Data Regulations

Data management must consider how any laws, rules, and regulations may apply to the data as well as who will be accountable.


Data-related laws and regulations

Many laws and regulations pertain to how we manage data. Here are a few:

Accessibility

  • ADA: Title II of the Americans with Disabilities Act (ADA), under its digital accessibility rule, sets specific requirements for ensuring that web content and mobile applications (apps) are accessible to people with disabilities. See the Digital Accessibility policy (UW-519).

Data Privacy

  • CCPA: The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them.
  • COPPA: The Children’s Online Privacy Protection Act (COPPA) is a federal law that protects the privacy of children under 13 online. It applies to websites and online services that are directed at children and collect their personal information, and to operators that have actual knowledge that they are collecting personal information from children under 13.
  • GDPR: The European Union’s General Data Protection Regulation harmonizes data-protection laws throughout Europe and may apply to certain personal data collected by UW‑Madison where we engage in business activities that collect or process the personal data of individuals physically located in the EU. See the UW–Madison GDPR Notice.
  • PIPL: China’s Personal Information Protection Law (PIPL) regulates personal information, defined as any kind of information, electronically or otherwise recorded, related to an identified or identifiable natural person within the People’s Republic of China (PRC).

Health Data

  • HIPAA: The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of Protected Health Information (PHI) as defined by HIPAA. Designated schools, colleges, departments and individuals at UW–Madison form the HIPAA Health Care Component (HCC). See UW–Madison’s HIPAA page.

Institutional Reporting

  • Federal Accreditation and Pre-Accreditation Standards: Per 34 CFR § 602.16 an agency must demonstrate that it has standards for accreditation, and preaccreditation, if offered, that are sufficiently rigorous to ensure that the agency is a reliable authority regarding the quality of the education or training provided by the institutions or programs it accredits.
  • IPEDS: The Integrated Postsecondary Education Data System (IPEDS) is a system of 12 interrelated survey components conducted annually that gathers data from every college, university, and technical and vocational institution that participates in the federal student financial aid programs.
  • Legislative Accountability Reports: Under Section 36.65 of the Wisconsin Statutes (Act 32), UW–Madison produces annual accountability reports covering legislated requirements, accreditation, institutional improvement, and peer benchmarking.
  • NCAA Financial Data Filing: The National Collegiate Athletic Association (NCAA) constitution, Article 2(D)(1)(c), requires every NCAA member to submit its financial data annually, as determined by its division, detailing the operating revenues, expenses and capital relating to its intercollegiate athletics program.

Research Data

Security

  • CIRCIA: The Cyber Incident Reporting for Critical Infrastructure Act. Rulemaking currently under consideration would bring higher education institutions that accept Title IV funding into scope of the Act, requiring them to report certain cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA, within the Department of Homeland Security).
  • GLBA: The Gramm-Leach-Bliley Act requires institutions that offer consumers financial products or services, such as loans, financial or investment advice, or insurance, to explain their information-sharing practices to their customers and to safeguard sensitive customer data.
  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for organizations, including universities, that store, process, or transmit payment card data, in order to protect cardholder data.
  • Wisconsin Data Breach Notification Law: Section 134.98 of the Wisconsin Statutes requires most businesses to notify individuals if an unauthorized person has acquired their personal information.

Student Data