Procedures for All Regulated Data Projects
Project Owner/Data Manager Responsibilities
UFIT Research Computing, as the operator of the HiPerGator and HiPerGator-RV services, is responsible for the vast majority of the security and compliance controls. Compliance and security are a shared responsibility, however, and some responsibilities, with accountability, fall on the Principal Investigator (PI) or the designated data manager of the approved project involving regulated data, and on the authorized members of the project team.
- Record and maintain the signed Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
- For each regulated project, a support ticket will be created quarterly, listing users associated with the project.
    - PIs will need to reply to that ticket after verifying that each user should continue to have access and that training is up-to-date for all users.
    - Failure to reply to the ticket within three weeks will result in access to the storage being limited.
    - After a month, access to project data will be prevented until deficiencies are addressed.
- The list of authorized participants is maintained in the following systems:

| Data/project type | Documentation system |
|---|---|
| PHI | The IRB |
| Operational work with PHI | The UFHealth risk assessment record |
| ITAR/EAR | The Technology Control Plan (TCP), maintained in UF RISC's Export Mitigation Database |
| FERPA | The UFIT IRM |
| NIH dbGaP data | The NIH GDS Data Use Agreement (DUA) and Data Access Application from the PI should be attached to the UFIT IRM |
| Other NIH data | For other NIH data with DUAs or Data Use Certifications (DUC), these should be attached to the UFIT IRM |

- Keep a record of when users complete training and ensure that training is renewed annually. Training examples include:

| Data/project type | Required Training (Courses are in myTraining) |
|---|---|
| For ALL projects | Protecting UF: Information Security Training (UF_ITT102v_OLT) |
| HIPAA/PHI | At least HIPAA Awareness Training (UF_PRV800v_OLT) |
| FERPA | FERPA training (UF_PRV802_OLT) |
| Export controlled | Export Controls: The Basics (UF_RSH613_OLT); Export Controls: UF Project Personnel (UF_RSH633_OLT); for the PI: Export Controls: UF Administrators (UF_RSH623_OLT); additional TCP training as needed |

- Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the regulated data project can be removed.
- If the regulated data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.
- The users and their supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator or HiPerGator-RV follow UF standards:
    - All persistent storage within mobile computing devices will be encrypted (see UF's Mobile Computing and Storage Device Policy).
    - Computer and mobile device screens should lock automatically after no more than 15 minutes of inactivity.
    - Users will also be instructed not to access the HiPerGator or HiPerGator-RV systems and their regulated data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.
- If transferring files via Globus (if permitted for the data type), it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.
- These standards also apply to users who telework when approved. Note that most projects with TCPs do not allow work off-campus.
Special Precautions
If there are special precautions that apply to a project and are called out in the risk assessment, then such actions and requirements will be added to the security responsibilities of the PI, data manager, and users as documented in the IRM and will become part of regular review, vulnerability scanning, and/or risk reassessments, depending on the level of risk assessed for the set of special precautions.
Regulated Data Project Retirement and Removal
All regulated data projects on HiPerGator and HiPerGator-RV are required to have a data management plan filed with the security risk assessment. This data management plan must include a section on project retirement and removal. Unless otherwise approved by the director, all regulated data projects will have the following retirement conditions:
- Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator or HiPerGator-RV ecosystem. This includes, but is not limited to, all regulated data.
- Once removed, the data manager will contact UFIT Research Computing support and open a request to have the top-level project folders or the HiPerGator-RV team removed.
- The UFIT Research Computing staff will then remove all designated project folders/teams and record the project closure date in the support request and any appropriate internal systems.
Abandoned Regulated Data Projects
If the storage investments for a specific regulated data project expire and no new investments are made, then the regulated data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. The standard UFIT-RC Data Removal policies will be followed.