Procedures for Regulated Data on HiPerGator
Project Registration with Integrated Risk Management
Any project with regulated data must be registered by entering a request in UF's Integrated Risk Management (IRM) system (note that only certain users have access to the IRM). This records the following details of the project to meet part of the documentation controls:
- The data owner, usually the principal investigator or the designated data manager for the project.
- The type and size of data involved
- Additional approvals, depending on the nature of the work:
| Data/project type | Documentation system |
| --- | --- |
| PHI or Limited Data Sets | Provide the Institutional Review Board (IRB) record number. |
| Operational work with PHI | Provide the UFHealth Risk Assessment record number. |
| For work with NIH GDS data * | Provide the UF Office of Research UFIRST Agreement number (of the form AGR000XXXXX, found in the top right of the UFIRST Agreement). |
| Other NIH data | For other NIH data with DUAs or Data Use Certifications (DUC), these should be attached to the UFIT IRM. |
| For other sponsors requiring NIST 800-171 (e.g., NASA) | Provide the UF Office of Research UFIRST Agreement number (starting with AGR, found in the top right of the UFIRST Agreement). |
| FERPA | The IRM alone will be used. |

\* For NIH data:
- Many use cases involving GDS data will also have an IRB. In that case, both the IRB number and the UFIRST Agreement number need to be supplied.
- If a DUA is in place for multiple IRB projects, the GDS data will be stored separately from the IRB project data so that DUA-authorized people do not gain unauthorized access to IRB data without explicit authorization in the IRB approval.

Streamlining the IRM process
The risk assessment by the UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.
To ensure a streamlined review, please make sure to select:
- For HiPerGator, in the "Usage Purpose" section of the assessment form, select "Regulated data on HiPerGator".
- For Export Controlled and CUI projects, in the "Data Usage" section, select "Export Controlled (ITAR, EAR)".
Data Flow Diagram
A data flow diagram is needed: the Data Flow Diagram Template (requires UF login) can be downloaded, edited, and added to the IRM record. The link is also available within the IRM system.
Data Management Plan
Resource Allocation on HiPerGator for Regulated Data Groups
A project-specific HiPerGator group will be created to provide access to the data. PIs will need to make investments in the storage space needed for the project. While NCU and GPU allocations can be shared across regulated and non-regulated groups, storage must be allocated to each regulated project individually.
Data will be stored in directories in the Blue or Orange filesystems that are not exported by the SMB service to limit opportunities for unauthorized distribution of regulated data.
Only individuals who are listed in the additional approval documents and who have submitted the Rules of Behavior (ROB) and User Agreement form can be added to the group.
Users can only be added to regulated data groups if:
- They are listed in the authorized participants documentation.
- They have submitted signed Rules of Behavior and User Agreement.
Regulated group directories are different than normal groups
While UFIT Research Computing makes it somewhat transparent to users, there are important compliance differences between regular group directories and those for regulated data. Users must take care to keep regulated data in the correct group directory.
Establishing a Regulated Research Group on HiPerGator
Once the IRM process has been completed, the PI should open a UFIT Research Computing Support Request with the following information:
- PI Name:
- If applicable, Data Custodian name:
- Project Name (and suggested short version for a group name)
- Risk Assessment Project Number
- When a request on the risk management site is opened, a Request Number will be sent.
- The Risk Management team will then create a Categorization number, and then create a Project Number. That Project Number is what is needed.
Please do not open your request with UFIT Research Computing for a HiPerGator PHI Group until you have that Project Number.
A HiPerGator Regulated Research Group cannot be created until that Risk Assessment Project has been marked as 'complete' by the Risk Assessment team.
- Authorization source, one of the following:
  - IRB #
  - UFHealth risk assessment number
  - GDS DUA number UFIRST AGR000XXXXX
  - GDPR agreement number UFIRST AGR000XXXXX
- Specific staff to add to the group (must be listed on the authorization source above, and must have the signed Rules of Behavior and User Agreement form entered in the IRM request).
- Amount of Orange/Blue/Red storage to allocate from new or existing purchase
Timeline on HiPerGator
The procedure to set up the use of HiPerGator with regulated data involves several steps that each take time. It is important to consider this when planning a project.
- Get an IRB, UFHealth Risk Assessment, or signed DUA. See the details above for which one you need and when. This can take several weeks, sometimes months.
- UFIT Risk request:
- If you have all the information ready, this takes a few days to a week.
- You need an IRB number, UFHealth Risk Assessment number, or a signed GDS DUA with the Office of Research record number.
- You need all participants to submit the signed participant registration and agreement form.
- You need a data flow diagram.
- Make sure the team takes the required training and signs the agreement listed above. This can take a week to several weeks if people do not respond quickly to requests from the principal investigator.
- HiPerGator storage (and optionally, compute) resources are purchased or requested to be re-allocated from another investment.
- HiPerGator group creation cannot start until all of the above are in place. Once in place, groups are generally created in 3-4 business days.