UW Research

Information Privacy and Security

Additional requirements may be imposed on information by federal or state law, regulation, or specific terms and conditions that apply to the award.

When information is restricted, it must be secured according to the standards set out in the award or in the authorizing regulation (e.g. NIST standards under FISMA). Meeting these standards is an ongoing responsibility that requires direct project oversight under the authority of the Principal Investigator. This is typically achieved by budgeting for and maintaining an IT specialist and/or Project Manager who implements the security requirements and monitors that they continue to be met.

More guidance on protecting data is available from the UW Chief Information Security Office.

The University maintains information security standards and guidelines; these are met through UW-provided systems that are designed to satisfy federal regulations.

Requirements for Human Subjects Research

Data Security Requirements

Data security requirements for human subjects research reviewed by the UW Institutional Review Board (IRB) are outlined in this document.

Use of Protected Health Information (PHI)

Obtaining and using identifiable healthcare record information for human subjects research must comply with HIPAA regulations. See the UW IRB’s HIPAA guidance and HIPAA Authorization form.

Federal Certificate of Confidentiality

A researcher may obtain, or the UW IRB may require, a Certificate of Confidentiality (CoC) from a federal agency (such as NIH) to protect sensitive identifiable human subjects data against subpoenas and other legal actions.

Principal Investigator (PI) CoC Responsibilities

NIH Funded Research

A CoC automatically applies to all active NIH-funded research projects. Data collected while NIH funding is active remain permanently protected under the CoC, even after the funding has ended and the study has been completed. Review guidance for Sharing/Disclosing CoC Protected Information.

CoC Decision Tree: Is my NIH research subject to a CoC?

All Other Research

Researchers must apply to the appropriate federal agency for a CoC. Review: Apply for, Extend, or Modify a Certificate of Confidentiality.

Privacy Certificate

Research funded by the federal Department of Justice is required to obtain a Privacy Certificate, which is very similar to a Certificate of Confidentiality. See this guidance.

European Union (EU) General Data Protection Regulation (GDPR)

The European Union (EU) General Data Protection Regulation (GDPR) limits when and how organizations worldwide can collect, store, use, or otherwise process personal data broadly related to persons residing in the European Economic Area (EEA). It also provides individuals with certain rights regarding their personal data, such as the right to be informed, to make choices about personal data processing, to access personal data, and in some cases, to delete personal data, as well as other rights.

Learn More: