This Regulation summarizes UNC Charlotte’s comprehensive security program (the “Program”) for handling electronic data that is (a) received from third parties and (b) subject to contractual access restrictions. Such restrictions generally require the execution of agreements under such names as Data Sharing Agreement, Restricted Use Agreement, Restricted Use Data Agreement and License, Restricted Data Use Agreement, Limited Data Set Use Agreement, etc. This document describes the Program elements pursuant to which the University intends to:
i. Ensure that adequate precautions are implemented prior to receiving such data;
ii. Maintain the security and confidentiality of covered data; and
iii. Protect against the unauthorized access or use of such records or information in ways that could violate the University’s agreements with third parties who supply such data.
The Program incorporates by reference any relevant provisions in University Policy #303, #307 and #311, and is in addition to any policies and procedures that may be required pursuant to other federal and state laws and regulations.
The Program applies to all Restricted Data maintained by the University. For the purposes of this Regulation, “Restricted Data” shall be defined as any nonpublic electronic data that are received by the University from a third party pursuant to a written contract and which is subject to restrictions limiting access to specifically named or designated individuals.
The Dean of each College shall designate in writing one person to serve as the Data Security Officer (DSO) for that College with respect to this Program. Each DSO appointment shall be identified in writing by the Dean to appropriate administrative staff in the relevant College and to (a) the Contracts Manager for Research and Economic Development (Contracts Manager), (b) the ITS Information Technology Security Officer, (c) the Office of Legal Affairs, and (d) the Internal Audit Director. The Contracts Manager shall coordinate appropriate training for the DSO. The DSO shall assist faculty and staff in his/her College in initiating, negotiating, and implementing individual Security Plans and is responsible for ensuring that each Security Plan (the “Plan”) complies with all University policies and procedures.
Any employee of the University who intends to receive Restricted Data (the “Employee”) must inform the DSO for the College in which that Employee has primary employment prior to accepting such data. Restricted Data may not be brought onto campus until the DSO certifies that all mechanisms for controlling access to the data are in place and operational.
The DSO shall notify the Contracts Manager of any proposal to bring Restricted Data onto University property and will work with the Employee to develop a Plan in coordination with the University’s Institutional Review Board for Human Subjects and/or the Contracts Manager, as appropriate. The Plan shall:
If the DSO and the Employee are unable to agree on the terms of the Plan, the matter should be referred to the Vice Chancellor for Research and Economic Development, who has the authority to make a final decision. The DSO shall then send the completed Plan to the Contracts Manager, who will sign the third party Agreement (the "Agreement") on behalf of the University and forward it to the third party for signature. When the fully executed Agreement is received back from the third party, the Contracts Manager will distribute copies of the Plan and Agreement to the Employee, the DSO, the ITS Information Technology Security Officer, and the Internal Audit Director.
Upon receipt of the Agreement and approval of the Plan by the DSO, the Employee may then contact the third party supplier of the Restricted Data and make arrangements for the Restricted Data to be delivered to the person designated in the Plan. The DSO is responsible for implementing the Plan, including installation of the Restricted Data, and for providing all necessary information and training to all employees and students having access to the Restricted Data. The cost of implementation must be borne by a grant/contract or by the relevant College(s). The DSO must maintain written records of the physical location of the equipment on which the Restricted Data will reside, and a record of the date on which the Plan expires. During the time period in which the Plan is in effect, the ITS Information Technology Security Officer and the Internal Audit Director may, without prior notice, inspect the physical location at which the Restricted Data reside, if on campus (or, if off campus, require that the researcher bring the computer or external storage device to campus for inspection), in order to ensure compliance with all aspects of the Plan, and shall take all other actions specified in the Plan to ensure compliance.
In the event that the requirements and procedures outlined in the Plan are not met, the DSO is authorized to remove or otherwise secure the Restricted Data until a resolution is in place. All breaches and violations must be reported by the Employee or the DSO to the respective Dean, the Contracts Manager, the ITS Information Technology Security Officer, the Office of Legal Affairs, and the Internal Audit Director.
The term for which the Plan shall be in effect must be specified prior to its implementation, but such term may be extended or shortened if approved by the DSO and the third party supplier of the Restricted Data. The DSO shall notify the Internal Audit Director and the Contracts Manager of any extension, shortening or termination of the Plan. The Plan may not be terminated without at least thirty (30) days prior written notice to the DSO, who must promptly inform the Internal Audit Director and the Contracts Manager of such termination. The Contracts Manager must maintain and update records as appropriate and must notify the DSO and the Internal Audit Director at least thirty (30) days prior to expiration of the Plan. When the Plan expires or is terminated, the DSO must ensure that the Restricted Data are removed from any equipment on which they reside and that such equipment is appropriately sanitized of all Restricted Data. The DSO must then inform the Employee that the Restricted Data have been removed, and the Employee must notify the third party supplier of the Restricted Data of such removal and handle the retention or disposition of the data in accordance with the Plan.
Upon approval, this Regulation shall be published on the appropriate UNC Charlotte website(s). The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to this Regulation:
Approved by the Chancellor, February 11, 2011