Skip to Main Content

Research Data Management

This guide provides best practices and resources for managing your research data for any discipline.

What is data privacy?

Data Privacy governs how data is collected, shared, and used.  It refers to your personal information and is also called Information Privacy.  It applies to PII - Personally Identifiable Information and PHI - Personal Health Information, among other data types.  This includes your social security number, health/medical records, financial data such as bank account and credit card numbers, your full name, race, national /ethnic origin, age, religion, physical and email addresses, student ID number, birth date, DMV number, location data (from your cell phone), employment history, criminal history, blood type, etc.

Access to this data is highly regulated by governments. Common regulations you should be aware of when using this type of data in your research include the GDPR, CCPA, FERPA, the Common Rule (PPHS 45 CFR part 46), and HIPPA.  Many countries have their own versions of these laws.  Many states have specific laws that protect individual data. The National Conference of State Legislatures (NCSL) maintains the Consumer Data Privacy Legislation site which lists the legislation that was being considered in 2019.  It provides the Bill Number, Status, and Summary, listed by state. 

Protecting personal data privacy has always been an important factor in academic research. Some of this legislation is intended to protect personal data in business transactions, not in research, but the definitions are vague enough that they could impact research data sharing. The CCPA and state laws are examples of this type of legislation.  Their definitions and data sharing attributes mirror the GDPR, HIPPA, and Common Rule. 

The following section will provide a brief summary and links to related documents to many of these regulations. 


The General Data Protection Regulation is a European Union law that was implemented May 25, 2018, and requires organizations to safeguard personal data and uphold the privacy rights of anyone in EU territory. The regulation includes seven principles of data protection that must be implemented and eight privacy rights that must be facilitated. It also empowers member state-level data protection authorities to enforce the GDPR with sanctions and fines. The GDPR replaced the 1995 Data Protection Directive, which created a country-by-country patchwork of data protection laws. The GDPR, passed in European Parliament by overwhelming majority, unifies the EU under a single data protection regime.

Any organization that processes the personal data of people in the EU must comply with the GDPR. “Processing” is a broad term that covers just about anything you can do with data: collection, storage, transmission, analysis, etc. “Personal data” is any information that relates to a person, such as names, email addresses, IP addresses, eye color, political affiliation, and so on. Even if an organization is not connected to the EU itself, if it processes the personal data of people in the EU (via tracking on its website, for instance), it must comply. The GDPR is also not limited to for-profit companies. [courtesy of the GDPR.EU FAQ website, a project funded by the Horizon 2020 Framework Programme of the European Union]

Managing user research data and participant privacy is a UK User Research guide (from the Gov.UK Service Manual - User research). While it is written for UK researchers, it is a very useful guide that explains the important points of the GDPR in relation to research and personal data.  Topics covered include Managing participants' personal data during recruitment, Managing the research data you collect and use, Protecting privacy when sharing research outputs, Making sure colleagues protect participant privacy, Working with service providers, contractors and third-party staff, and Protecting participant privacy when reporting findings publicly. 

The California Consumer Privacy Act of 2018 (CCPA) [AB-375] will take effect January 1, 2020. It is the strongest state privacy legislation enacted in the United States.  It is written for California residents, but it applies to any business entity doing business in California that meets certain rules. Businesses will likely chose to adhere to the CCPA because it is simpler (and less expensive) to meet the requirements of one set of rules instead of 50 different ones (each state has different privacy legislation enacted). The Act provides "consumers" five basic rights concerning their personal information:

  • The right of Californians to know what personal information is being collected about them
  • The right of Californians to know whether their personal information is sold or disclosed and to whom
  • The right of Californians to say no to the sale of personal information 
  • The right of Californians to access their personal information
  • The right of Californians to equal service and price, even if they exercise their privacy rights

Legislation: AB-375 

Proskauer Privacy Law Blog The California Consumer Privacy Act of 2018  

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records.  It is administered by the U.S. Department of Education.  It gives parents certain rights with respect to their children's education records. the rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are called "eligible students".

The Health Insurance Portability and Accountability Act (HIPAA) establishes the conditions under which protected health information may be used or disclosed by covered entities for research purposes. Drafted in 1996, HIPPA is comprised of 2 rules. The Privacy Rule, also known as the Standards for Privacy of Individually Identifiable Health Information, was the first federal regulation for the use and/or disclosure of an individual's health information (PHI).  The Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.  Both rules are in the same legislation in 45 CFR Part 160.  The Privacy Rule is also in Subparts A & E of part 164 and the Security Rule is also in Subparts A & C of part 164.  Subpart A is the General Provisions. Subpart C is the Security Standards for the Protection of Electronic Protected Health Information. Subpart D is the Notification in the Case of Breach of unsecured Protected Health Information. Subpart E is the Privacy of Individually Identifiable Health Information. The Act is administered by the Department of Health & Human Services.  

The Gramm-Leach-Bliley Act (GLBA) is a federal law that applies to financial institutions (including banks, savings & loans, credit unions, insurance companies, academic institutions, and securities firms) and includes privacy and information security provisions designed to protect consumer financial data. The Act is administered by the Federal Deposit Insurance Corporation (FDIC). The Federal Trade Commission (FTC) enforces the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314) for higher education institutions. Generally if an institution is in compliance with FERPA they are assumed to be in compliance with the GLBA Privacy Rule. The Federal Student Aid (FSA) office maintains the Cybersecurity compliance site documenting GLBA compliance information, including two provisions that address data breach issues. ​

The Children's Online Privacy Protection Act of 1998 (COPPA) is a Federal law that applies to the online collection of personal information of children under the age of 13.  Persons or entities under U.S. jurisdiction must adhere to the requirements to include a privacy policy, when and how to seek verifiable consent from a parent or guardian, and the responsibilities a site owner/operator has to protect children's privacy and safety online.  It is administered by the Federal Trade Commission.  15 USC 6501- 6506.

The Common Rule is a 1981 ethics rule in the United States governing biomedical and behavioral research involving human subjects. It was revised in 2018. It governs the IRB oversight of human research. Title 45 CFR 46 (Public Welfare) Subparts A, B, C, and D.  Subpart A is the Common Rule. Subpart B provides protection for pregnant women, human fetuses and neonates as subjects. Subpart C protects prisoners as subjects. Subpart D protects children as subjects. Twenty Federal agencies have signed onto the Common Rule. They include the Department of Agriculture, Department of Commerce (NIST), Department of Energy, Department of Defense, Department of Health and Human Services, Department of Homeland Security, Department of Housing and Urban Development, Department of Justice (National Institute of Justice), Department of Labor, Department of Transportation, Department of Veterans Affairs, Agency for International Development, Central Intelligence Agency, Consumer Product Safety Commission, Environmental Protection Agency (Research and Development), National Aeronautics and Space Administration, National Science Foundation, Office of the Director of National Intelligence, and the Social Security Administration.  It is administered by the Department of Health and Human Services.

Federal regulations require that all proposed human research studies undergo review by the Institutional Review Board (IRB). The IRB is responsible for reviewing all human subjects research and ensuring compliance with federal regulations. The primary role of the IRB is to protect the safety and welfare of human subjects.

UVa utilizes a Human Research Protection Program (HRPP) to manage the Institutional Review Board (IRB) and Post-Approval Monitoring (PAM) offices. It is administered by the Vice President for Research Office