Information Privacy and Security
Additional requirements may be imposed on information by federal or state law, regulation, or specific terms and conditions that apply to the award.
- Controlled Unclassified Information (CUI) including:
- Requirements for Human Subjects Research
- Classified Information
- Proprietary Information
When information is restricted, it must be secured according to standards outlined in the award, or in authorizing regulation (e.g. NIST standards under FISMA). This ongoing responsibility requires direct project oversight under the authority of the Principal Investigator. This is typically achieved through budgeting for and maintaining an IT specialist and/or Project Manager to implement and monitor that security requirements are met.
More guidance on protecting data is available from the UW Chief Information Security Office.
The University maintains information security standards and guidelines that are met through UW provided systems to meet federal regulations.
Human subjects research reviewed by the UW Institutional Review Board (IRB) are outlined in this document.
Obtaining and using identifiable UW record information for human subjects research without the consent of the subjects requires a Confidentiality Agreement, as described in this Guidance. These records may be from any UW administrative unit, such as: UW Medicine medical records, Office of the Registrar, departmental student records, Dental Clinic healthcare records, etc.
A researcher may obtain, or the UW IRB may require, a Certificate of Confidentiality (CoC) from a federal agency (such as NIH) to protect sensitive identifiable human subjects data against subpoenas and other legal actions.
Principal Investigator (PI) CoC Responsibilities
- Treat ALL information about individuals involved in NIH funded research as if a CoC applies.
- Modify, if the study is modified.
- If the collection of data continues after the award, apply to extend CoC protection.
- Review & follow guidance for Sharing/Disclosing CoC Protected Information.
NIH Funded Research
A CoC automatically applies to all active NIH funded research projects.
Data collected while NIH funding is active is permanently protected under a CoC, even after your funding has ended and your study has been completed. Review guidance for Sharing/Disclosing CoC Protected Information.
All Other Research
Researchers must apply to appropriate federal agency for a CoC. Review: Apply for, Extend, or Modify a Certificate of Confidentiality.
Research funded by the federal Department of Justice is required to obtain a Privacy Certificate, which is very similar to a Certificate of Confidentiality. See this Guidance.
Forms, Tools, and Resources
- TEMPLATE: HIPAA Authorization
- NIH: What is FISMA?
- Federal Certificate of Confidentiality (CoC) Kiosk
- Certificate of Confidentiality: Apply, Extend, Modify
- Is your project considered research?
- Does your project involve Human Subjects?
- CoC Decision Tree: Is my research subject to CoC?
- Privacy Office: European Union – General Data Protection Regulation (EU…
- Office for Human Research Protection (OHRP): EU General Data Protection…
Policy, Regulation, and Guidance
- GUIDANCE: HIPAA
- ZIPLINE GUIDANCE: Data Security Protections
- Office of the Chief Information Security Officer: Laws
- APS 2.6 Information Security Controls and Operational Practices
- National Institute of Standards and Technology (NIST) Special Publications (SPs)
- Federal Information Security Management (and Modernization) Act (FISMA)
- Family Educational Rights and Privacy Act (FERPA)
- Guidance: Certificate of Confidentiality (CoC)
- NIH: Certificate of Confidentiality