Educational content only. Always follow the approved protocol, sponsor SOPs, applicable regulations, and local requirements.

Resources
Article·13 June 2026·6 min read·Last reviewed Jun 2026

DTA vs DTS: Essential Documents for External Data Transfers in Clinical Research

A complete guide to Data Transfer Agreements (DTA) and Data Transfer Specifications (DTS) - what each document contains, when each is required, how to choose between them using a risk-based framework, and a step-by-step implementation process.

ICH GCP E6(R2)FDAEMACDISC Standards
DTA vs DTS: Essential Documents for External Data Transfers in Clinical Research — 1 of 10
1.0×
1 / 10

Introduction

External data in clinical trials rarely stays within a single system. Lab results, ePRO data, IRT randomisation records, ECG waveforms, and imaging data all require governance - built through two essential documents: the Data Transfer Agreement (DTA) and the Data Transfer Specification (DTS).

The requirement for documented oversight of external data handling is grounded in ICH GCP E6(R2) Section 5.5, which places responsibility for data integrity on the sponsor regardless of which system or vendor generates the data. Many organisations use a Master DTA (covering the governance framework for the vendor relationship) with study-specific addenda for each individual study transfer.

Even if data is not uploaded into the EDC, it is still part of the study evidence trail and must be controlled.

Why External Data Governance Matters

Without structured governance over external data transfers, several risks emerge: data integrity failures from inconsistent formats or missing records, role ambiguity when discrepancies arise, inconsistent handling across transfers, inspection risk from inadequate documentation, and patient safety impact from delayed or incorrectly handled safety data.

Strong data transfer governance ensures data integrity and reliability, clear roles and accountability, consistent handling and quality across transfers, inspection readiness, and better decision-making based on complete verified data.

What Is a DTA?

A Data Transfer Agreement (DTA) is a governance document that defines the responsibilities, expectations, and accountabilities for the exchange of data between parties.

DTA = Agreement on HOW data will be transferred and WHO is responsible for WHAT.

A DTA governs the process between parties, addressing: Roles and Responsibilities · Transfer Method and Frequency · Issue Management and Escalation · Security and Privacy · Approvals and Reconciliation · Quality and Acceptance Criteria.

Minimum Requirements - DTA

  1. Study Information - protocol title, sponsor, CRO, vendor, system

  2. Purpose and Scope - why data is transferred and how it will be used

  3. Roles and Responsibilities - sender, receiver, data owner, contacts

  4. Data Description - types of data included in the transfer

  5. Transfer Method and Frequency - SFTP, portal, API, manual

  6. Security and Privacy - de-identification, PHI handling, access controls

  7. Quality Control - test transfer, QC checks, acceptance criteria

  8. Issue Management - missing, late, incorrect, or duplicate file handling

  9. Correction and Change Control - how corrected data and changes are managed

  10. Reconciliation - with EDC or other source system as applicable

  11. Retention and Archival - storage location and retention period

  12. Approvals and Signatures - all relevant parties

A DTA is about accountability, governance, and expectations.

What Is a DTS?

A Data Transfer Specification (DTS) is a technical document that defines the structure, format, content, and rules for the data being transferred.

DTS = Specification of WHAT data will be transferred and HOW it must be structured.

Minimum Requirements - DTS

  1. File Information - file name convention, format, versioning

  2. Data Structure - record level, file layout, dataset list

  3. Key Identifiers - study, site, subject, visit, sample, session

  4. Variable Specifications - name, label, type, length, format for every variable

  5. Units and Code Lists - controlled terminology, reference lists

  6. Date/Time Rules - format, time zone, 24-hour convention, DST, partial dates

  7. Missing Data Rules - allowed codes, blanks, not-done conventions

  8. Validation Rules - range checks, mandatory fields, logic checks

  9. Reconciliation Rules - match keys, EDC alignment, acceptable windows

  10. Duplicate Handling - identify, flag, or remove duplicate records

  11. Correction/Supersede Rules - how updated data replaces prior data

  12. QC Responsibilities - who checks, who approves, how it is logged

  13. Archival and Retention - final file location, retention period, version control

A DTS is about data structure, standards, and quality rules.

