Data Sharing Agreements (DSAs) are administrative controls used by the Defense Health Agency (DHA) to document that the requested use of data managed by DHA is in compliance with Federal law and implementing Department of Defense (DoD) policies. Note that the DHA Privacy Office does not provide data extractions or grant system access. The Data Custodians who grant access to data require a DSA. The DHA Privacy and Civil Liberties Office (Privacy Office) reviews and approves DSAs based upon compliance with these policies. The DSA:
• Documents the responsibilities of the requestors, including the Government Sponsor and Applicant/Recipient
• Provides the requestors with clear terms and conditions for approval
Who Needs a Data Sharing Agreement
A Data Sharing Agreement (DSA) or Data Use Agreement (DUA) is required for work and/or research involving contractors (e.g., non-government or non-military personnel) who will be handling certain types of data managed by the DHA. DHA-managed data includes De-identified data, Personally Identifiable Information (PII), Protected Health Information (PHI), and/or Limited Data Sets (LDS). A DSA is also required for government-only research.
A DSA is not required for Business Associates nor for those requesting De-identified Data.
How to Request a DSA
Before submitting a DSA application (DSAA), a Prerequisite Checklist must be completed and signed. Business Associates will not be required to submit an application but will be required to complete the Prerequisite Checklist. A DSA is requested by submitting a DSAA endorsed by both an Applicant/Requestor and a Government Sponsor. Once the DSAA is approved, it becomes part of the executed agreement provided to the Requestor and a Government Sponsor.
Submit Prerequisite Checklists and DSAAs to the DHA Privacy Office via email.
Applicant Role
The Applicant is the individual, usually a contractor, who has primary oversight and responsibility for the data.
• For projects involving subcontractors, even when the data is solely handled by subcontractors, the DSAA Applicant must be an employee of the prime contractor
• For projects with more than one prime contractor, a DSAA must be completed for each contracting organization that requires data for the project
• The Applicant is referred to as the Recipient in the final approved DSA
Government Sponsor Role
The Government Sponsor is the point of contact who assumes responsibility for the project/data use described in the DSAA. This role can be filled by a civilian within the government or a uniformed Service member.
Memorandum of Agreement (MOA)
The DHA Privacy Office serves as the main point of contact for data sharing requests, data sharing arrangements with private entities, and research projects. The Support Agreements Manager (SAM) handles MOAs for recurring data sharing arrangements with other DoD agencies, Federal agencies, and state and local governments. The DHA Privacy Office and the SAM have established a process for reviewing MOAs which involve sharing personally identifiable information or protected health information (PII/PHI).