DOJ Regulations Regarding Access to Bulk U.S. Sensitive Data

Overview

The Department of Justice (DOJ) has issued a Final Rule titled “Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (the Final Rule). Below are FAQs that explain how the Final Rule impacts the sharing of U.S. sensitive personal data or U.S. government-related data with certain countries outside of the U.S., particularly in the University of Rochester research context. Researchers handling the sensitive data described in the Final Rule must ensure compliance with its requirements.

For a brief overview of the Final Rule, see IAPP’s “Cheat Sheet” overview. More information can also be found in FAQs issued by the DOJ.

In implementing the Final Rule, the National Institutes of Health (NIH) has also issued a Policy on Enhancing Security Measures for Human Biospecimens that prohibits institutions and researchers that hold human biospecimens of U.S. persons collected, obtained, stored, used, or distributed using on-going or new NIH funds from distributing the human biospecimens to institutions or parties located in countries of concern.

Frequently asked questions

What data and transactions does the Final Rule regulate?

The Final Rule imposes requirements on U.S. persons and entities that provide access to bulk U.S. sensitive personal data or U.S. government-related data to countries of concern or covered persons through a transaction that involves (1) data brokerage, (2) a vendor agreement, (3) an employment agreement, or (4) an investment agreement.

What are the countries of concern?

The Final Rule identifies China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as countries of concern.

What is a covered person?

“Covered persons” include entities that are organized or chartered under the laws of, or have their principal place of business in, a country of concern; individuals who are employees or contractors of a country of concern or of a covered person; and non-U.S. persons who are primarily resident in a country of concern. Covered persons also include any individuals specifically designated by the DOJ.

For purposes of the Rule, an individual is a U.S. person (and not a covered person) if the individual is located in the United States, regardless of whether they are a citizen of a country of concern, unless specifically designated by DOJ.

What is considered bulk U.S. sensitive personal data?

The Final Rule defines six categories of U.S. sensitive personal data, each with a defined “bulk” threshold detailed below.

Excluded from each category of sensitive personal data is data that is, at the time of the transaction, lawfully available to the public from a Federal, State, or local government record (such as court records) or in widely distributed media (such as sources that are generally available to the public through unrestricted and open-access repositories).

Does the Final Rule apply to de-identified or anonymized data?

Yes, the Final Rule’s prohibitions and restrictions on data transactions apply regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted.

What does “accessing” data mean under the Final Rule?

“Access” is defined very broadly. Access means logical or physical access, including the ability to obtain, read, copy, decrypt, edit, divert, release, affect, alter the state of, or otherwise view or receive data, in any form, including through information systems, information technology systems, cloud-computing platforms, networks, security systems, equipment, or software.

What transactions are prohibited?

The Final Rule prohibits certain transactions involving human ‘omic data and data brokerage:

Human ‘Omic Data:

  • Any covered data transaction (whether involving data brokerage, a vendor agreement, an employment agreement, or an investment agreement) with a country of concern or covered person that involves access to bulk human ‘omic data, or to human biospecimens from which bulk human ‘omic data could be derived, is prohibited.

Data Brokerage:

  • Any covered data transaction involving data brokerage with a covered person or a country of concern is prohibited; and
  • Covered data brokerage transactions with any foreign entities or persons are prohibited unless the U.S. person (such as the University) imposes contractual commitments on the foreign person regarding subsequent transactions involving the same data. If the University is exchanging or permitting access to data with a foreign party that is not a covered person, it must ensure the contract prohibits the foreign party from further sharing the data.

The Final Rule also prohibits transactions that have the purpose of evading or avoiding the prohibitions described above.

What transactions are restricted?

Covered data transactions that involve vendor agreements, employment agreements, and investment agreements are restricted transactions and subject to significant reporting, data security, and auditing requirements.

Can a “covered person” access bulk U.S. sensitive personal data or U.S. government-related data while they are located in the United States?

While located in the United States, a non-designated covered person is considered a U.S. person and can access bulk U.S. sensitive personal data or U.S. government-related data. Upon leaving the United States, the individual reverts to being a covered person.

In addition, any attempt to avoid the regulations’ prohibitions, such as by having a covered person enter the U.S. to receive bulk U.S. sensitive personal data, could constitute evasion and a violation of the regulations.

Are there any exemptions from the Final Rule?

Yes, but the exemptions are narrow. One exemption is for the “Official Business of the United States Government.” Federally funded research is exempt from the restrictions when data transactions are conducted pursuant to a grant, contract, or other agreement with Federal departments and agencies. The federal grant, contract, or agreement must direct or authorize the data transaction with the covered person.

What does the NIH Policy on Enhancing Security Measures for Human Biospecimens restrict?

The NIH Policy on Enhancing Security Measures for Human Biospecimens (NIH Policy) prohibits institutions and researchers that hold human biospecimens of U.S. persons collected, obtained, stored, used, or distributed using on-going or new NIH funds from distributing the human biospecimens to institutions or parties located in countries of concern.

The NIH Policy defines human biospecimens as “A quantity of tissue, blood, urine, or other human-derived material. A single biopsy may generate several human biospecimens, including multiple paraffin blocks or frozen sample. A human biospecimen can comprise subcellular structures, cells, tissue (e.g., bone, muscle, connective tissue, and skin), organs (e.g., liver, bladder, heart, and kidney), blood, gametes (sperm and ova), embryos, fetal tissue, and waste (urine, feces, sweat, hair and nail clippings, shed epithelial cells, and placenta). Human biospecimens include those that are isolated and propagated into new cell lines. The term also includes cell lines for which an agreement is in place to commercially or publicly make them available, but for which the cell lines have not yet been made commercially or publicly available on or after the effective date of this policy.”

In limited circumstances, the human biospecimens may be shared or distributed to countries of concern only if use of the human biospecimens is:

  • to meet transactions required or authorized by Federal law or international agreements; or
  • needed in rare and compelling circumstances where the facility and personnel in the country of concern possess needed capabilities and/or expertise not available elsewhere, the use of the biospecimen cannot be delayed to a time when capability and/or expertise is available elsewhere, and done with the consent of the individual from whom the biospecimen was collected; or
  • at the request of the individual whose biospecimen was collected, obtained, or stored using NIH funds; for purposes of diagnosis, prevention, or treatment of that individual; and in compliance with applicable Federal laws, regulations, and policies.

How can researchers help ensure compliance with the Final Rule?

If you are storing or handling bulk U.S. sensitive personal data or U.S. government-related data and plan to disclose or make the data accessible to any external entity, contact ORPA to ensure proper handling of the transaction and for review of compliance with the Final Rule.

ORPA must approve any arrangement that involves the University allowing access to or transferring sensitive personal data (even if de-identified or anonymized, and regardless of subject authorization) for research purposes to foreign entities, foreign institutions, or researchers residing in foreign countries. These arrangements must be documented under a data use agreement, clinical trial agreement, or similar agreement. This includes data sharing for collaborative research purposes.

Are there consequences for non-compliance?

Yes, civil or criminal penalties may be imposed by the DOJ, and any non-compliance could result in reputational harm to the researcher and the University.

Where can I find additional information?

Researchers can reach out to ORPA or the University’s Research Security Officer (Joe Doyle; joe.doyle@rochester.edu) for additional guidance.