UK enacts Data Security Compliance Program

LEXINGTON, Ky. (July 8, 2025) — Over the next several months, the University of Kentucky will roll out a Data Security Compliance Program (DSCP).
This new program will be the focus for UK’s compliance with federal requirements in the U.S. Department of Justice’s Data Security Program (DSP). UK’s DSCP will cover all UK employees and all others who interact with UK.
On Jan. 8, 2025, the Department of Justice (DOJ) issued the DSP regulations (28 CFR 202) to prohibit certain transactions involving protected U.S. data.
Under the DSP, the foreign governments identified as Countries of Concern currently include China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela. Covered Persons include individuals or entities subject to the jurisdiction, ownership, control or direction of Countries of Concern, as well as other individuals or entities, from or associated with any country, that the U.S. Attorney General may individually identify.
The types of data covered by the DSP include:
- Sensitive personal data of over a certain number of U.S. persons in any format, regardless of whether it is anonymized, pseudonymized, de-identified or encrypted (human genomic data, other ’omic data, biometric identifiers, personal health or financial data, certain personal identifiers).
- Certain U.S. government-related data that, if accessed by a foreign adversary, could pose a national security risk (both geolocation data for locations that the U.S. Attorney General has determined present a heightened risk of exploitation because of their nature or who works there, and sensitive personal data linkable to current or recent former employees or contractors, or former senior officials, of the U.S. Government, including the military and the intelligence community).
The DSP prohibits knowingly engaging in data brokerage transactions with Covered Persons or Countries of Concern, as well as transactions involving transfers of covered data (e.g., human genomic data) to Covered Persons or Countries of Concern.
Other transactions, including investment, employment or vendor agreements with Covered Persons that provide access to sensitive data, are permitted only if specific Cybersecurity and Infrastructure Security Agency (CISA) requirements are met, along with DSP compliance program requirements, audits and recordkeeping.
Planning is underway to offer DSCP training to employees and others through the myUK Learning application, and details will be communicated when training becomes available.
Attention and adherence to these new rules and training will help UK:
- Take action to protect U.S. national security.
- Provide information recommended by DOJ guidance.
- Ensure employees understand what sensitive data they handle and its classification.
- Ensure employees understand what inadvertent violations could lead to disciplinary actions, including termination.
- Protect the university and individuals from penalties associated with violations.
Questions on the program can be sent to UK_DataSecurity@uky.edu.