HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:
Policy
When a project is identified that benefits from the storage and processing capabilities of HiPerGator and that project involves student records, the procedure described below shall be followed.
NOTE: Currently faculty and TAs who work with students and student records on a daily basis all receive FERPA training and are aware of the limitations imposed by the law and where to get advice when issues arise that are not clear to them. This policy does not cover the use of desktop or laptop computers to work on grades of students or similar tasks.
The scope of this policy is when faculty, staff, and researchers use sophisticated tools for larger data sets such as machine learning to learn how to improve learning and teaching outcomes. For example:
- Helping identify students who could benefit from extra help and what the form of that assistance may be.
- Helping instructors for possible auto-grading, or teaching evaluation, etc.
NOTE: Collected documents such as writings of students (essays or homework) that are submitted by students as part of their educational activities count as student record, see https://studentprivacy.ed.gov/ferpa#0.1_se34.1.99_13.
Procedure
When an activity that falls in the scope of this policy, the researcher shall work with various support staff to accomplish the following tasks:
Project registration
A project is registered by entering a Request in UF’s Integrated Risk Management (IRM) system at https://riskmanagement.ufl.edu/apps/ArcherApp/Home.aspx This will record details like the data owner (usually the principal investigator) and the type and size of data involved. The risk assessment by UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.
UFIT Research Computing staff will record the project by its IRM identifier with the researcher’s HiPerGator account. A project specific HiPerGator group will be created to provide access to the data by the role of the project participants, which is encoded as membership of that group.
A data management plan submitted as part of the risk assessment will briefly describe the workflow and disposition of the project data. What participating members are expected and allowed to do with the data will be defined by their role.
Participant agreement and registration
The members of the project group will sign an agreement form that specifies:
- They understand their role in the project
- They will take FERPA basics training in myTraining, course nr. UF_PRIV802_OLT
- They will take HiPerGator training on handling restricted data
A scanned or digitally signed agreement for each project participant is stored in the IRM system.
When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for FERPA violations will be followed as described in the FERPA training.
What is needed
To set up a FERPA group on HiPerGator, UFIT Research Computing needs the following:
- PI Information
- Project Name (and suggested short version for a group name)
- Risk Assessment Number
- Specific staff to add to the group (must be listed on the IRB, must have submitted the Data Management Plan)
- Amount of Orange/Blue storage to allocate from new or existing purchase
Special Precautions
If there are special precautions that apply to the project and are called out in the risk assessment, then such actions or requirements will be added to the agreement.
Restricted Data Project Retirement and Removal
All restricted data projects on HiPerGator are required to have a data management plan filed with the security assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all restricted data projects will have the following retirement conditions:
- Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator ecosystem. This includes, but is not limited to, all restricted data.
- Once removed, the data manager will contact HiPerGator support and open a request to have the top-level project folders removed.
- The UFIT Research Computing staff will then remove all designated project folders and record the project closure date in the support request and any appropriate internal systems.
Abandoned Restricted Data Projects
If the storage investments for a specific restricted data project expire and are not replaced, then the restricted data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. If a PI would like to renew their investments, it should be made within 60 days of the previous expiration date. Once a project has been abandoned for more than 60 days, UFIT Research Computing reserves the right to remove all data from the project folders to maintain the security of the data on HiPerGator systems.
Project Owner/Data Manager Responsibilities
UFIT Research Computing as the operator of the HiPerGator services is responsible for the vast majority of the security and compliance controls, but compliance and security are a shared responsibility, and some responsibilities, with accountability, fall on the principal Investigator (PI) or the designated data manager of the approved project involving restricted data and the authorized members of the project team.
The users and their project supervisors/mentors are responsible for ensuring that the endpoints used to access HiPerGator follow UF standards:
- All persistent storage within mobile computing devices will be encrypted:
(https://policy.ufl.edu/policy/mobile-computing-and-storage-devices-policy/) - Screen lock after 15 minutes of inactivity
- Use devices in locations where shoulder surfing is not possible
- If transferring files via Globus, it is the responsibility of the user/project manager to enforce the use of encrypted communication options available in Globus for the incoming or outgoing data transfers.
The PI is responsible for providing instructions to authorized users when they telework from approved locations to ensure that these procedures are followed. Users will also be instructed to not access the HiPerGator system and their restricted data projects from their endpoints while in public locations like airports, libraries, and other public venues such as coffee shops.
Each approved restricted data project will designate a data manager, whose responsibilities are listed below:
- Record and maintain the signed Rules of Behavior form (paper or electronic) signed by each user after training. Provide a copy of this list as a report to UFIT Research Computing quarterly.
- The list of authorized participants is maintained in the IRB record for projects involving PHI research, the UFHealth risk assessment record for projects involving operational work with PHI, the technology control plan (TCP) for ITAR/EAR project work, and the UFIT risk assessment system for FERPA projects. This requirement can be satisfied by pulling that information from the IRB, TCP, or relevant risk assessment database.
- Keep a record of when users complete training and ensure that training is renewed annually. Provide a report to UFIT Research Computing quarterly of this list. Training examples include:
- HIPAA training (PHI)
- FERPA training (FERPA)
- Export control training (Export controlled data)
- Protecting UF: Information Security Training
- Verify and review authorized accounts regularly, at least once per month, and notify UFIT Research Computing staff immediately when users leave the project or change roles in the project (e.g. when they take on a new job in the university or leave the university) so that access to the restricted data project can be removed.
- If the restricted data project involves transaction-based systems, the project manager and team are responsible for ensuring transactions can be recovered in the case of failures. This can be implemented in collaboration with UFIT Research Computing staff.