The security of research data is managed by the Office of the Vice Provost for Research and its Research Compliance & Safety department.

Global privacy laws and regulations aim to protect individuals’ personal information. They are concerned with the manner in which personal data are collected, used, transferred, or otherwise handled. Research institutions are responsible for ensuring compliance with privacy laws and regulations. Many such laws and regulations vary in their processes, procedures, and requirements. Tufts University is committed to abiding by these laws and regulations to provide maximum protection for individuals’ personal information.

Currently, Tufts maintains procedures for complying with the following global privacy laws and regulations:

• General Data Protection Regulation: European law expanding privacy and security protections for individuals’ personal information. This law regulates the collection, use, transfer, storing and other processing of personal information of individuals located in the European Economic Area (EEA).
  • GDPR Research FAQs
• UK GDPR: This Act was created after the UK’s departure from the European Union; however, the UK DPA operates similarly to the GDPR, and as such, there will be little difference in practice to the GDPR’s core data protection principles, rights and obligations.
• Personal Information Protection Law (PIPL): This is China’s data protection law. Though the PIPL has many of the same goals as the GDPR, there are some important differences that researchers must be aware of when collecting personal data in China. As with all of these laws and regulations, the OVPR staff will be happy to assist researchers in complying with requirements.

These Global Privacy Laws have some common features:

1. Broad definition of covered data. While they sometimes list specific data elements (e.g., IP Address), they apply to anything that is linked or reasonably linkable to a person (or sometimes a group).
2. Extraterritorial coverage. Most apply to those outside the country if the collect or process data of residents.
3. Narrow definition of anonymity/de-identification. There is no HIPAA safe-harbor rule that deems data “safe” if certain fields are removed. Must generally show that reidentification is extremely unlikely.
4. Requirement of a lawful basis to use data: Consent is universal; others vary by country.
5. Focus on cross-border transfers. Contracts required in most cases.
6. Transparency. Must disclose planned processing and retention of data.
7. Security. Must be reasonable based on the risks.
8. Data Subject Access Requests. Data Subjects can request deletion, correction, restriction of use, explanations of what was done with the data, or the data itself.

There are many other nations with their own laws and regulations governing the use of personal data. While the current focus is on those listed above, Tufts intends to broaden its compliance efforts as more global laws and regulations become pertinent.

If you believe any of these laws or regulations may apply to your research, please submit the Researcher Global Privacy Questionnaire. For any other questions, please contact dataprivacy@tufts.edu.