Lesson 1: Policies and Regulations

1.1 Introduction to Policies and Regulations

The research data you produce while at a university or in the workplace is often subject to larger legal or institutional policies that impact the ways you can collect, share, and use the data. This section will provide a brief introduction to some of the policies and regulations that may affect you, especially if you work or study at UW–Madison. Every institution or organization will have different policies, so it’s important to seek out relevant resources as you begin each project to ensure you’re handling your data responsibly. If you are not a member of the UW–Madison community, this section will help you identify the types of policies you should be looking for. These include legal policies, industry agreements, organizational policies, and funding agency requirements.

1.2 Legal Policies

Certain data types are subject to legal policies that regulate their security and protection. Below we’ve included three common legal regulations, each tied to a specific data type.

Health Insurance Portability and Accountability Act (HIPAA)

  • The Health Insurance Portability and Accountability Act of 1996 is a federal law that requires standardization of the protection and disclosure of protected health information (often referred to as PHI or ePHI).
  • One aspect of HIPAA with which you are likely familiar is the Privacy Rule. The HIPAA Privacy Rule sets out protections for the privacy of PHI and sets limits on sharing it. The Privacy Rule includes definitions of individually identifiable health information and de-identified data, guidance on use and disclosure, definitions of who the rule applies to, and more.
  • Another aspect of HIPAA regulation that affects campus’ protection and use of PHI and data is the HIPAA Security Rule:
    • “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
  • UW–Madison has a number of security and privacy policies that can be found via the Office of Compliance website. HIPAA training is required of all members of the UW–Madison Health Care Component, and you can now also self-enroll in HIPAA training. Each unit of the UW–Madison Health Care Component has assigned HIPAA Security Coordinators and Privacy Coordinators who are available to answer questions about HIPAA security and privacy.
  • It is important to note that the UW–Madison campus reviews and risk-assesses tools and then approves only specific tools for use with HIPAA-regulated data or PHI. Departmental and campus IT and the HIPAA Privacy and Security Officers can help you identify and access appropriate tools.
  • The Office of Cybersecurity also has resources regarding the campus HIPAA Security Program. If you have questions about security for PHI or other datasets, you should reach out to your departmental IT, DoIT’s Office of Cybersecurity, or HIPAA Security Officers depending on your question.

Federal Information Security Modernization Act of 2014 (FISMA)

  • The Federal Information Security Modernization Act amended the Federal Information Security Management Act of 2002 to ensure stronger protection over federal information and information systems from cybersecurity threats, including more specific policies and procedures for dealing with data breaches and providing better technical support to agencies.
  • The UW–Madison campus provides campus-specific information, and the Office of Cybersecurity provides consulting services to assist with FISMA compliance.

Federal Educational Rights and Privacy Act (FERPA)

  • The Federal Educational Rights and Privacy Act protects the privacy of data from student records, and applies to all schools that receive funding from the U.S. Department of Education. FERPA covers any educational record that contains personally identifiable information (personally identifiable information will be covered a little later in this course).
  • The campus Institutional Review Board (IRB) provides guidance on understanding FERPA as well as for using student records for research purposes.

1.3 Industry – Use Agreements


Often when acquiring data from industry sources, you will be asked to sign a data use agreement with the company. A data use agreement will detail the bounds within which you are allowed to access, manipulate, and share the data or the outputs created from the data.

The campus IRB provides guidance for use agreements, which are also sometimes called memoranda of understanding, data sharing agreements, or data release agreements. This guidance provides further detail on when these agreements are required and how they relate to FERPA and the IRB process.

1.4 Institutional and Organizational Policies

Institutions, as well as other organizations, will often have unique policies that guide members of their communities in the use, security, and management of data while at that institution. These may come from different offices or departments, so sometimes it can be difficult to identify all the policies to which you may be subject. However, investing some time in locating relevant policies will help inform your data management plan and ensure that you’re being a thoughtful and responsible data steward. This section will give a brief introduction into a few UW–Madison campus policies.

