European Union General Data Protection Regulation (GDPR)

The GDPR was adopted in 2016 and has been enforceable since 25 May 2018. It applies worldwide to the processing of “Personal Data” of individuals in the EU, defined as (a) any information (b) relating to (c) an identified or identifiable (d) natural person. The regulation imposes complex technical and organizational requirements that UVA, like many U.S. institutions, is not currently able to meet. Researchers who intend to engage in work that may involve collecting data from EU residents are therefore encouraged to consult OSP as early as possible, so that the office can explore alternative ways to carry out the project.

Please see this GDPR presentation for more information.

My data are HIPAA compliant. Why isn't that sufficient?

Under the GDPR, deidentified (pseudonymized) data are treated substantially differently from the way the same category of data is treated in the U.S.: deidentification does not remove the data from GDPR protection as long as a natural person can still be identified by any means. Only truly anonymized data fall outside the regulation, and certain categories such as genetic and biometric data are treated as inherently identifying and cannot in practice be anonymized. The GDPR imposes severe penalties on entities that obtain an EU resident’s Personal Data and fail to comply with its protection regime. Any Personal Data transferred from an EU member state are protected whether or not the underlying agreement expressly references the GDPR. Because of the stringent technical and organizational requirements imposed by the regulation, UVA is not currently in a position to receive Personal Data of EU residents.

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act is a U.S. federal law protecting the privacy of student education records. It applies to all educational institutions that receive funds under programs administered by the U.S. Department of Education, and research that uses student records may fall under FERPA protections.

For more information, please see the following short FERPA presentation.