Data Protection Laws
Yale faculty and students conduct a series of interviews in Denmark (or many other European and non-European countries) resulting in the collection of personal data for a research project. Issues raised include:
- Obtaining both Yale and local IRB approval for human subject research outside the U.S. (including local IRB approval to conduct oral histories in Europe).
- Disclosure to the subjects of the research that their personal data is being used and for what purpose, obtaining their clear consent, and allowing them access to view it and correct it as appropriate.
- Ensuring the security of the data that is collected (whether electronically or otherwise).
- Use of the data only for the specific purpose for which it was collected and making sure the data is destroyed once it is no longer needed.
- Meeting applicable reporting requirements to host-country regulators.
- If the data is health-related, compliance with Yale’s HIPAA policy and procedures.
Yale graduate students working at a health clinic in Ethiopia wish to bring patient medical data back into the US for research. Issues raised include:
- Compliance with Yale’s policy on Use and Disclosure of PHI for Research Purposes (HIPAA Policy 5032) and other Yale HIPAA policies and procedures as applicable.
- Determining what Yale and local IRB approvals would be required.
- Determining whether patient authorizations would be required.
- Meeting applicable local data security and privacy requirements and expectations.
Yale faculty, student or staff member brings a laptop on an international trip. The laptop contains personal identifying information (e.g., research data or personnel records). Local customs officials seize the laptop. Issues to consider: