Data management must consider how any laws, rules, and regulations may apply to the data as well as who will be accountable.
Data-related laws and regulations
Many laws and regulations pertain to how we manage data. Here are a few:
Accessibility
- ADA Title II: The Americans with Disabilities Act (ADA), Title II – Digital Accessibility, has specific requirements about how to ensure that web content and mobile applications (apps) are accessible to people with disabilities. See the Digital Accessibility policy (UW-519).
Data Privacy
- CCPA: The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.
- COPPA: The Children’s Online Privacy Protection Rule (COPPA) is a federal law that protects the privacy of children under 13 online. It applies to websites, online services, and operators that collect personal information from children or have actual knowledge of doing so.
- GDPR: The European Union’s General Data Protection Regulation harmonizes data-protection laws throughout Europe and may apply to certain personal data collected by UW‑Madison where we engage in business activities that collect or process the personal data of individuals physically located in the EU. See the UW–Madison GDPR Notice.
- PIPL: China’s Personal Information Protection Law (PIPL) regulates personal information, defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within the People’s Republic of China (PRC).
Health Data
- HIPAA: The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of Protected Health Information (PHI) as defined by HIPAA. Designated schools, colleges, departments and individuals at UW–Madison form the HIPAA Health Care Component (HCC). See UW–Madison’s HIPAA page.
Institutional Reporting
- Federal Accreditation and Pre-Accreditation Standards: Per 34 CFR § 602.16, an agency must demonstrate that it has standards for accreditation, and for pre-accreditation if offered, that are sufficiently rigorous to ensure that the agency is a reliable authority regarding the quality of the education or training provided by the institutions or programs it accredits.
- IPEDS: IPEDS is a system of 12 interrelated survey components conducted annually that gathers data from every college, university, and technical and vocational institution that participates in the federal student financial aid programs.
- Legislative Accountability Reports: Under Act 32, Section 36.65 of the Wisconsin Statutes, UW–Madison produces annual accountability reports related to legislated requirements, accreditation, institutional improvement, and peer benchmarking.
- NCAA Financial Data Filing: The National Collegiate Athletic Association (NCAA) constitution, Article 2(D)(1)(c), states that all members of the NCAA must annually submit their financial data, as determined by the division, detailing operating revenues, expenses and capital relating to the intercollegiate athletics program.
Research Data
- CUI: The federal government requires cybersecurity controls on certain types of protected data, known as Controlled Unclassified Information, often used or gathered in research projects.
- FISMA: The Federal Information Security Management Act requires implementing moderate or higher security controls documented in the most recent revision of the National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) and related publications.
- ITAR/EAR/FACR: The Export Control Office works with UW–Madison faculty, researchers, staff and students to ensure compliance with the U.S. Export Control laws and regulations, including the International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR) and Foreign Assets Control Regulations (FACR).
- NSPM-33: NSPM-33 (National Security Presidential Memorandum-33) mandates the establishment of research security programs at research institutions receiving federal funds.
Security
- CIRCIA: The Cyber Incident Reporting for Critical Infrastructure Act. Rulemaking currently under consideration would bring higher-education institutions that accept Title IV funding into scope of the Act, requiring reporting of certain cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA, within the Dept. of Homeland Security).
- GLBA: The Gramm-Leach-Bliley Act requires institutions that offer consumers financial products or services like loans, financial or investment advice, or insurance to explain their information-sharing practices to their customers and to safeguard sensitive data.
- PCI-DSS: The Payment Card Industry Data Security Standard (PCI-DSS) provides guidance to organizations, including universities, for protecting the payment card data used to process card transactions.
- Wisconsin Data Breach Notification Law: Section 134.98 of the Wisconsin Statutes requires most businesses to notify individuals if an unauthorized person has acquired their personal information.
Student Data
- FERPA: The Family Educational Rights and Privacy Act is a federal law that governs the privacy of student education records, access to those records, and disclosure of information from them. See Office of the Registrar’s FERPA Overview.
- Public Records: The Wisconsin Public Records Law, Wis. Stats. §19.31-19.39, is intended to ensure that state agencies and institutions, including the University of Wisconsin-Madison, are transparent to the public by granting a right of access to records. See Office of Compliance Public Records Program.