This page is intended to provide answers to questions you may have about research data security classification, requirements and resources. Expand each entry for a brief summary and links to additional information and resources.
Did you know that at UVA...
University research data (inputs or results) that have not been published/released, whether or not subject to regulatory or contractual confidentiality/privacy requirements, are "sensitive data" (at minimum) under University policy, IRM-003, Data Protection of University Information. If research data requires restrictions on access or must be protected from release under law or regulation it is likely "highly sensitive data". As such, research data must be used only to conduct official University business and be protected from unauthorized access or release in accordance with the applicable University Data Protection Standard (UDPS).
When a discrepancy exists between a UDPS and an applicable external data protection standard (e.g., ones required by law or regulation; imposed by a data provider, or research sponsor) the more stringent will apply and must be implemented to safeguard the data. For example, identifiable medical information for military services members could be "highly sensitive data" under IRM-003, subject to the Health Insurance Portability and Accountability Act (HIPAA; patient confidentiality requirements); and designated in the research contract as controlled unclassified information (CUI; requiring safeguarding in accordance with NIST SP 800-171).
Research data (inputs or results) that have not been published or released are also generally exempt from Virginia Freedom of Information Act (FOIA). The two sections of FOIA most likely to exclude research data from disclosure are § 2.2-3705.4. Exclusions to application of chapter; educational records and certain records of educational institutions; and § 2.2-3705.6. Exclusions to application of chapter; proprietary records and trade secrets.
These designations and standards are important so that you, as the custodian of University data, retain control over when and how to release the results of your research and scholarship. Data safeguarding is particularly important for research that results in technology developments where there is a desire to submit patent applications prior to publishing or to protect resources that provide you and your research team a competitive advantage in securing future research funding.
Research Data Services & Sciences, part of the University of Virginia Library, provides a variety of resources, software and services to support research data management. This includes hosting LibraData for the deposit and discovery of UVA datasets and other scholarly data with UVA’s instance of Dataverse. For more information check out the FAQs about LibraData or contact libra@virginia.edu.
Records & Information Management’s (RIM) is available to assist with all aspects of managing research records. RIM provides:
- The University Records Management Application (URMA), a web-based tool designed to assist departments in maintaining an inventory of their records.
- On-site and virtual consultations about proper retention, storage, and destruction of research records. Email records@virginia.edu to schedule a consultation.
Information Technology Services (ITS) is an central service groups that provides IT infrastructure and services for the Academic Division, many at no cost to the individual user. While they provide a wide resources and services, here are a few related to research data security and secure collaboration. Before selecting a service, tool or platform you should review the details carefully to make sure it is appropriate to the category of data you will be using/storing, e.g., sensitive data or highly sensitive data as defined in University policy IRM-003, Data Protection of University Information.
- Collaboration Tools: For each type of activity, this website provides a list of appropriate/available tools for different host and participant combinations. A link is provided for information on each listed tool.
- Sponsored Accounts: Allow people who are not UVA employees to access general computing services like email, Office 365, UVA Box, etc. They can be requested for a variety or roles and reasons, for example: unpaid interns; visiting students, professors, or scholars; collaborators or contractors. A sponsored account may also be required to access certain locally-managed (e.g., school or department) IT systems.
- Storage, Hosting & Servers: Provides access to a variety of available services (some of them at no charge) for data storage, backup, and hosting. This includes UVABox, Cloud Services (e.g., Azure or AWS) and Data Centers.
- UVA Software Gateway: Provides access to various types of software (e.g., Assistive Technologies; Connectivity & Remote Access; Data Analysis & Research; Microsoft; and Events, Video Conferencing & Web) licensed by the University and available to members of our community.
- Security: Provides access to products and services such as Antivirus software, SSL Server Certificates, Data Loss Prevention, Application Safelisting, Website Security, Vulnerability Management, and Information Security.
Research Computing is a UVA support team whose mission is to empower researchers to achieve more through the use of cutting-edge computational resources. They provide platforms and services for high performance computing, data analysis, image processing & visualization, bioinformatics & genomics, cloud solutions, and project consulting. For more information visit the Research Computing website.
Research Computing offers two local high performance computational facilities available to researchers, Rivanna and Ivy. Depending on your use case, privacy/safeguarding requirements, and the applications you'll need to run, one of these facilities may meet your needs. Both allow remote access.
Ivy is a secure computing environment consisting of virtual machines (Linux and Windows) that can be used to process and store sensitive data and highly sensitive data. A separate environment within Ivy, called Ivy-CUI, has been established for work with controlled unclassified information (CUI) and covered defense information (CDI). Ivy-CUI meets the safeguarding requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. See the CUI webpage for additional information.
UVA intends for Ivy and Ivy-CUI to be certified for Cybersecurity Maturity Model Certification (CMMC) Level 1 (basic safeguarding) and Level 3 (NIST SP 800-171 plus additional controls), respectively, when required by Department of Defense (DoD) contracts.
Virginia Assuring Controls Compliance of Research Data (ACCORD) is an initiative supported by the Vice Provost of Academic Technology. ACCORD is a cyberinstrument project being developed by a consortium of eleven public universities. Led by the University of Virginia at Wise, the consortium aims to address a pressing need in the research community by providing a secured, capable, and accessible cyberinstrument that allows diverse data with different protection requirements to be hosted on shared computing resources. ACCORD is built as the first compliant-capable community cyberinfrastructure for handling highly sensitive research data.
ACCORD resources and services are free to researchers at public and not-for-profit institutions (per availability). Priority is currently being given to projects related to the COVID pandemic. ACCORD leverages UVA Research Computing resources. For more information, visit the ACCORD Cyberinstrument Project website.
