations relevant to your protocol.
  • Adapt the monitoring plan based on the risk. Use the following information as guidance only. Check with the IRB for final risk assessment.

a) Minimal Risk: All protocols presenting the potential of risk to subjects, even minimal risk, should address how the investigator will monitor risk and report adverse events. A minimal risk study is defined as one where the probability and magnitude of harm and/or discomfort in the proposed research are not more than ordinarily encountered in daily life or during the performance of routine physical or psychological examinations or tests. Minimal risk studies may include non-therapeutic studies such as survey research, questionnaires, blood samples (venipuncture or intravenous catheter insertion), observational studies, DEXA scans, routine MRI scans, special diets, exercise testing, EKG’s, and anthropomorphic evaluations.

However: survey research and questionnaires may present more than minimal risk to subjects if they address highly sensitive information. inclusion of special populations (children, prisoners, pregnant women mentally disabled persons, or economically and/or educationally disadvantaged persons) who may be more sensitive or vulnerable to the risks posed by the research, regardless of the study, may increase the level of risk to moderate or high.

Monitoring Plan for Minimal Risk research does not require an independent Data and Safety Monitoring Board (DSMB). Monitoring is the responsibility of the investigator.

b) Moderate Risk: Moderate risk studies exceed the minimal risk, but constitute less risk to the subject than studies with the potential for serious risks to subjects. Moderate risk studies may include phase I, II or phase III multi-institutional trials, studies using drugs for their indicated use, studies that use invasive hemodynamic monitoring with arterial lines, and studies in which blood and tissue specimens are stored. Studies in which blood is drawn for genetic studies, either real time and/or stored for later use are also deemed to present risk to subjects.

Monitoring Plan for Moderate Risk will, in most cases, require independent safety monitoring. For some strictly genetic studies, in targeted populations, the investigator may serve as the monitor. For small, moderate risk studies, monitoring might be performed by an independent investigator who is an expert in the agent being studied and the patient population.

c) High Risk: Protocols presenting the potential for serious risks and adverse events may include clinical trials using investigational agents, gene transfer studies, studies using FDA-approved agents for non approved indications; Phase I clinical trials; studies requiring investigator-initiated IND’s (investigational new drug) or IDEs (investigational devices); and some Phase II clinical trials.

This category may include studies involving procedures in which there is a high risk for adverse events such as conscious sedation or interventional radiology. Studies in which some or all subjects are at risk of death or severe morbidity because of existing illness or disease are also considered high risk.

Monitoring Plan for High Risk research may require a DSMB. For example, in large, blinded studies involving high risk or special populations a DSMB should be constituted. For some high risk studies, monitoring might be performed by a single, independent investigator who is an expert in the agent being studied and the patient population.

V. Plan for Monitoring Safety/Confidentiality

  • Specify the name and contact information of the individual responsible for monitoring the safety environment of the participants (PI, or additional monitoring personnel)
  • Specify any conditions that would necessitate early termination of the study (i.e. some clinical trails require documentation of stopping rules that might be used if the participants are found to be exposed to excessive risks in relation to anticipated benefits).
  • Specify what you will monitor, for example:
    • State that only subjects who meet the study eligibility criteria are enrolled.
    • The informed consent process will be conducted appropriately and that informed consent will be obtained prior to proceeding with any study procedures. Monitor any problems with informed consent.
    • Data will be collected and analyzed as specified in the protocol.
    • Adverse events will be reviewed promptly and reported as required (see Section VII below).
    • Discuss how privacy and confidentiality of subjects will be maintained. Indicate your plan to protect the private health information from improper use and disclosure (e.g. assign study numbers, de-identification process, locked storage, etc.).
    • Documentation of dropouts.
    • Evaluation of primary and secondary endpoints.

VI. Plan for Data Management

  • Indicate who is responsible for collection and storage of data.
  • Describe how data will be organized, managed, and stored. Security measures used to protect study data from loss or inappropriate use (password protection, restricted access to database, database backup etc.).
  • Include a description of how often interim data will be reviewed and by whom.
  • Indicate who will perform aggregate analysis of data and adverse events, if applicable.

VII. Adverse Event

  • Describe the anticipated adverse events listed in the Consent Form for this protocol.
  • Indicate that you will follow the Adverse Event guidelines  and the Significant Adverse Event Report Form, and, in so doing, will report to the UMASS IRB and to NIH as required.
  • Indicate how adverse events will be identified, for example, interviewing subjects, physical exams, laboratory results, safety test etc.
  • Include the scale that will be used to grade the severity attribution of adverse event. The Common Toxicity Criteria (CTC) scale below is typically used:

0 = No adverse event or within normal limits

1 = Mild AE, not requiring treatment

2= Moderate AE, resolved with treatment.

3= Severe AE, resulted in inability to carry on normal activities and required professional medical attention

4= Life threatening or disabling AE

5= Fatal AE

  • Attribution of Adverse Events Categories : Indicate a scale to be used to attribute the relatedness of the experience to the study procedures/interventions. The following is a common reference:

Definitely related
Probably related
Possibly related
Probably not related
Definitely not related

VIII. Protection of Human Research Participants-Computer Based Training

The University of Massachusetts Amherst Institutional Review Board will approve this plan, with the project protocol, prior to implementation of the study.