Campus data classification

UW–Madison IT has defined four major classifications for campus data that can help us understand the risk associated with our data and help us select the most appropriate storage and sharing methods for it. The four classifications, their definitions, and brief examples have been pulled from the campus IT website and are included below. You can find further detail on the IT website and at the Office of the Vice Chancellor for Research and Graduate Education. If you are unsure how to classify your data, reach out to your departmental IT or the Office of Cybersecurity.

Restricted

Data should be classified as Restricted when the unauthorized disclosure, alteration, loss, or destruction of that data could cause a significant level of risk to the University, affiliates, or research projects. Data should be classified as Restricted if protection of the data is required by law or regulation or if UW–Madison is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed.

Examples include social security numbers, PHI, and other personally identifiable information.

Sensitive

Data should be classified as Sensitive when the unauthorized disclosure, alteration, loss, or destruction of that data could cause a moderate level of risk to the University, affiliates, or research projects. Data should be classified as Sensitive if the loss of confidentiality, integrity, or availability of the data could have a serious adverse effect on University operations, assets, or individuals.

Examples include unpublished research and data such as date of birth or gender.

Internal

Data should be classified as Internal when the unauthorized disclosure, alteration, loss, or destruction of that data could result in some risk to the University, affiliates, or research projects. By default, all Institutional Data that is not explicitly classified as Restricted, Sensitive, or Public should be treated as Internal.

Examples include employee information like phone numbers and contact information, internal memos and emails, and project/award numbers.

Public

Data should be classified as Public prior to display on websites or once published without access restrictions, and when the unauthorized disclosure, alteration, or destruction of that data would result in little or no risk to the University and its affiliates.

Examples include campus maps, job postings, public policies or procedures, and the student directory.

For more information visit the UW–Madison Data Governance program page.

Other campus-level requirements

1. Policy on data stewardship, access, and retention

The UW–Madison Office of the Vice Chancellor for Research and Graduate Education has a policy detailing the data stewardship roles and responsibilities of the University, Principal Investigators (PIs), and researchers on the campus. The policy focuses largely on retention, access, and guidance on data ownership in the event a researcher leaves the institution. While the full policy should be read to ensure your complete understanding and compliance, below we’ve included brief excerpts of some of the most salient components.

Stewardship and retention

“Principal Investigators should adopt an orderly system of Data organization, access, and retention and should communicate the chosen system to all members of a research group and to the appropriate administrative personnel, where applicable.

Research Data must be archived for a minimum of seven years after the final project close-out, with original Data retained wherever possible. Principles of good stewardship would justify longer periods of retention in the following cases:

  1. Data must be kept for as long as may be necessary to protect any intellectual property resulting from the work;
  2. If any charges regarding the research arise, such as allegations of scientific misconduct or conflict of interest, Data must be retained until such charges are fully resolved; and,
  3. If a postdoctoral scholar or other trainee, graduate student, or undergraduate student is a Research Contributor, Data must be retained at least until the degree is awarded, training is completed, or it is clear that the individual has abandoned the work.”

Access

“As part of the stewardship of research Data, the Principal Investigator shall create explicit understandings with Other Research Contributors regarding access to and use of Data. These understandings ought to reflect access appropriate to one’s role and contribution to the conception and design of research, acquisition of Data, or analysis, and interpretation of Data.

It will also be the responsibility of the Principal Investigator to follow the requirements of any sponsored agreements with regard to access to Data.”

Transfer in the event a researcher leaves UW–Madison

“When individuals involved in research projects at UW–Madison leave the University or move to a different research group or position at UW–Madison, they may, with PI approval, take copies of research Data that they have generated or to which they have made a substantial contribution for projects on which they have worked. Original Data, however, must be retained at UW–Madison by the Principal Investigator.

