Data Protection Laws

Data protection laws exist within the U.S. (federal and state) and in numerous other countries.  The purpose of the laws is to regulate the use and handling of data.  For Yale faculty, staff, and students, data protection laws pose two main challenges:

  • Privacy:  how to use and share data for legitimate research and other purposes, while protecting personally identifiable information.
  • Security:  how to secure personal data in order to prevent unintentional disclosures, access by unauthorized persons, or improper use by unauthorized persons.

Data collected, recorded, stored, transmitted, and used by Yale faculty, students and staff researching, studying or working abroad may be regulated by foreign data protection laws.  U.S. laws will apply when such data is brought into the U.S.

In the U.S., data privacy and security regulation is legislated by sector (or type of data), resulting in a series of data protection laws that each address the privacy and security needs of a specific category of data.  Some of the main federal laws that provide for data protection include the Health Insurance Portability and Accountability Act (medical records), the Family Educational Rights and Privacy Act (educational records), the Fair Credit Reporting Act (consumer reporting data), and the Federal Information Security Management Act (FISMA) (federal data).

State laws also provide for data protection and include legislation, for example, on data security breaches and protection measures for sensitive personal information such as social security numbers.

Because U.S. data protection is handled by sector, definitions of what kinds of data are covered vary from one law to the next.  Generally, however, the following kinds of personally identifiable information receive protection under one or more U.S. laws:

  • educational data
  • financial records
  • medical history
  • criminal history
  • employment history
  • any data that can be used to determine someone’s identity including name, social security number, date and place of birth, and mother’s maiden name.

Last updated: 12/11/2017

The European Union’s General Data Protection Regulation (GDPR) is a new regulation that went into effect on May 25, 2018.  The regulation provides protection for persons regarding the processing of their personal data.  The GDPR replaces a 1995 EU Directive regarding data protection.

When might the GDPR apply to my Yale activities? 

The GDPR applies to individuals and organizations based in the European Economic Area (“EEA”) and non-EEA organizations that process the personal data of individuals in the EEA.  The EEA includes the 28 states of the EU as well as:  Iceland, Liechtenstein, Norway and Switzerland.

For non-EEA entities such as Yale, the law will apply when personal data is processed in connection with either: 

  • Offering goods or services to individuals in the EEA; or
  • Monitoring the behavior of individuals in the EEA

The GDPR may also apply to Yale activities if Yale is collaborating with an institution in the EEA, even if Yale is neither directly offering goods or services to individuals in the EEA, nor monitoring the behavior of individuals in the EEA.    

What is personal data?

Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual rather than a company).  Such data could include, for example, the individual’s name, e-mail address, identification number, or photograph.  Personal data also includes an IP address or a cookie number.  Under the GDPR, an individual whose personal data is being processed is also known as a “data subject.”

Certain categories of personal data get even more protections under the GDPR due to the sensitive nature of this data.  Examples include:  information about a data subject’s race or ethnic origin, health, genetics, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.  Information about criminal convictions is also more protected. 

Under the GDPR, more data is likely to be considered personal data than under U.S. privacy laws.  For example, in contrast to U.S. law, “pseudonymized data” (i.e., coded data) is “personal data” even in cases where an institution such as Yale does not have access to the key-code.  Only if there is no key-code in existence, anywhere in the world, is the data sufficiently anonymized that the GDPR will not apply.

What is processing? 

Processing is any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.

What does the GDPR require? 

The GDPR’s requirements are complex.  If you believe that you are or will be processing data of individuals in the EEA, please send an email to iocc@yale.edu.  The Office of General Counsel can assist you with incorporating the GDPR’s obligations into your activities and processes.  Typically, your department will perform a privacy assessment and make any appropriate modifications. 

As an example, one of the GDPR’s requirements is that all personal data being processed have a “lawful basis.”  Examples of lawful bases include:

  • The data subject consented to the processing.
  • The data processing is necessary for the performance of a contract to which the data subject is a party.
  • The data processing is necessary for the legitimate interests of Yale or a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject.

The list above is not exhaustive but rather includes some of the lawful bases most likely to be relevant to a U.S. university.

Last updated: 02/20/2014

What is China’s PIPL?

