Data Protections: Privacy, Security, Proprietary
At a minimum, a Data Use Agreement (DUA) must be in place whenever there are restrictions for: Information Privacy, National Security, Protecting Commercial, Proprietary, or Confidential Interests in Data.
In some cases there are additional guidelines or requirements which must be followed before a DUA can be put into place. Review the following guidance on these topics for next steps and more information.
Topics Covered:
- Information Privacy
- Information Security / National Security
- Protecting Commercial, Proprietary, or Confidential Interests in Data
Information Privacy
Information Privacy Topics:
Protected Health Information & HIPAA
HIPAA protects the privacy of individually identifiable information, sets standards for the security of electronic PHI, and includes breach notification rules.
Researchers that will obtain and use protected health information (PHI) must obtain: (a) authorization from the participant; or (b) a waiver of authorization granted by an IRB, unless the PHI is:
- de-identified;
- a limited data set; or
- from decedents.
Many UW researchers are also health care providers at a UW covered entity. These researchers follow all policies, procedures, and requirements about the research use of PHI, such as prior IRB approval and a waiver of authorization, even for one’s own patients, and following all UW Medicine Honest Broker requirements.
Please see GUIDANCE HIPAA from the UW’s Human Subjects Division (HSD) for additional information.
UW Medicine Clinical Research Data
UW Medicine maintains policies regarding use of UW Medicine clinical data in research.
- Honest Broker: An honest broker is an individual or group acting on behalf of a covered entity to search the entity’s health care records, collect PHI, and make the PHI available to researchers. The PHI may be de-identified, coded (with the researcher having no access to the code link) or identifiable. The Honest Broker acts as a gatekeeper and must be independent of the research team.
- Release of UWM Clinical Data for Research Purposes: This policy defines clinical data, which is broader than PHI, and the circumstances when such data can be used for research purposes.
Questions?
Contact ritdatahelp@uw.edu with questions on the Honest Broker process or the Release of UWM Clinical Data for Research Purposes.
Federal Certificate of Confidentiality
Information, including PHI, that is covered by a Certificate of Confidentiality receives the following additional protections. Sharing is not allowed:
- as part of a Federal, State, local civil, criminal, administrative, legislative or other proceeding
- to any other person not connected with the research
Review: more guidance on Certificate of Confidentiality (CoC) from the UW’s Human Subjects Division.
European Union - General Data Protection Regulation
The EU GDPR limits when and how organizations worldwide can collect, store, use, or otherwise process personal data of persons residing in the European Economic Area (EEA). Please review more information from UW IT on European Union General Data Protection Regulation, including how it may impact access and use. If you carry out a UW activity that involves sharing personal data subject to EU GDPR, you will need to consider a Data Processing Agreement.
If you will be handling incoming personal data subject to the EU GDPR, as a processor or controller, the party providing such data may require certain contractual clauses. For a sponsored program, these terms would be placed in the sponsored research agreement or related DUA by the providing party.
When routing an eGC1 to OSP and you are aware personal data subject to EU GDPR will be involved, please select the checkbox next to “Other Sensitive Information” under D-1. Ensure you are completing a privacy assessment with the UW Privacy Office if the data handling is considered high-risk data processing.
FERPA
Researchers who obtain records from schools are responsible for contacting the schools to make sure that the research will comply with FERPA requirements.
Please see more from the Academic Data Management Office.
Youth-Involved Research
UW-Led Youth-Involved Research includes any study that involves:
- personnel acting on behalf of UW;
- youth human subjects (under age 18); and
- collecting data from youth, analysis of identifiable youth data, or other interactions with youth that occur as part of UW’s involvement.
Please see more information on Youth Research Requirements or contact the Youth Protection Coordinator.
Information Security / National Security
Information Security / National Security Topics:
Foreign Interests
There may be restrictions or prohibitions on the sharing of data to foreign parties. Please see Foreign Interests and Sponsored Programs for more information.
Classified or Restricted Research
There are restrictions and prohibitions for sharing classified federal contract information (FCI) or Controlled Unclassified Information (CUI). These are typically assessed at the proposal stage; please review proposal stage guidance on Classified or Restricted Research.
Protecting Commercial, Proprietary, or Confidential Interests in Data
In general, all research data are considered open access and available in the public domain. See UW Policy on Open Access. However, there are commercial and proprietary interests considered in sponsored research contexts.
Protecting Commercial, Proprietary, or Confidential Interests in Data Topics:
Sponsors or Third Party Data
Data from sponsors or third parties coming into the UW for use on a sponsored project often requires protection for proprietary purposes. Sponsors typically provide a license to us within a sponsored research agreement or will provide a data use agreement.
Review more information on Data Use Agreements and Agreement Types.
Research Data Developed by the UW
Research data are not typically considered intellectual property. However, all UW research data are owned by the UW, except as otherwise provided by an agreement, law, regulations, or policy, and in some cases protected by copyright. See GIM 37 Research Data.
Open Use & Open Access
Generally, research data developed under a UW sponsored project are required to be open use or available in the public domain. See UW Libraries Guide on Open Access.
Certain sponsors include public access, open use, or open access requirements as a condition of award.
Some examples include:
Open Source
Some sponsors may require terms in agreements for open source licensing of software. When this happens, your OSP reviewer will request the Principal Investigator to acknowledge and sign the UW IP Disposition Memo (also referred to as the GIM 40 Memo).
UW’s CoMotion also provides detailed guidance on Open Source Licensing at the UW.
Data Protections for Proprietary Purposes
Research data is not usually eligible to be protected as standalone commercial innovations. However, data can carry key information necessary to securing intellectual property protection. Additionally, it is important to understand how the parties to an agreement are defining “data”. If the agreement broadly defines data to include innovations, UW Intellectual Property policies apply. See for details:
Policies, Regulation, and Guidance
- Compliance for Proposals & Agreements
- Classified or Restricted Research
- Agreement Considerations
- Genomic Data Sharing
- Executive Order 8: Classified, Proprietary, and Restricted Research
- Executive Order 36: Patent, Invention, and Copyright Policy
- APS 2.6 Information Security Controls and Operational Practices
- UW-IT Information Security: Sharing Data