Regulation Regarding Third Party Data Subject to Contractual Access Restrictions

I. Executive Summary and Purpose

This Regulation summarizes UNC Charlotte’s comprehensive security program (the “Program”) for handling electronic data that is (a) received from third parties and (b) subject to contractual access restrictions. Such restrictions generally require the execution of agreements under such names as Data Sharing Agreement, Restricted Use Agreement, Restricted Use Data Agreement and License, Restricted Data Use Agreement, Limited Data Set Use Agreement, etc. This document describes the Program elements pursuant to which the University intends to:

i.  Ensure that adequate precautions are implemented prior to receiving such data;

ii. Maintain the security and confidentiality of covered data; and

iii. Protect against the unauthorized access or use of such records or information in ways that could violate the University’s agreements with third parties who supply such data.

The Program incorporates by reference any relevant provisions in University Policy #303, #307 and #311, and is in addition to any policies and procedures that may be required pursuant to other federal and state laws and regulations.

II.  Scope

The Program applies to all Restricted Data maintained by the University. For the purposes of this Regulation, “Restricted Data” shall be defined as any nonpublic electronic data that are received by the University from a third party pursuant to a written contract and which is subject to restrictions limiting access to specifically named or designated individuals.

III.  Designation of Representatives

The Dean of each College shall designate in writing one person to serve as the Data Security Officer (DSO) for that College with respect to this Program. Each DSO appointment shall be identified in writing by the Dean to appropriate administrative staff in the relevant College and to (a) the Contracts Manager for Research and Economic Development (Contracts Manager), (b) the OneIT Chief Information Security Officer, (c) the Office of Legal Affairs, and (d) the Internal Audit Director. The Contracts Manager shall coordinate appropriate training for the DSO. The DSO shall assist faculty and staff in their College in initiating, negotiating, and implementing individual Security Plans and is responsible for ensuring that each Security Plan (the “Plan”) complies with all University policies and procedures.

 IV.  Procedures

a.   Identification of Subject Data

Any employee of the University who intends to receive Restricted Data (the “Employee”) must inform the DSO for the College in which that Employee has primary employment prior to accepting such data. Restricted Data may not be brought onto campus until the DSO certifies that all mechanisms for controlling access to the data are in place and operational.

b.   Development of the Plan

The DSO shall notify the Contracts Manager of any proposal to bring Restricted Data onto University property and will work with the Employee to develop a Plan in coordination with the University’s Institutional Review Board for Human Subjects and/or the Contracts Manager, as appropriate. The Plan shall:

• comply with the requirements of the third party supplying the Restricted Data;
• comply with IRB requirements for data security;
• specify the individual who shall physically receive the Restricted Data from the third party supplier;
• specify the individual who shall subsequently serve as the custodian of the Restricted Data;
• specify in reasonable detail all obligations imposed on the University with respect to restricting access to the Restricted Data and the University’s plan for fulfilling such obligations, including whether or not  the Restricted Data may be taken off campus by an investigator or student and the conditions for doing so;
• specify the expiration date of the Plan;
• specify requirements for the disposition or retention of the Restricted Data by the University at the expiration or termination of the Plan;
• stipulate that the plan will be subject to unannounced review and inspection by the Internal Audit Department;
• be signed by the Employee (as the Principal Project Officer) and the DSO (as the Security Officer); and
• be signed by all faculty, staff, and students who will have access to the Restricted Data, indicating acceptance of their responsibilities under the Plan.

If the DSO and the Employee are unable to agree on the terms of the Plan, the matter should be referred to the Vice Chancellor for Research and Economic Development, who has the authority to make a final decision. The DSO shall then send the completed Plan to the Contracts Manager, who will sign the third party Agreement (the "Agreement") on behalf of the University and forward it to the third party for signature. When the fully executed agreement  is received back from the third party, the Contracts Manager will distribute copies of the Plan and Agreement to the Employee, the DSO, and the OneIT Chief Information Security Officer.

c.  Implementation of the Plan

Upon receipt of the Agreement and approval of the Plan by the DSO, the Employee may then contact the third party supplier of the Restricted Data and make arrangements for the Restricted Data to be delivered to the person designated in the Plan. The DSO is responsible for implementing the Plan, including installation of the Restricted Data, and for providing all necessary information and training to all employees and students having access to the Restricted Data. The cost of implementation must be borne by a grant/contract or by the relevant College(s). The DSO must maintain written records of the physical location of the equipment on which the Restricted Data will reside, and a record of the date on which the Plan expires. During the time period in which the Plan is in effect, the OneIT Chief Information Security Officer and the Internal Audit Director may, without prior notice, inspect the physical location at which the Restricted Data reside, if on campus (or, if off campus, require the researcher bring the computer or external storage device to campus for inspection), in order to ensure compliance with all aspects of the Plan and shall take all other actions specified in the Plan to ensure compliance.

d.   Breach or Violation of the Plan

In the event that the requirements and procedures outlined in the Plan are not met, the DSO is authorized to remove or otherwise secure the Restricted Data until a resolution is in place. All breaches and violations must be reported by the Employee or the DSO to the respective Dean, the Contracts Manager, the OneIT Chief Information Security Officer, the Office of Legal Affairs, and the Internal Audit Director.

e.  Expiration of the Plan

The term for which the Plan shall be in effect must be specified prior to its implementation, but such term may be extended or shortened if approved by the DSO and the third party supplier of the Restricted Data. The DSO shall notify the Contracts Manager of any extension, shortening or termination of the Plan. The Plan may not be terminated without at least thirty (30) days prior written notice to the DSO, who must promptly inform the Contracts Manager of such termination. The Contracts Manager must maintain and update records as appropriate and must notify the DSO at least thirty (30) days prior to expiration of the Plan.  When the Plan expires or is terminated, the DSO must ensure that the Restricted Data are removed from any equipment on which it resides and that such equipment is appropriately sanitized of all Restricted Data. The DSO must then inform the Employee that the Restricted Data have been removed and the Employee must notify the third party supplier of the Restricted Data of such removal and handle the retention or disposition of the data in accordance with the Plan.

V.   Communication

Upon approval, this Regulation shall be published on the appropriate UNC Charlotte website(s). The following offices and individuals shall be notified in writing with any subsequent revisions or amendments made to this Regulation:

• Chancellor’s Cabinet
• Associate Provosts
• Deans, Directors and Department Heads