What is Data Protection?

Data protection is the set of strategies, practices and operational controls, applied to systems and business processes, that safeguard an individual’s personal data. Brown is working to strengthen data protection by standardizing the ways in which personal data is managed and shared within units and across the University.

What is personal data?

Personal data is broadly defined as any information relating to an identified or identifiable individual. This includes a person’s name; government-issued identification number (Social Security Number, state ID, resident number, etc.); address or other location data; online identifiers such as email or IP addresses; images; and information on an individual’s health, genetics, race or ethnic origin, gender identity, sexual orientation, biometrics, political opinions, religious or philosophical beliefs, and trade union membership. Note that an identifier such as an IP address counts as personal data even on its own when it can be linked back to a person, and several of the categories in the latter group are treated as sensitive data that receive heightened protection under laws such as GDPR.

Laws and regulations governing use of personal data

As a research university engaged in international activities, Brown is subject to a range of laws and regulations governing the collection and use of personal data.

U.S. Privacy Laws

The United States does not have a comprehensive national data protection or data privacy law. Instead, sector-specific federal laws and a patchwork of state laws govern the gathering, use and sharing of certain types of personal data. For example, the Family Educational Rights and Privacy Act (FERPA) governs access to and sharing of student education records, the Health Insurance Portability and Accountability Act (HIPAA) regulates the use and disclosure of protected health information, and various state privacy laws govern other aspects of data privacy and protection. A wide-ranging California law, the California Consumer Privacy Act (CCPA), took effect in 2020 and addresses the protection of consumer data. Other states are likely to pay increasing attention to data privacy as well.

Applicable International Law (GDPR)

Effective May 25, 2018, the European Union’s General Data Protection Regulation, known as GDPR, established new rules for how personal data is managed and shared. GDPR aims to harmonize data protection law and data processing practices across the EU, affording individuals stronger, more consistent rights to access and control their personal information. Although GDPR protects individuals who are in the EU, it applies regardless of where the organization processing their data is located, so U.S. companies and institutions, including universities, can fall within its scope.

Key principles underlying GDPR include keeping personal data accurate; collecting only the data needed for specified, explicit and legitimate purposes and using it only for those purposes; limiting how long data is retained; protecting data against unauthorized access, loss or disclosure; and granting individuals rights over their data, including the right to access it and to be informed about how it will be used and shared.

Considerations for research

Brown’s Office of the Vice President for Research maintains a webpage providing information on GDPR and its applications to research involving human subjects.