Lesson 1: Policies and Regulations

Responsible Data Planning, Use, and Sharing

1.1 Introduction to policies and regulations

The research data you produce while at a university or in the workplace is often subject to larger legal or institutional policies that impact the ways you can collect, share, and use the data. This section will provide a brief introduction to some of the policies and regulations that may affect you, especially if you work or study at UW-Madison. Every institution or organization will have different policies, so it’s important to seek out relevant resources as you begin each project to ensure you’re handling your data responsibly. If you are not a member of the UW-Madison community, this section will help you identify the types of policies you should be looking for. These include legal policies, industry agreements, organizational policies, and funding agency requirements.

1.2 Legal policies

Legal policies regulate the security and protection of certain types of data. Below we’ve included three common legal regulations for specific data types.

Health Insurance Portability and Accountability Act (HIPAA)

  • The Health Insurance Portability and Accountability Act of 1996 is a law with multiple aims. The one you are most likely familiar with, and that has a large impact on research data, is the privacy rule. The privacy rule sets out protections for the privacy of protected health information (often referred to as PHI) and sets limits on sharing it.
  • UW-Madison has a number of security and privacy policies that can be found via the Office of Compliance website. HIPAA training is required of all members of the UW Health Care Component, and you can now also self-enroll in HIPAA training. Each unit of the UW-Madison Health Care Component has assigned HIPAA Security Coordinators and Privacy Coordinators who are available to answer questions about HIPAA security and privacy.

Federal Information Security Modernization Act of 2014 (FISMA)

  • The Federal Information Security Modernization Act amended the Federal Information Security Management Act of 2002 to ensure stronger protection over Federal information and information systems from cybersecurity threats, including more specific policies and procedures for dealing with data breaches and providing better technical support to agencies.
  • The UW-Madison campus provides campus-specific information on the IT website, and the Office of Cybersecurity provides consulting services to assist with FISMA compliance.

Federal Educational Rights and Privacy Act (FERPA)

  • The Federal Educational Rights and Privacy Act protects the privacy of data from student records, and applies to all schools that receive funding from the U.S. Department of Education. FERPA covers any educational record that contains personally identifiable information (personally identifiable information will be covered a little later in this course).
  • The campus Education and Social/Behavioral Science Institutional Review Board (ED/SBS IRB) provides guidance on understanding FERPA as well as on using student records for research purposes.

1.3 Industry - use agreements

Often when acquiring data from industry sources, you will be asked to sign a data use agreement with the company. A data use agreement will detail the bounds within which you are allowed to access, manipulate, and share the data or the outputs created from the data.

The Education and Social Behavioral Science IRB provides guidance for use agreements, which are also sometimes called memoranda of understanding, data sharing agreements, or data release agreements. This guidance provides further detail on when these agreements are required and how they relate to FERPA and the IRB process.

1.4 Institutional and Organizational Policies

Institutions, as well as other organizations, will often have unique policies that guide members of their communities in the use, security, and management of data while at that institution. These may come from different offices or departments, so sometimes it can be difficult to identify all the policies to which you may be subject. However, investing some time in locating relevant policies will help inform your data management plan as well as ensure that you’re being a thoughtful and responsible data steward. This section will give a brief introduction to a few UW-Madison campus policies.

Campus data requirements

The Office of Data Management and Analytics Services has defined four major classifications for campus data (defined broadly here) that can help us understand the risk associated with our data and help us select the most appropriate storage and sharing methods for our data. The four classifications, their definitions, and brief examples are included below.

Data should be classified as Restricted when the unauthorized disclosure, alteration, loss or destruction of that data could cause a significant level of risk to the University, affiliates or research projects. Data should be classified as Restricted if protection of the data is required by law or regulation or if UW-Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.

Examples include social security numbers, PHI, and other personally identifiable information.

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss or destruction of that data could cause a moderate level of risk to the university, affiliates or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity or availability of the data could have a serious adverse effect on university operations, assets or individuals.

Examples include unpublished research and data such as date of birth or gender.

Data should be classified as Internal when the unauthorized disclosure, alteration, loss or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive or Public should be treated as Internal.

Examples include employee information like phone numbers and contact information, internal memos and emails, and project/award numbers.

Data should be classified as Public prior to display on websites or once published without access restrictions, and when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates.

Examples include campus maps, job postings, public policies or procedures, and the student directory.

For more information visit the UW-Madison Data Governance program page.

Other Campus level requirements

1. Policy on data stewardship, retention, and access:

The UW-Madison Office of the Vice Chancellor for Research and Graduate Education has a policy detailing the data stewardship roles and responsibilities of the University, Principal Investigators (PIs), and researchers on the campus. This policy outline focuses largely on retention, access, and guidance on data ownership in the event a researcher leaves the institution. While the full policy should be read to ensure your complete understanding and compliance, below we’ve included brief excerpts of some of the most salient components.

Stewardship and retention:

“Principal Investigators should adopt an orderly system of Data organization, access, and retention and should communicate the chosen system to all members of a research group and to the appropriate administrative personnel, where applicable.”

