Understanding Data Privacy and Security

Expectations outside the U.S. about what information is private, and the extent to which it is private, can be substantially different from those in the U.S.  In Europe and elsewhere (e.g., Argentina, Canada, Israel), privacy of information is seen as a human right and their data privacy and security laws are both more comprehensive and more rigorous than those in the U.S.

For guidance on how to structure your international work so that it meets relevant data privacy and security regulations, contact the Office of the General Counsel.

What are data protection laws?

Data protection laws exist within the U.S. (federal and state) and in numerous other countries.  The purpose of the laws is to regulate the use and handling of data.  For Yale faculty, staff, and students, data protection laws pose two main challenges:

  • Privacy:  how to use and share data for legitimate research and other purposes, while protecting personally identifiable information.
  • Security:  how to secure personal data in order to prevent unintentional disclosures, access by unauthorized persons, or improper use by unauthorized persons.

 

Depending upon the specifics of your international work, including whether you transmit or transport data from one country to another, you may need to comply with the data protection laws of more than one jurisdiction.

Tell me more | Provide an example

When would these laws apply to you?

Data privacy and security regulations will apply to you if you are collecting, storing, transferring, or disseminating personal information such as:

  • financial records, such as credit card, salary, banking information
  • academic data
  • personal health information
  • human resources records
  • personal data collected in the course of academic study or research.

 

Data collected, recorded, stored, transmitted, and used by Yale faculty, students and staff researching, studying or working abroad may be regulated by foreign data protection laws.  U.S. laws will apply when such data is brought into the U.S.

What are your responsibilities?

Comply with relevant laws:  if you are working with data, you must become familiar with the data protection laws that apply to your activities.  Contact the Office of the General Counsel for assistance.  Questions regarding HIPAA Privacy should be directed to Yale’s Chief HIPAA Privacy Officer; questions regarding HIPAA Security should be directed to the Information Assurance & Compliance Office (ITS Information Security Office).

 

Follow Yale's requirements:  Yale policies and procedures addressing data privacy and security apply to activity in the U.S. as well as overseas.  For a listing of these policies and related guidance (with links), click on the Related Tools and Resources section below.

 

Report concerns and incidents:  any actual or potential breach of personal data must be reported immediately to Yale's Information Security Office and to the Office of the General Counsel so that Yale can act swiftly to protect affected persons and meet regulatory reporting requirements.

What should you do to reduce the risk of non-compliance?

Use care in the collection, handling, and storage of data.  Follow these five principles for securing Yale's data:

  1. Know what data you have
  2. Scale down the data
  3. Lock it up
  4. Review your data security
  5. Plan ahead

Visit Yale ITS' Secure Computing website and apply ITS guidelines on maintaining security of data and electronic devices

 

Read and apply Yale policies and procedures addressing data privacy and protection.  The “Related Tools and Resources” section below provides a list, with links, of relevant policies and procedures.

 

Follow Yale and local IRB procedures for all human subject research and keep in mind that local (host-country) IRB requirements may differ from U.S. regulations. 

 

Request assistance.  Contact the Office of the General Counsel to ask for help on what U.S. and foreign data protection laws apply to your activities, or use the Contact Us link on the right.

What are the possible costs of a violation?

Violations of data privacy and security laws and regulations can result in potentially severe civil and criminal penalties for individual faculty and staff members, as well as for the University, including fines, imprisonment and the loss of federal funding. Reputational costs related to publicity surrounding breaches of data privacy and security can be especially damaging.

Yale policies governing data privacy and security

To view Yale’s Policies and Procedures related to specific areas of data privacy and security, click on the links below:

Related tools and resources

For guidance on maintaining the security of data and electronic devices, visit the ITS Secure Computing website and the Office of Grant and Contract Administration guidance on electronic devices and international travel.

 

For information about risks related to the transfer of data to international persons located within the U.S. (called a “deemed export”), click here.

 

For training materials related to HIPAA policies and procedures, go to Yale Training:  HIPAA.

 

For guidance on the EU Data Protection Directive, review this fact sheet on collecting data in the EU and visit the EU websites on the EU Data Protection Directive and EU-approved model contracts for transferring data outside the EU.

 

The OECD website provides guidance on data privacy and security laws, regulations and guidelines in OECD member nations.

 

The APEC website on APEC Privacy Framework and data privacy and security laws in APEC member nations.