PIPL is the Personal Information Protection Law of the People’s Republic of China, effective November 1, 2021.  Like the GDPR and other international privacy laws, China’s PIPL protects the privacy and security of the personal information of individuals in China.

When might PIPL apply to my Yale activities?

PIPL applies to individuals or organizations that handle identifiable personal information of individuals located in China.  Yale researchers or programs that collect identifiable personal information of individuals who are located in China are required to comply with the new law.

What is Identifiable Personal Data under PIPL?

Any information about a person from which it is possible to identify a specific natural person is considered to be identifiable personal data.  This definition includes names, email addresses and identification numbers, as well as data that has been pseudonymized with a code that links the data back to identifiers.

In addition, certain personal information is considered to be sensitive and requires additional protection.  Information that, if disclosed inappropriately, may lead to personal discrimination or harm is considered to be sensitive.  Sensitive data includes biometric information, religious beliefs, race and ethnicity, medical health information, financial information, location tracking and information on minors under 14 years of age.

What is required under China’s PIPL?

PIPL has a number of requirements including:

  • Explicit consent for each proposed use and the export of personal information outside China. 
  • Secure storage and transmission of the data
  • Breach reporting
  • Timely response to data subject rights requests
  • Requirements to register a local data contact

What steps should I take if a Yale project will involve collection of data about individuals in China?

The PIPL is a new law and some aspects are still in development.  If you are collecting or plan to collect data on individuals in China, please contact IOCC@yale.edu for assistance.

Last updated: 11/12/2021

Yale faculty and personnel conducting business, educational, or research activities outside of the United States should inquire as to the applicability of local laws in the country where the work is located.

Certain non-EU countries (e.g., Argentina, Canada) have followed the EU model and have created comprehensive laws regarding data privacy and security that may affect Yale research or activities in those countries.  Even in countries with less stringent regimes (e.g., Australia, Brazil, Israel, Russia), there may be data privacy and security requirements that Yale personnel must be aware of before collecting, storing, transferring or disseminating personal information.

It is important to note that in certain cases, compliance with both U.S. and host-country laws may be required.

Use care in the collection, handling, and storage of data.  Follow these five principles for securing Yale’s data:

  1. Know what data you have
  2. Scale down the data
  3. Lock it up
  4. Review your data security
  5. Plan ahead

Visit Yale ITS’ Secure Computing website and apply ITS guidelines on maintaining the security of data and electronic devices.

Follow Yale and local IRB procedures for all human subject research and keep in mind that local (host-country) IRB requirements may differ from U.S. regulations. 

Request assistance.  Contact the Office of the General Counsel for help determining which U.S. and foreign data protection laws apply to your activities.

Scenarios

Yale faculty and students conduct a series of interviews in Denmark (or many other European and non-European countries) resulting in the collection of personal data for a research project.  Issues raised include:

  • Obtaining both Yale and local IRB approval for human subject research outside the U.S. (including local IRB approval to conduct oral histories in Europe).
  • Disclosure to the subjects of the research that their personal data is being used and for what purpose, obtaining their clear consent, and allowing them access to view it and correct it as appropriate.
  • Ensuring the security of the data that is collected (whether electronically or otherwise).
  • Use of the data only for the specific purpose for which it was collected and making sure the data is destroyed once it is no longer needed.
  • Meeting applicable reporting requirements to host-country regulators.
  • If the data is health-related, compliance with Yale’s HIPAA policy and procedures.

Last updated: 12/09/2021

Yale graduate students working at a health clinic in Ethiopia wish to bring patient medical data back into the US for research.  Issues raised include:

  • Compliance with Yale’s policy on Use and Disclosure of PHI for Research Purposes (HIPAA Policy 5032) and other Yale HIPAA policies and procedures as applicable.
  • Determining what Yale and local IRB approvals would be required.
  • Determining whether patient authorizations would be required.
  • Meeting applicable local data security and privacy requirements and expectations.

Last updated: 12/09/2021

A Yale faculty, student or staff member brings a laptop on an international trip.  The laptop contains personal identifying information (e.g., research data or personnel records).  Local customs officials seize the laptop.  Issues to consider:

  • Before you travel, consider carefully what devices and data you bring.
  • Compliance with reporting requirements related to lost or stolen data and devices.

Last updated: 12/09/2021