Research Data must be archived for a minimum of seven years after the final project close-out, with original Data retained wherever possible. Principles of good stewardship would justify longer periods of retention in the following cases:

  1. Data must be kept for as long as may be necessary to protect any intellectual property resulting from the work;
  2. If any charges regarding the research arise, such as allegations of scientific misconduct or conflict of interest, Data must be retained until such charges are fully resolved; and,
  3. If a postdoctoral scholar or other trainee, graduate student, or undergraduate student is a Research Contributor, Data must be retained at least until the degree is awarded, training is completed, or it is clear that the individual has abandoned the work.


“As part of the stewardship of research Data, the Principal Investigator shall create explicit understandings with Other Research Contributors regarding access to and use of Data. These understandings ought to reflect access appropriate to one's role and contribution to the conception and design of research, acquisition of Data, or analysis, and interpretation of Data.

It will also be the responsibility of the Principal Investigator to follow the requirements of any sponsored agreements with regard to access to Data.”

Transfer in the event a researcher leaves UW-Madison

“When individuals involved in research projects at UW-Madison leave the University or move to a different research group or position at UW-Madison, they may, with PI approval, take copies of research Data that they have generated or to which they have made a substantial contribution for projects on which they have worked. Original Data, however, must be retained at UW-Madison by the Principal Investigator.

If a Principal Investigator leaves UW-Madison, and a project is to be moved to another institution, the Data may be transferred with the approval of the Vice Chancellor for Research, and with written agreement from the PI's new institution that guarantees: 1) its acceptance of custodial responsibilities for the Data, and 2) UW-Madison access to the Data, should that become necessary.

Data sets comprised of directly or indirectly identifiable human subjects data may not be transferred outside of the University without UW IRB review and approval of the transfer. IRB review and approval to use the data may also be needed from the institution to which the data will be transferred.” [1]

2. Invention and discovery disclosure

If you are conducting funded research while at UW-Madison, it is good to be aware that you are subject to invention and discovery disclosure. Other institutions or organizations may have similar policies.

The Office of the Vice Chancellor for Research and Graduate Education notes: “To assure the University’s ability to comply with obligations arising under federal laws or in extramural sponsored research agreements, faculty, staff, and students are required as a condition of participation in sponsored research to file disclosure reports for any invention or discovery made during the course of their University activities.” [2]

3. Institutional Review Board

IRBs are campus bodies that work with campus researchers to review human subjects research and ensure that the rights and interests of those participating are protected. For research that involves the use of human subjects, it is expected that you will submit your project plan and materials to the correct IRB for review prior to the beginning of your project. The IRB will review your plans and examine the risk to the subjects, help ensure you are meeting ethical and legal responsibilities, and will help you understand if you may share your data. UW-Madison has multiple IRBs:

  • The Health Sciences IRB: Reviews research protocols involving medical interventions or procedures where medical expertise is required for evaluation.
  • The Minimal Risk IRB: Reviews research protocols that present minimal risk to subjects and that involve medical interventions or procedures requiring medical expertise or that require knowledge of the health care setting.
  • The Education and Social Behavioral Science IRB: Reviews and approves human participants research occurring within the social and behavioral sciences, and non-medical health research, including social and behavioral science, genetic research, and non-medical prison research. Information from Human Research Protection Program [3]

1.5 Funding agency requirements

In 2013, a memo from the White House Office of Science and Technology (OSTP) directed federal agencies with over $100 million in R&D to create plans that would increase public access to the articles and the underlying research data that result from grant funding.

This memo affected many of the common, large funders that we frequently encounter at UW-Madison like the National Science Foundation (NSF), Department of Energy (DOE), Department of Defense (DOD), etc. Each agency was responsible for detailing its exact requirements, which were largely released in 2015. These requirements affect both publications and data from federally funded research, typically requiring that articles and associated research data be made publicly available no later than 12 months after the article’s publication date.

Along with the public access component, agencies also now typically ask for a data management plan to be submitted as part of the proposal process. The plan should detail the management of the data during the research project and should identify where and when the data and research outputs will be made publicly available.

Other federal agencies not identified in the OSTP memo, such as the National Endowment for the Humanities (NEH), and some private foundations, such as the Bill and Melinda Gates Foundation, American Heart Association (AHA), and Howard Hughes Medical Institute (HHMI), have also begun requiring more detailed plans for data management and public access.

Funding agency guidelines have provided some of the greatest incentive for researchers and universities to think more carefully about data management and data sharing, especially as funders begin to become more stringent in the review of and compliance with these plans.

We’ll introduce data management plans a little later on in this course, but as you work through the course, keep in mind that all of the topics we’re introducing are resources to help you write a more useful and effective data management plan for your project.

For more information about federal funding requirements view the Research Data Services informational table.

[1] University of Wisconsin-Madison. (2013) Policy on Data Stewardship, Access, and Retention. Retrieved from: https://kb.wisc.edu/images/group156/34404/12.17datastewardshiprev.pdf

[2] University of Wisconsin-Madison. (n.d.) Disclosure of Inventions. Retrieved from: https://research.wisc.edu/disclosure-of-inventions/

[3] University of Wisconsin-Madison. (n.d.) Human Research Protection Program. Retrieved from: https://research.wisc.edu/compliance-policy/human-research-protection-program/