Bulk Sensitive Data

University of Florida Data Security Program (Bulk Sensitive Data)

Welcome to the University of Florida's Data Security Program webpage. In compliance with new U.S. Department of Justice (DOJ) regulations, the University is committed to protecting sensitive personal data and government-related data from access by foreign persons or entities from "countries of concern."

The DOJ's Data Security Program, effective April 8, 2025, is a national security measure designed to prevent the transfer of sensitive U.S. data. These regulations, which implement Executive Order 14117, impose requirements on all U.S. persons and entities, including our faculty, staff, and students, who may provide access to such data.

What is Covered Data?

The regulations cover two primary types of data:

• Bulk U.S. Sensitive Personal Data: This includes data on U.S. persons that exceeds specific thresholds. The regulations apply even if the data has been anonymized or encrypted. The six categories of data covered, along with their bulk thresholds, are:
• Human Genomic Data: The data of 100 or more U.S. persons.
• Biometric Identifiers: The biometric identifiers of 1,000 or more U.S. persons.
• Precise Geolocation Data: The precise geolocation data of 1,000 or more U.S. devices.
• Personal Health Data: The personal health data of 10,000 or more U.S. persons.
• Personal Financial Data: The personal financial data of 10,000 or more U.S. persons.
• Covered Personal Identifiers: Personal identifiers (such as full name, physical address, phone number, and Social Security number) of 100,000 or more U.S. persons.
• U.S. Government-Related Data: This includes precise geolocation data near U.S. government facilities or sensitive personal data that is marketed as linkable to U.S. government personnel, regardless of volume.

The regulations are broad in scope, and "access" is defined as any ability to obtain, transfer, store, edit, or read the data.

Who is Affected?

The regulations apply to any University of Florida faculty, staff, or student who may provide access to covered data to a "covered person." A covered person is a foreign person or entity from a "country of concern," which includes:

• China (including Hong Kong and Macau)
• Cuba
• Iran
• North Korea
• Russia
• Venezuela

A "covered person" can be a foreign university, a corporation that is at least 50% owned by a person from a country of concern, or an individual who primarily resides or is employed in one of these countries. The regulations apply to U.S. persons, which includes U.S. citizens, legal permanent residents, refugees, asylum recipients, and anyone physically located in the United States.

What Constitutes a Covered Transaction?

The regulations prohibit or restrict transactions that provide a covered person with access to covered data. This includes:

• Data Brokerage Transactions: The sale or licensing of covered data.
• Vendor Agreements: The provision of services that involve data access, such as cloud storage or data processing. A vendor agreement is defined as “any agreement or arrangement, other than an employment agreement, in which any person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration.” 28 CFR § 202.258.
• Employment Agreements: The employment of a covered person in a position that grants them access to covered data. An employment agreement is defined as “any agreement or arrangement in which an individual, other than as an independent contractor, performs work or performs job functions directly for a person in exchange for payment or other consideration, including employment on a board or committee, executive-level arrangements or services, and employment services at an operational level.” 28 CFR § 202.217. The regulations also provide examples of restricted employment agreements.
• Investment Agreements: Investments by a covered person that grant them access to covered data. An investment agreement is defined as “agreements or arrangements whereby a person gains direct or indirect ownership of a U.S. legal entity or real estate located in the United States.” 28 CFR § 202.228.

Some transactions may be "restricted," meaning they are permitted if specific security and compliance requirements are met. Researchers should be particularly mindful of multi-site clinical trials and international research grants that could be affected by these regulations.

Our Commitment to Compliance

Any data transaction, agreement, or collaboration that involves providing access to covered data to a covered person is subject to the DOJ's regulations. Non-compliance can result in severe civil and criminal penalties and reputational damage to the University and the individuals involved.

The University of Florida is committed to ensuring all research and academic activities involving sensitive data comply with these national security measures. We advise all researchers to assess their work for potential involvement with sensitive data, collaborations with foreign entities, or use of data platforms that might be subject to the DOJ Data Security Program.

Questions and Review Process

If you have questions about whether a research project, collaboration, agreement, or transaction is subject to these regulations, or if it requires a formal review, please direct all inquiries to:

• bulk-sensitive-data@ufl.edu

The Privacy Department will be involving the proper UF partner to each inquiry as issues come forth, to ensure the subject matter expert can connect with the inquiring party.