DTA vs DTS - At a Glance

AspectDTADTSPurposeGovern the process and responsibilitiesDefine the data and technical detailsScopeWho does what, when, how, and with what commitmentsWhat data, in what format, structure, and with what rulesNatureGovernance / Operational / Sometimes contractualTechnical / Data / ProcessFocusParties, roles, frequency, security, issue managementFile layout, variables, validation rules, naming, reconciliationKey QuestionWho will send, receive, manage, and own the data?What exactly is in the file and how must it be used?When UsedHigh-risk or critical transfers, recurring exchangesWhenever data are transferred, loaded, transformed, or reconciled

High-risk transfers often require BOTH DTA and DTS.

When Are They Required?

DTA required or strongly recommended when: Vendor sends data on a recurring or ad hoc basis · Data are safety-critical, analysis-critical, or regulated · Data will be imported into EDC or submitted · Reconciliation is expected · Third-party service providers are involved.

DTS required when: Data are transferred, downloaded, or received · Files are loaded, transformed, reconciled, or reviewed · Data are used for analysis, reporting, or listings · Technical understanding and QC rules are needed · Even when data are not uploaded into the EDC.

Both documents are recommended for high-risk, high-frequency, or regulated transfers.

Decision Framework: DTA vs DTS vs Both

Risk LevelCharacteristicsDocument RequiredHigh Risk or Critical DataSafety data, submission data, high frequencyDTA + DTSMedium Risk or Recurring DataRegular transfers, analysis-relevantDTA + DTS (consider both)Low Risk or One-Time DownloadAd hoc, archive-only, manualDTS (lightweight) or DMP-only with documented rationale

Risk-based approach = right level of control. Document all decisions with rationale and approval.

How to Implement - Step by Step

  1. Identify External Data Sources - list all sources, systems, vendors, and data types at study setup

  2. Define Data Use and Requirements - how will data be used and what are the critical elements?

  3. Decide DTA / DTS / Both / DMP-only - apply the decision framework; document the rationale

  4. Define Roles, Process, and Technical Details - document responsibilities, timelines, QC, reconciliation, issue handling

  5. Execute Transfer and Perform QC - receive/download data, run validation, reconcile, log issues, obtain acceptance

  6. Maintain Records and Close Out - archive final files, logs, approvals, and formally close the transfer

Principle: Plan well. Agree clearly. Transfer securely. Check thoroughly. Archive reliably.

Minimum evidence package: Transfer/Download Log · QC and Validation Log · Reconciliation Log · Issue and Resolution Log · Approved DTA and DTS · Final Accepted Files · Superseded/Corrected Files · Archive Confirmation.

Summary

The DTA and DTS serve complementary and non-overlapping roles:

  • The DTA governs the relationship and process between data-transferring parties

  • The DTS governs the structure and quality of the data itself

Both are required for high-risk, high-frequency, safety-critical, or submission-relevant transfers. A risk-based decision framework determines what is needed for lower-risk transfers.

Govern the process. Define the data. Ensure quality. Protect integrity.

0 views·0 likes·
Share
dtadtsdata-transfervendor-managementcdmclinical-data-managementgcpregulatory

About the Author

NG

Neel Gajjar

CCDM®

Clinical Data Manager II

Clinical Data Manager specialising in EDC systems, CDISC standards, and GCP-compliant data governance. Creator of the Clinical Research Learning Hub — a platform built to make rigorous clinical research education accessible to every professional in the field.

Connect on LinkedIn

All content is expert-written and SME-reviewed. Regulatory references are verified against current ICH GCP E6(R2), FDA, and EMA guidance.

Comments

Leave a comment

Comments are reviewed before appearing.0/2000