If a Principal Investigator leaves UW–Madison, and a project is to be moved to another institution, the Data may be transferred with the approval of the Vice Chancellor for Research, and with written agreement from the PI’s new institution that guarantees: 1) its acceptance of custodial responsibilities for the Data, and 2) UW-Madison access to the Data, should that become necessary.

Data sets comprised of directly or indirectly identifiable human subjects data may not be transferred outside of the University without UW IRB review and approval of the transfer. IRB review and approval to use the data may also be needed from the institution to which the data will be transferred.” [1]

2. Invention and discovery disclosure

While at UW–Madison, you are subject to invention disclosure requirements. The Office of the Vice Chancellor for Research and Graduate Education (VCRGE) guidance states that:

“Based on UW–Madison and UW System policy, faculty, staff, and students are responsible for reporting all inventions resulting from work:

  • that took place while pursuing university duties, or
  • that used ANY university funding (including federal funds, industrial funds, state funds, gift funds, etc.), or
  • that was conducted on university premises, or
  • that used university supplies or equipment.” [2]

You can find the full policy and guidance on the VCRGE Intellectual Property page. You can also visit the Wisconsin Alumni Research Foundation (WARF) website to learn more about the disclosure process. WARF also provides an FAQ page regarding common disclosure questions.

3. Institutional Review Board

IRBs are campus bodies that work with campus researchers to review human subjects research and ensure that the rights and interests of those participating are protected. For research that involves human subjects, it is your responsibility to submit your project plan and materials to the correct IRB for review before your project begins. The IRB will review your plans and examine the risk to the subjects, help ensure you are meeting ethical and legal responsibilities, and help you understand whether you may share your data. UW–Madison has multiple IRBs:

  • “The Health Sciences IRB: Reviews more than minimal risk biomedical research, including FDA regulated research, VA research, and emergency use applications.
  • The Minimal Risk IRB: Reviews minimal risk research, including educational, social, behavioral, medical records review, and minimal biomedical interventional research.” [3]

1.5 Funding Agency Requirements

In 2013, a memo from the White House Office of Science and Technology (OSTP) directed federal agencies with over $100 million in R&D to create plans that would increase public access to the articles and the underlying research data that result from grant funding.

This memo affected many of the common, large funders that we frequently encounter at UW–Madison like the National Science Foundation (NSF), Department of Energy (DOE), Department of Defense (DOD), etc. Each agency was responsible for detailing its exact requirements, which were largely released in 2015. These requirements affect both publications and data from federally funded research, typically requiring that articles and associated research data be made publicly available no later than 12 months after the article’s publication date.


Along with the public access component, agencies also now typically ask for a data management plan to be submitted as part of the proposal process. The plan should detail the management of the data during the research project and should identify where and when the data and research outputs will be made publicly available.

Other federal agencies not identified in the OSTP memo, such as the National Endowment for the Humanities (NEH), and some private foundations, such as the Bill and Melinda Gates Foundation, American Heart Association (AHA), and Howard Hughes Medical Institute (HHMI), have also begun requiring more detailed plans for data management and public access.

Funding agency guidelines have provided some of the greatest incentive for researchers and universities to think more carefully about data management and data sharing, especially as funders become more stringent in reviewing these plans and enforcing compliance with them.

We’ll introduce data management plans a little later on in this course, but as you work through the course, keep in mind that all of the topics we’re introducing are resources to help you write a more useful and effective data management plan for your project.

For more information about federal funding requirements, view the Research Data Services informational table.


[1] University of Wisconsin-Madison. (2013) Policy on Data Stewardship, Access, and Retention. Retrieved from: https://kb.wisc.edu/images/group156/34404/12.17datastewardshiprev.pdf

[2] University of Wisconsin-Madison. (n.d.) Disclosing an Invention. Retrieved from: https://research.wisc.edu/intellectual-property/disclosing-an-invention/

[3] University of Wisconsin-Madison. (n.d.) Human Research Protection Program. Retrieved from: https://research.wisc.edu/compliance-policy/human-research-protection-program/