The Data Security Program (DSP) is a set of federal rules issued by the U.S. Department of Justice (DOJ) that carry out Executive Order 14117 concerning access to certain types of data that could pose a threat to national security. These rules took effect on April 8, 2025.
The goal of the DSP is to protect sensitive personal data about individuals and entities in the United States and to protect data connected to the U.S. government or U.S. government officials. The DOJ has determined certain countries of concern, and certain entities or individuals connected to those countries—persons of concern—may try to access this information to engage in activities harmful to the U.S., like surveillance or intelligence gathering.
Note: For researchers, other laws or programs may have their own security requirements or restrict access to data by countries or persons of concern in addition to what the DSP requires. Compliance with the DSP does not preclude the need to comply with those other requirements and restrictions. More information can be found on the Office of Research’s Research Security at UW webpage.
Why does this matter for universities?
Universities often work with research data, large datasets, and international collaborators. Under the DSP:
- Universities must be careful with sharing, storing, or allowing access to certain types of sensitive data if individuals or entities connected to countries of concern are involved.
- These rules apply even when the university collaborates with or receives funding from foreign institutions, hires international researchers, or uses vendors connected to these countries.
- Care also must be taken when sharing covered data with people or organizations to make sure they do not share it further with a country or person of concern.
What does this mean for students, faculty, researchers, and other UW personnel?
If your work involves sharing data with individuals or entities in or from a country of concern, you may need to:
- Review whether your data is covered by the DSP.
- Implement new or different data access controls.
- Update how your data is tracked and managed.
- Add specific language to contracts with vendors.
Please visit the Data Security Program Frequently Asked Questions page for more information about the DSP and its requirements. If you are a researcher or research administrator, please visit the Office of Research’s DSP Decision Tree.
What is the University doing to meet institutional compliance requirements?
UWIT Information Security, the Office of Research, and UW Medicine, in consultation with the Washington State Attorney General’s Office, are developing standards and procedures that establish roles and responsibilities for the University. While additional self-service resources are in development, to help University personnel determine if their work may be subject to the DSP, the UW Privacy Office has created this Frequently Asked Questions webpage. We are also available to assist University personnel with questions and guidance at uwprivacy@uw.edu.
Data Security Program (DSP) Frequently Asked Questions
The UW Privacy Office developed these FAQs to help University personnel determine whether their work involves the sharing of data that may be subject to the DOJ’s DSP and what may be required if the DSP applies. We recognize that navigating the DSP’s definitions and requirements can be challenging and complex. If you have any questions about whether the DSP applies to your work-related activities or what any of the terms or other concepts below mean, reach out to us at uwprivacy@uw.edu for assistance and further guidance.
Researchers may also visit the Office of Research’s DOJ DSP Decision Tree.
Data Security Program Frequently Asked Questions
The goal of the DSP is to protect certain types of personal data considered to pose a risk to U.S. national security if accessed by countries of concern or persons or entities connected to such countries. The DSP covers two specific categories of data:
Data is bulk U.S. sensitive personal data if it falls into one of the below six categories with defined bulk thresholds:
- Human ‘omic data collected about or maintained on more than 1,000 U.S. persons, or, in the case of human genomic data, more than 100 U.S. persons.
- Biometric identifiers collected about or maintained on more than 1,000 U.S. persons.
- Precise geolocation data collected about or maintained on more than 1,000 U.S. persons.
- Personal health data collected about or maintained on more than 10,000 U.S. persons.
- Personal financial data collected about or maintained on more than 10,000 U.S. persons.
- Covered personal identifiers collected about or maintained on more than 100,000 U.S. persons.
A U.S. person includes:
- Any U.S. citizen, national or lawful permanent resident.
- Any individual admitted to the United States as a refugee or granted asylum.
- Any person in the United States, meaning any individual, regardless of citizenship or status, physically located in the United States.
Data is U.S. government-related data if it consists of:
- Precise geolocation data relating to a list of over 700 geofenced coordinate areas near U.S. government facilities; or
- Sensitive personal data, regardless of any number threshold, that is marketed as linkable to employees, contractors, or officials of the U.S. government.
Note: Even where data is de-identified, anonymized, or encrypted, it is still considered to be bulk U.S. sensitive personal or U.S. government-related data if it meets the definitional requirements above.
A country of concern is any foreign government that the DOJ, with the concurrence of the U.S. Secretary of State and Secretary of Commerce, determines:
- Has engaged in a long-term pattern or serious instances of conduct significantly adverse to U.S. national security or the security and safety of U.S. persons; and
- Poses a significant risk of exploiting government-related or bulk U.S. sensitive personal data to the detriment of U.S. national security or the security and safety of U.S. persons.
Currently, the following six governments have been designated as countries of concern:
- China, including Hong Kong and Macau
- Cuba
- Iran
- North Korea
- Russia
- Venezuela
Covered persons include, among others:
- Entities that are organized or chartered under the laws of a country of concern or have a principal place of business in a country of concern.
- Entities that are at least 50% owned by a country of concern or covered person.
- Individuals who are employees or contractors of such covered person entities.
- Non-U.S. individuals who are primarily a resident of a country of concern.
Note: Under the regulations, an individual who is a covered person may access bulk U.S. sensitive or government-related data while located in the U.S. If they then leave the U.S., they may no longer access the data. There are some exceptions to such individuals’ ability to access the data while located in the U.S., for example:
- If the DOJ has specifically designated the individual as a covered person; or
- The access is an attempt to avoid the regulations’ prohibitions, such as by having the individual enter the U.S. to access the data.
