Skip to main content

DataTags Dataset Deposit Interview

Share sensitive data with confidence

To try the demonstration for a dataset you have in mind, please click the "Start Tagging" button.

About This Questionnaire

This is a sample questionnaire that covers three main areas of U.S. privacy law. It is designed to elicit from the user the key properties of a dataset that are relevant to determining whether privacy risks or restrictions from these laws constrain how it can be handled.

The questionnaire demonstrates how complex legal standards from different statutes, regulations, and policies can be conveyed clearly to users and used to assign tags to a wide range of datasets. For instance, it provides detailed definitions and multiple examples to aid the user in interpreting legal concepts and applying them in different contexts.

Based on the user’s responses to the questionnaire, DataTags generates a set of tags that describe the properties of a dataset, which laws are applicable, and how the dataset can be stored, transmitted, or used according to the relevant laws, contracts, and policies.


With this sample questionnaire, you can navigate some of the data use and sharing requirements in the following three areas of U.S. privacy law. learn more

Statutes and Regulations Covered

The sample questionnaire is designed to help a researcher understand whether rules from any of the following U.S. privacy laws and regulations govern the storage, transmission, or use of a specific dataset. It aims to cover a subset of the laws most relevant to the sharing of sensitive research data in the United States, but it does not address categories of information beyond the scope of the following list of laws.

Privacy of medical records

  • The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 45 C.F.R. Part 160 and Subparts A and E of Part 164, which regulates the use and disclosure of protected health information held by covered entities such as health care providers
  • The substance abuse confidentiality regulations, 42 C.F.R. Part 2, which protect the confidentiality of the medical records of patients seeking treatment for alcohol or drug abuse

Privacy of education records

  • The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, which safeguards student records maintained by an educational agency or institution
  • The Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. § 1232h, which establishes privacy-related procedures for certain surveys, analyses, and evaluations funded by the US Department of Education
  • The Education Sciences Reform Act of 2002, 20 U.S.C. § 9573, which restricts the collection, use, and dissemination of education data in research conducted by the Institute of Education Sciences

Privacy of government records

  • The Privacy Act of 1974, 5 U.S.C. § 552a, which establishes fair information practices for protecting personally identifiable records maintained by federal agencies
  • The Confidential Information Protect and Statistical Efficiency Act (CIPSEA), 44 U.S.C. § 3501 note, which protects confidential data collected by U.S. statistical agencies
  • Title 13 of the U.S. Code, which protects the confidentiality of Census Bureau data
  • The Driver’s Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, which restricts the disclosure of personal information from state department of motor vehicle records
Medial Records

Health information protected by HIPAA and federal substance abuse confidentiality regulations

Education Records

Student information covered by FERPA and laws protecting research funded by the Department of Education and the Institute of Education Sciences

Government records

Personal information held by government agencies, including statistical agencies and state departments of motor vehicles, and safeguarded by federal law


The chart below displays the range of tags that may be suggested at the conclusion of the demonstration. These tags cover properties such as the regulatory classification of the information, the sensitivity of the information, the terms of governing contractual agreements, and the appropriate data security and other handling requirements.

Code One of:
blue green yellow orange red crimson
Part2 One of:
deidentified veteransMedicalData consent scientificResearch
HIPAA Some of:
waiver authorization safeHarborDeidentified expertDetermination limitedDataset businessAssociateContract
FERPA Some of:
deidentified directoryOptOut directoryInfo schoolOfficial study consent audit
PPRA Some of:
protected protectedDeidentified consent optOutProvided marketing
ContractOrPolicy One of:
no yes
DPPA Some of:
highlyRestricted required stateConsentLimited stateConsentBroad requesterConsentLimited requesterConsentBroad research exception
CIPSEA Some of:
deidentified identifiable
PrivacyAct Some of:
deidentified identifiable
Census Some of:
ESRA Some of:
restricted public
IP value placeholder
Harm One of:
noRisk minimal shame civil criminal maxControl
Effort One of:
anonymous deidentified identifiable identified
Identity One of:
noPersonData notPersonSpecific personSpecific
Authentication Some of:
None Email OAuth Password
Approval One of:
None Email Signed
Transit One of:
clear encrypt doubleEncrypt
Storage One of:
clear serverEncrypt clientEncrypt doubleEncrypt
auth One of:
approval none
Acceptance One of:
Click Signed SignWithID
Use One of:
NoRestriction Research IRB NoProduct
Publication One of:
NoRestriction Notify PreApprove Prohibited
Reidentify One of:
NoMatching NoEntities NoPeople NoProhibition Reidentify Contact
TimeLimit One of:
none _50yr _5yr _2yr _1yr
Sharing One of:
Anyone NotOnline Organization Group NoOne
Auditing One of:
NotNeeded Yearly Monthly

To try the demonstration for a dataset you have in mind, please click the "Start Tagging" button.

Start Tagging