Research & Economic Development Office of Grants and Contracts Administration Data Security Presented by Debbie Bolick September 24, 2015

Page 1:

Research & Economic Development
Office of Grants and Contracts Administration

Data Security
Presented by Debbie Bolick

September 24, 2015

Page 2:

Data Security

Data security
• Means safeguarding data from loss, modification, or unauthorized access

Monitoring
• That responsible parties are compliant with security plans

Termination
• Disposition or sanitization of data

Page 3:

What type of Data is being protected?

• Defined personally identifiable information
  • Information that can be used to distinguish or track an individual’s identity such as name, SSN, or biometric information

• Indirect identification
  • Using information in conjunction with other data elements to reasonably infer the identity of a respondent such as a combination of gender, race, date of birth, geographic indicators, or other descriptors

• Non-identifiable information
  • Tracking purposes

Page 4:

CIPSEA

• Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), implemented June 15, 2007

• Provides strong confidentiality protections for statistical information collections sponsored by or conducted by more than 70 Federal agencies

• Establishes uniform policy across Federal agencies

• Authorizes data sharing among specified agencies (Bureaus of Economic Analysis, Labor Statistics and Census) to include identifiable data

• CIPSEA data may only be used for statistical purposes

Page 5:

CIPSEA

• Penalties for non-compliance

• Class E felony with imprisonment of not more than five (5) years

• Fine of not more than $250,000

Page 6:

CIPSEA Implementation Guidance

• Harmonized principles and processes and set minimum standards

• Utilized best practices for handling

• Addressed intersection between CIPSEA and Privacy Act of 1974 for non-statistical uses

Page 7:

Authority

Federal agencies empowered to make determination about the sensitivity of their information used for statistical purposes under a pledge of confidentiality

Applies to local and state governments collecting data for federal agencies

Special procedures required for use of laptop computers, PDAs, zip drives, floppy disks, CDROMs or any other IT devices

Page 8:

Minimum Standards

• All persons with access understand his/her responsibility related to maintaining confidentiality of information
• Monitoring procedures for collection and release
• Evaluating the reason for and controlling access
• Maintaining physical and information systems security
• Required Training
• Overview of protection procedures
• Limit access to those with a “need to know”
• Physical and information systems security procedures must be in place
• Penalties

Page 9:

Inform

Protect Identities

Minimize Risks

Restrict Use

Ensure Controls

Page 10:

311.9 Regulation Regarding Third Party Data Subject to Contractual Access

Data Security at UNC Charlotte pursuant to Policy 311.9
Implemented February 2011

Policy for handling and safeguarding electronic third party data
• Received from third parties
• Subject to contractual access restrictions.

Ensures that adequate precautions are implemented prior to receiving such data
• Maintain the security and confidentiality of covered data; and
• Protect against the unauthorized access or use of such records or information in ways that could violate the University’s agreements with third parties who supply such data.

Page 11:

Initiate Request for Data?

Data Security Officer
• First Point of Contact
• Data Security Plan
• Checklist

University Signatory
• Data Use Agreement
• Document Repository
• Submits to Agency

Data Sponsor
• Agency releases Data to PI

[Flow diagram labels: PI, DATA]

Page 12:

Ongoing Monitoring

• College Data Security Officer

• Central IT

• Random audits

• Collaborative role

• PI (Lead Custodian) cannot be a student

• Authorizes Updates and monitor

• Students

• Research staff

• Signs Use Agreement

• System of Record

Signatory Unit

Responsible Party

Information Security

Internal Audit

Page 13:

DSO list

Data Security Officers
Effective April 2015

Charles Andrews: Metropolitan Studies and Extended Academic Programs
William Ardern: William States Lee College of Engineering
Brian Bard: Student Health Center
Tim Carmichael: Belk College of Business
Alex Chapin: College of Liberal Arts & Sciences
Rose Diaz: College of Arts + Architecture
Dane Hughes: College of Education
Joe Matesich: College of Computing and Informatics
Michael Moore: College of Health and Human Service

Page 14:

Resources

College Data Security Officers
http://itservices.uncc.edu/home/it-policies-standards/data-security-officers

IT Policies & Standards
http://itservices.uncc.edu/home/it-policies-standards

Security Awareness Training
http://itservices.uncc.edu/home/information-security/information-assurance/security-awareness-training

Human Subjects (IRB)
http://research.uncc.edu/departments/office-research-compliance-orc/human-subjects

Checklist & Data Security Plan
http://research.uncc.edu/departments/office-research-compliance-orc/human-subjects/3rd-party-data-requirements

Page 15:

QUESTIONS?

DATA MANAGEMENT

DATA SECURITY