Personal Data and International Laws
Note: this page is for general discussion of international data protection in the context of research.
What is Personal Data?
Many countries have laws that are similar to the European Union's General Data Protection Regulation (GDPR). International personal data is personal data that is transferred or accessed across international borders.
GDPR definition of personal data:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What are the international laws for personal data?
Personal data regulations (also known as privacy and data protection laws) are country-specific. Currently there are over 160 countries with laws protecting personal data.
These laws provide requirements for:
- Privacy: how to use and share data for legitimate research and other purposes, while protecting personally identifiable information; and
- Security: how to secure personal data in order to prevent unintentional disclosures, access by unauthorized persons, or improper use by unauthorized persons.
How could a researcher receive and/or create data subject to international laws?
Data collected, recorded, stored, and/or used by researchers may be regulated by international data protection laws.
Examples of data that may be subject to international laws:
- Data repositories, such as UK Biobank
- Research project with data collection in an international location
- Research project with data collection in the U.S. using surveys distributed internationally
What does a researcher need to do if they want to collect personal data from international participants?
A researcher must submit an application to the Office of Research Compliance if they plan to collect, record, store and/or use data from international participants. The application allows the Office of Research Compliance and other administrative areas to review the application and implement required rights and security measures.