DOJ Regulations on Bulk U.S. Sensitive Data

Key Concepts

  • Bulk U.S. Sensitive Personal Data: Includes large volumes of health, financial, biometric, and other personally identifiable information.
  • Covered Persons: Individuals or entities associated with countries of concern.
  • Countries of Concern: Currently includes China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.
  • Government-Related Data: Includes geolocation data tied to sensitive U.S. government sites and data linked to federal employees or contractors.

Want a quick overview?

Access IAPP’s Data Security Program Cheat Sheet here.

FAQs

The prohibitions and restrictions generally apply to covered data transactions involving a country of concern or covered person and sensitive personal data that meets or exceeds certain bulk volume thresholds.

The rule identifies six categories of personal data, along with designated bulk thresholds:

  1. Covered personal identifiers - any “listed identifier” when combined with, linked to, or linkable to any other listed identifier.
  2. Precise geolocation data - data, whether real-time or historical, that identifies the location of a device or individual (e.g., GPS coordinates).
  3. Biometric identifiers - measurable physical characteristics or behaviors used to recognize or verify the identity of an individual (e.g., facial images, voice prints and patterns, retina scans, palm prints and fingerprints, gait, and keyboard usage patterns that are enrolled in a biometric system).
  4. Human genomic data and three other types of human ‘omic data:
    • Human genomic data such as data representing nucleic acid sequences that comprise the entire set or a subset of the genetic instructions found in a human cell, including results of a “genetic test” and biospecimens.
    • Human epigenomic, proteomic, or transcriptomic data.
  5. Health data - health information that indicates, reveals, or describes the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of healthcare to an individual (e.g., height, weight, vital signs, symptoms, test results, diagnosis, exercise habits, prescription history).
  6. Financial data - data about an individual's credit, charge, or debit card, or bank account.

Sensitive personal data is bulk U.S. sensitive personal data when it meets or exceeds the bulk thresholds below, whether through a single covered data transaction or aggregated across multiple data transactions in the preceding twelve months involving the same U.S. person and the same foreign person or covered person:

U.S. Sensitive Personal Data | Threshold of data collected about or maintained on…
Human genomic data | 100 U.S. persons
Human epigenomic data | 1,000 U.S. persons
Human proteomic data | 1,000 U.S. persons
Human transcriptomic data | 1,000 U.S. persons
Biometric identifiers | 1,000 U.S. persons
Precise geolocation data | 1,000 U.S. devices
Personal health data | 10,000 U.S. persons
Personal financial data | 10,000 U.S. persons
Covered personal identifiers | 100,000 U.S. persons
Combined data, as described in § 202.205(g) | Lowest applicable number

Researchers should:

  • Assess whether their research involves: 
    • Accessing or sharing sensitive data types listed above.
    • Collaborating with foreign entities or researchers from countries of concern.
    • Utilizing data platforms or services that may be subject to DSP restrictions.
  • Ensure that any data sharing or collaboration complies with DSP restrictions.
  • Review the DSP Compliance Guide provided by the Department of Justice National Security Division (NSD).
  • For assistance in understanding specific compliance scenarios, refer to the U.S. Department of Justice’s frequently asked questions.

Contact RSO

The Research Security Office is here to assist faculty and researchers. Please contact us at: rsohelp@iu.edu
