Information Privacy and Security

Additional requirements may be imposed on information by federal or state law, regulation, or specific terms and conditions that apply to the award.

Examples:

• Controlled Unclassified Information (CUI) including:
  • Export controlled information
  • Federal information
  • Student information
• Requirements for Human Subjects Research
  • Data Security Requirements
  • Personal Health Information (PHI)
  • Federal Certificate of Confidentiality
  • Privacy Certificate
• Classified Information
• Proprietary Information
• European Union General Data Protection Regulation (EU GDPR)

When information is restricted, it must be secured according to standards outlined in the award, or in authorizing regulation (e.g. NIST standards under FISMA). This ongoing responsibility requires direct project oversight under the authority of the Principal Investigator. This is typically achieved through budgeting for and maintaining an IT specialist and/or Project Manager to implement and monitor that security requirements are met.

More guidance on protecting data is available from the UW Chief Information Security Office.

The University maintains information security standards and guidelines that are met through UW provided systems to meet federal regulations.

Requirements for Human Subjects Research

Data Security Requirements

Human subjects research reviewed by the UW Institutional Review Board (IRB) is outlined in this document.

Use of Protected Health Information (PHI)

Obtaining and using identifiable healthcare record information for human subjects research must comply with HIPAA regulations. See the UW IRB’s HIPAA guidance and HIPAA Authorization form.

Federal Certificate of Confidentiality

A researcher may obtain, or the UW IRB may require, a Certificate of Confidentiality (CoC) from a federal agency (such as NIH) to protect sensitive identifiable human subjects data against subpoenas and other legal actions.

Principal Investigator (PI) CoC Responsibilities

• Treat ALL information about individuals involved in NIH funded research as if a CoC applies.
• Modify, if the study is modified.
• If the collection of data continues after the award, apply to extend CoC protection.
• Review & follow guidance for Sharing/Disclosing CoC Protected Information.

NIH Funded Research

A CoC automatically applies to all active NIH funded research projects.
Data collected while NIH funding is active is permanently protected under a CoC, even after your funding has ended and your study has been completed. Review guidance for Sharing/Disclosing CoC Protected Information.

CoC Decision Tree: Is my NIH research subject to a CoC?

All Other Research

Researchers must apply to the appropriate federal agency for a CoC. Review: Apply for, Extend, or Modify a Certificate of Confidentiality.

Privacy Certificate

Research funded by the federal Department of Justice is required to obtain a Privacy Certificate, which is very similar to a Certificate of Confidentiality. See this Guidance.