Information Privacy and Security
Additional requirements may be imposed on information by federal or state law, regulation, or specific terms and conditions that apply to the award.
- Controlled Unclassified Information (CUI) including:
- Requirements for Human Subjects Research
- Classified Information
- Proprietary Information
- European Union General Data Protection Regulation (EU GDPR)
When information is restricted, it must be secured according to standards outlined in the award, or in authorizing regulation (e.g. NIST standards under FISMA). This ongoing responsibility requires direct project oversight under the authority of the Principal Investigator. This is typically achieved through budgeting for and maintaining an IT specialist and/or Project Manager to implement and monitor that security requirements are met.
More guidance on protecting data is available from the UW Chief Information Security Office.
The University maintains information security standards and guidelines that are met through UW provided systems to meet federal regulations.
Human subjects research reviewed by the UW Institutional Review Board (IRB) is outlined in this document.
A researcher may obtain, or the UW IRB may require, a Certificate of Confidentiality (CoC) from a federal agency (such as NIH) to protect sensitive identifiable human subjects data against subpoenas and other legal actions.
Principal Investigator (PI) CoC Responsibilities
- Treat ALL information about individuals involved in NIH funded research as if a CoC applies.
- Modify, if the study is modified.
- If the collection of data continues after the award, apply to extend CoC protection.
- Review & follow guidance for Sharing/Disclosing CoC Protected Information.
NIH Funded Research
A CoC automatically applies to all active NIH funded research projects.
Data collected while NIH funding is active is permanently protected under a CoC, even after your funding has ended and your study has been completed. Review guidance for Sharing/Disclosing CoC Protected Information.
All Other Research
Researchers must apply to the appropriate federal agency for a CoC. Review: Apply for, Extend, or Modify a Certificate of Confidentiality.
Research funded by the federal Department of Justice is required to obtain a Privacy Certificate, which is very similar to a Certificate of Confidentiality. See this Guidance.
European Union (EU) General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) limits when and how organizations worldwide can collect, store, use, or otherwise process personal data broadly related to persons residing in the European Economic Area (EEA). It also provides individuals with certain rights regarding their personal data, such as the right to be informed, to make choices about personal data processing, to access personal data, and in some cases, to delete personal data, as well as other rights.
Forms, Tools, and Resources
- HIPAA Authorization Template
- NIH: What is FISMA?
- Is your project considered research?
- Does your project involve Human Subjects?
- CoC Decision Tree: Is my research subject to CoC?
- Privacy Office: European Union – General Data Protection Regulation (EU…
- Office for Human Research Protection (OHRP): EU General Data Protection…
Policy, Regulation, and Guidance
- GUIDANCE HIPAA
- GUIDANCE Data Security Protections
- Office of the Chief Information Security Officer: Laws
- APS 2.6 Information Security Controls and Operational Practices
- National Institute of Standards and Technology (NIST) Special Publications (SPs)
- Federal Information Security Management (and Modernization) Act (FISMA)
- Family Educational Rights and Privacy Act (FERPA)
- Guidance: Certificate of Confidentiality (CoC)
- NIH: Certificate of Confidentiality
- DOD: Cybersecurity Maturity Model Certification
- NIH: Data Management and Sharing Policy