In addition, in relation to access to bulk U.S. sensitive or U.S. government-related data by countries of concern or covered persons, access is defined broadly to include the transfer, storage, editing, reading, receiving, or having the ability to obtain such data.
What activities are within scope of the DSP?
The DSP applies to any data transaction, such as sharing or selling of data, with individuals or entities in the U.S., including University partners and vendors, that involves access to bulk U.S. sensitive personal or U.S. government-related data by a country of concern or covered person. At a high level, given the DSP’s broad definition of access, any access to such data by a country of concern or covered person may be impacted.
If the DSP applies, the transaction will be:
- Prohibited — unless the DOJ has issued a license for such activity; or
- Restricted — may proceed subject to security and compliance requirements.
Prohibited transactions include:
- Data brokerage — knowingly engaging in the sale or licensing of access for monetary value or a similar commercial transaction involving bulk U.S. sensitive personal or U.S. government-related data with a country of concern or covered person.
- Certain onward transfers — knowingly engaging in data brokerage with a foreign person who is not a covered person, unless the foreign person is contractually required to refrain from engaging in data brokerage of the same data with a country of concern or covered person.
- Human ‘omic data and human biospecimen transactions — knowingly engaging in data brokerage, or a vendor, employment, or investment agreement with a country of concern or covered person involving access to bulk human ‘omic data or human biospecimens from which such data could be derived.
- Evasions, attempts, causing violations, and conspiracies — knowingly evading or avoiding, causing a violation of, or conspiring to violate the DSP’s prohibitions.
- Knowingly undertaking or causing to occur transactions that fail to comply with the requirements of the regulation.
Restricted transactions are those involving bulk U.S. sensitive or U.S. government-related data and access to such data by a country of concern or covered person who is a vendor, employee, or investor. Restricted transactions may be subject to security and compliance requirements to prevent access by the country of concern or covered person. A number of recordkeeping and reporting obligations also apply.
Accordingly, if you believe you may be engaged in a prohibited or restricted transaction or have received an offer to do so, reach out to the UW Privacy Office at uwprivacy@uw.edu as soon as possible for guidance.
Yes. A transaction may be exempt from the list of prohibited and restricted transactions if it falls within one of eleven enumerated categories of exempt transactions:
- Personal communications
- Information or information materials – e.g., expressive publications
- Travel
- Conduct of official U.S. government business – e.g., grant funding
- Financial services
- Corporate group transactions – e.g., human resources, payroll
- Transactions required or authorized by federal law
- Certain foreign investment agreements
- Provision of telecommunications services
- Drug, biological product, and medical device authorizations
- Other clinical investigations and post-marketing surveillance data
Note: If a transaction does not fit within one of the above exemptions, it may be prohibited and therefore cannot be engaged in or a restricted transaction subject to the regulations’ security and compliance requirements.
If you think your transaction may be exempt under the regulations, please reach out to the UW Privacy Office at uwprivacy@uw.edu for guidance.
Yes, in some instances. For example, engaging in data brokerage, meaning selling or licensing bulk U.S. sensitive personal data or U.S. government-related data, with a foreign person is permitted only if that person is contractually prevented from engaging in data brokerage of the same data with a country of concern or covered person.
In addition, to ensure the University complies with other prohibitions on data brokerage, specific contract language may need to be included in vendor and partner agreements. If you are providing access to bulk U.S. sensitive personal or U.S. government-related data to a vendor or partner, regardless of whether they are a foreign person, reach out to the UW Privacy Office at uwprivacy@uw.edu for guidance on the need to include such language.
University vendors and partners subject to the DSP also may require such language in their contracts and propose it to the University. If this occurs, please reach out to the UW Privacy Office at uwprivacy@uw.edu to help ensure the language is appropriately scoped to the data involved and the University’s own requirements.
Yes. Federal agencies may issue their own policies or guidance that expand or supplement the regulations, including adding additional data categories. For example, the National Institutes of Health (NIH) has issued the NIH Policy on Enhancing Security Measures for Human Biospecimens (NOT-OD-25-160), placing restrictions on the use of data relating to certain human biospecimens that otherwise is exempt under the regulations.
Because the regulations are new, the regulatory landscape is likely to continue to evolve. If you encounter a federal agency requirement that expands or supplements the regulations, please reach out to the UW Privacy Office at uwprivacy@uw.edu for assistance.
Yes. If the regulations are violated, the DOJ may impose both civil and criminal penalties. If you suspect a violation, reach out to the UW Privacy Office at uwprivacy@uw.edu immediately and work to remediate it as soon as possible.
This webpage provides a high-level overview of the DSP and its requirements. If you have questions about the DSP or its applicability, or if you need assistance, please reach out to the UW Privacy Office at uwprivacy@uw.edu.
Additional information about the DSP and University requirements concerning the sharing of data with individuals and entities outside the U.S. may be found in the below resources:
- Office of Research’s DOJ DSP Decision Tree
- Data Security Program: Fact Sheet (DOJ)
- Data Security Program: Frequently Asked Questions (DOJ)
- Data Security Program: Compliance Guide (DOJ)
- Security Requirements for Restricted Transactionsply/data-storage-access/Offshore Storage of and Access to UW Medicine Data by Third Parties