Records & Information Management’s (RIM) goal is to ensure that records are efficiently managed, retained, and destroyed in compliance with all state and federal regulations.
The resources available through RIM include:
- On-demand training videos and live webinars. Researchers should begin with Records & Information Management Basics before completing Managing Research Records.
- Tip sheets designed to provide succinct guidance around common challenges. The Research Records Classification tip sheet is especially useful for researchers.
- Access to economic off-site physical records storage through a University-approved vendor.
- The University Records Management Application (URMA), a web-based tool designed to assist departments in maintaining an inventory of their records. This is especially challenging with research records that need to be retained years after the project has closed.
RIM encourages one-on-one consultation to address department-specific questions and concerns. Contact RIM at records@virginia.edu to schedule a consultation. RIM is here to help!
The Office of Sponsored Programs (OSP) follows RIM's guidance on retention and disposition of records in their system(s) and files. Visit the OSP website for more information about sponsored programs systems, procedures, resources and services.
Reminder: Only individuals authorized under University policy FIN-036, Signatory Authority for Executing University Contracts, may sign licenses and other agreements related to the acquisition of data sets or software/source code for use in University research. As part of their review and negotiation, institutional signatories are responsible for consulting other appropriate offices, e.g., to address intellectual property, export control, or data protection/safeguarding provisions.
Data Use Agreements (DUA) are a type of contract that establishes terms for the transfer between organizations of nonpublic data to be used for research. They should be used for incoming or outgoing transfers of research data. DUAs clearly specify who may use the data, for what purposes, what safeguarding measures must be taken, and how the provider should be acknowledged in any publications.
This is one of many types of research agreements that contract negotiators in the Office of Sponsored Programs (OSP) may execute to support University research and scholarship activities. DUAs for incoming or outgoing data exchanges, should be initiated in ResearchUVA (behind Netbadge). Research administrators in your department, division or school are available to help with the request process.
For more about research agreements and other information about sponsored research, visit the OSP website.
Software Licenses and Purchasing of Data Sets are subject to University procurement policies and procedures managed by Procurement and Supplier Diversity Services (PSDS), a division of UVAFinance. Staff in Procurement Operations are responsible for negotiating terms and conditions acceptable to the University as part of the procurement process.
Export and Sanction Licenses are sometimes required to legally transfer controlled information (including source code), technology, items and services to foreign collaborators or to foreign national team members in the U.S.
UVA's Office of Export Controls (OEC) performs export assessments and, when needed, applies for licenses to support University activities subject to the regulatory requirements of US embargoes and trade sanction programs, Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), and other regulations governing the international transfer of controlled information, technology, items and services.
See University policy FIN-043, Managing Export and Sanction Compliance in Support of University Activities, and the Export Controls website for more information. For help contact OEC at export-controls@virginia.edu.
Research Data Services + Sciences professionals offer their expertise to support your research activities in areas such as
- finding & managing data;
- data analysis, visualization & computation;
- navigating and understanding the changing scholarly landscape (e.g., impact factors, altmetrics, open access and copyright); and
- incorporating Library resources into your courses to enhance student research and learning and develop information literacy.
In particular, if you're looking for help developing an overall strategy for managing your research data (active data and/or archives) or drafting the data management and data sharing aspects of your research proposal, check out the Data Management Planning Support and Data Management Components pages in the Research Data Management section of the RDSS website.
Research Data Services + Support stays current with changing federal agency requirements, including the National Institutes of Health's updated Data Management and Sharing (DMS) policy which is effective for January 25, 2023.
Be sure to discuss any data privacy and safeguarding requirements that apply to your research data so that they can be incorporated into your overall data management strategy, proposal/award specific data management plans, and provisions for data sharing and access. Particularly with the new NIH Data Management and Sharing (DMS) policy, effective for applications for receipt dates on or after 1/25/2023, it will be critical to thoughtfully consider informed consent language when developing your DMS plan and budget and to make sure they remain aligned throughout the research lifecycle. NIH's new sharing website (https://sharing.nih.gov) offers excellent resources for developing DMS plans.
You can find the RDSS Science Liaisons assigned to each Social, Natural or Engineering Sciences area HERE and the Subject Liaisons for Academic Units HERE.
What is the IRB?
The Institutional Review Board (IRB) administer UVA's human subject protection program, which advocates for human subjects in research by working in concert with UVA researchers to ensure that they have the education and tools they need to work ethically with participants in their research studies. Together with partner offices, the IRB also helps researchers navigate and stay in compliance with federal laws and regulations as well as sponsor requirements, including but not limited those related to data privacy and protection/safeguarding.
UVA has two IRBs, one for social and behavior sciences (IRB-SBS) and the other for health sciences research (IRB-HSR).
How do I know if my research requires IRB approval?
It is the responsibility of each investigator to seek IRB review and approval prior to initiation of any research involving human subjects or before conducting any clinical investigation. The investigator is responsible for making a preliminary decision regarding whether his/her activities meet either (a) the Department of Health and Human Services (DHHS) definitions of both "research" and "human subjects" and/or (b) the FDA definitions of both "clinical investigations" and "human subjects."
See the Determination of Human Subject Research page for more information on making this determination.
Can I use data collected by someone else for another purpose to conduct research?
Often yes. For more information, review the IRB-SBS's Secondary Use of Existing Data web page and/or the IRB-HSR's answer to the question "Use of data from which Public Data Sets is NOT considered Human Subject Research?" (the answer includes a list of public data sets that can be used without IRB approval).