Data Regulation Guide

Important Disclaimer

This guide provides general information about regulatory requirements that commonly apply to university data. You are responsible for ensuring compliance with all applicable laws, regulations, and policies, including those not listed in this document. This guide is not legal advice and does not replace consultation with university legal counsel, compliance officers, or domain experts for specific situations.


Regulation Priority Tiers

Tier 1: ALWAYS REQUIRED (Everyone Must Comply)

These apply to all university data activities regardless of data type:

Regulation | Authority | Key Requirements
NIST Cybersecurity Framework 2.0 | UA Board requirement | Risk identification and protection of critical data assets
Arkansas Personal Information Protection Act | Arkansas State Law | 72-hour breach notification for Arkansas residents
Arkansas Act 260 Incident Reporting | Arkansas State Law | 72-hour notification requirement for security incidents
UA System Policy 285.1 Cybersecurity | University Policy | Comprehensive cybersecurity controls
UAF Policy 921.0 Data Classification | University Policy | Four-tier classification: public/sensitive/highly sensitive/restricted
UAF Policy 922.0 Data Management | University Policy | Data governance across lifecycle
UAF Policy 911.0 Data Security Incident Response | University Policy | Incident response and escalation procedures


Tier 2: DATA-SPECIFIC (When You Have This Type of Data)

These apply only when you handle specific types of data:

Regulation | Applies When | Key Requirements
FERPA | Any student education records | Restricts disclosure without consent; lifetime protection
HIPAA/HITECH | Any health information | Administrative, physical, technical safeguards; breach notification
GLBA | Any financial information | Information security program; privacy notices
PCI DSS | Credit card processing | 12 core requirements including encryption
COPPA | Data from children under 13 | Parental consent requirements
GDPR | Personal data of EU residents | Data subject rights; consent management
Library Privacy Laws | Library patron records | Very strict confidentiality requirements
CJIS | Criminal justice information | Advanced authentication; audit trails
NCAA Compliance | Student-athlete information | Student-athlete privacy and eligibility records

Tier 3: CONTRACT-SPECIFIC (Only When Required by Contracts/Grants)

These apply only when mandated by specific contracts or grants:

Regulation | Required By | Key Requirements
NIST SP 800-171 | DOD contracts with CUI | 110 security requirements; multifactor authentication
CMMC | DOD contracts requiring certification | Tiered security maturity model; third-party assessment
FedRAMP | Federal cloud services | Continuous monitoring; 300+ security controls
Export Controls (EAR/ITAR) | International technology transfer | Technology export controls; U.S. person restrictions
NSPM-33 | Foreign research collaboration | Foreign affiliation disclosure; conflict management

Complete Regulatory Matrix

Federal Regulations

Regulation | Data Types | UARK Domains | Summary
FERPA | Student education records | Student/Academic/Enrollment | Protects privacy of student education records
HIPAA | Protected Health Information | Health Services | Protects health information privacy and security
HITECH | Electronic PHI | Health Services | Strengthens HIPAA with breach notification
GLBA | Financial information | Finance/Student Financial Aid | Protects financial information privacy
PCI DSS | Credit card data | Finance/Student Services | Secures payment card information
COPPA | Children under 13 data | Student/Outreach | Protects children's online privacy
GDPR | EU resident personal data | All domains with EU data | EU data protection regulation
Privacy Act of 1974 | Federal records | Research with federal agencies | Federal privacy protections
NIST SP 800-171 | Controlled Unclassified Information | Research with federal contracts | Protecting CUI in nonfederal systems
CMMC | DoD contract information | Research with DoD contracts | DoD cybersecurity maturity certification


Arkansas State Regulations

Regulation | Data Types | Key Requirements
Arkansas Personal Information Protection Act | PII of Arkansas residents | Data protection; 72-hour breach notification
Arkansas Act 260 Incident Reporting | All data systems | 72-hour incident reporting to legislative auditor
Arkansas Consumer Protection Against Spyware Act | Systems with potential spyware | Anti-spyware protections


University of Arkansas Policies

Policy | Data Types | Key Requirements
UAF 921.0 Data Classification | All university data | Four-tier classification system
UAF 922.0 Data Management, Use and Protection | All university data | Data governance throughout lifecycle
UAF 911.0 Data Security Incident Response | All data systems | Incident response procedures
UAF 309.1 Payment Card Security | Payment card data | University-specific PCI DSS implementation
UAF 206.7 Export Control Compliance | Controlled technology | Export control compliance procedures

University Data Classification System

All data must be classified according to UAF Policy 921.0:

  • Public: Information approved for public release
  • Sensitive: University operations data not intended for public sharing
  • Highly Sensitive: PII that could cause serious harm if compromised (names, SSN, demographics, HR data)
  • Restricted: Data governed by federal, state, or local regulations (FERPA, HIPAA, GLBA, etc.)

Common Data Types and Applicable Regulations

Student Data

  • Education Records: FERPA (always), Arkansas Personal Info Act, UA policies
  • Financial Aid: FERPA, GLBA, SAIG requirements, UA policies
  • Health Records: FERPA, HIPAA/HITECH (if applicable), UA policies
  • International Students: FERPA + export control considerations

Employee Data

  • HR Records: Employment privacy laws, EEO reporting, Arkansas Personal Info Act
  • Compensation: FLSA, EEO reporting, highly sensitive classification
  • Health Information: HIPAA/HITECH, ADA/ADAAA, UA policies

Research Data

  • Federal Contracts: Depends on agency (NIST 800-171, CMMC, FedRAMP)
  • International Collaboration: NSPM-33, export controls
  • Human Subjects: IRB requirements, HIPAA (if applicable)

Financial Data

  • Payment Processing: PCI DSS, GLBA, Arkansas Personal Info Act
  • Banking Information: GLBA, Arkansas Personal Info Act
  • Audit Records: Various depending on funding source

Quick Start: Decision Tree

Step 1: Does your data include any of these types?

If YES to any item below, the corresponding regulation ALWAYS APPLIES:

  • Student information of any kind → FERPA applies (lifetime protection, includes alumni)
  • Health/medical information → HIPAA/HITECH applies
  • Financial/payment information → GLBA applies
  • Credit card processing → PCI DSS applies
  • Information from children under 13 → COPPA applies
  • Library patron records → Library Privacy Laws apply (very strict confidentiality)
  • Criminal justice information → CJIS applies
  • Employee personal information → Employment Privacy Laws apply
  • EU resident data → GDPR applies

Step 2: Do you have federal contracts or grants?

  • DOD contracts → NIST 800-171, DFARS, possibly CMMC
  • NSF/NIH grants → Federal grant requirements
  • DOE contracts → DOE 952.204-77
  • NASA contracts → NASA 1852.204-76

Step 3: Are you working with international partners or controlled technology?

  • Foreign collaborations → NSPM-33
  • Technology export → EAR/ITAR
  • Controlled technology research → Export Control Compliance

Step 4: Everyone must comply with (Tier 1 - Mandatory):