HiPerGator is a shared system, with many users working on open and sensitive data, as classified by UF Guidelines:
Policy
When a project is identified that benefits from the storage and processing capabilities of HiPerGator and that project involves student records, the procedure described below shall be followed.
NOTE: Currently faculty and TAs who work with students and student records on a daily basis all receive FERPA training and are aware of the limitations imposed by the law and where to get advice when issues arise that are not clear to them. This policy does not cover the use of desktop or laptop computers to work on grades of students or similar tasks.
The scope of this policy is when faculty, staff, and researchers use sophisticated tools for larger data sets such as machine learning to learn how to improve learning and teaching outcomes. For example:
- Helping identify students who could benefit from extra help and what the form of that assistance may be.
- Helping instructors for possible auto-grading, or teaching evaluation, etc.
NOTE: Collected documents such as writings of students (essays or homework) that are submitted by students as part of their educational activities count as student record, see https://studentprivacy.ed.gov/ferpa#0.1_se34.1.99_13.
Procedure
When an activity that falls in the scope of this policy, the researcher shall work with various support staff to accomplish the following tasks:
Project registration
A project is registered by entering a Request in UF’s Integrated Risk Management (IRM) system at https://riskmanagement.ufl.edu/apps/ArcherApp/Home.aspx This will record details like the data owner (usually the principal investigator) and the type and size of data involved. The risk assessment by UFIT Information Security Office (ISO) is simplified because of the security controls in place on HiPerGator, but it provides a record about the project and who will be involved in it.
UFIT Research Computing staff will record the project by its IRM identifier with the researcher’s HiPerGator account. A project specific HiPerGator group will be created to provide access to the data by the role of the project participants, which is encoded as membership of that group.
A data management plan submitted as part of the risk assessment will briefly describe the workflow and disposition of the project data. What participating members are expected and allowed to do with the data will be defined by their role.
Participant agreement and registration
The members of the project group will sign an agreement form that specifies:
- They understand their role in the project
- They will take FERPA basics training in myTraining, course nr. UF_PRIV802_OLT
- They will take HiPerGator training on handling restricted data
A scanned or digitally signed agreement for each project participant is stored in the IRM system.
When the procedure is not followed, the project will not be given any resources. If participants fail to follow the steps, the university process for FERPA violations will be followed as described in the FERPA training.
What is needed
To set up a FERPA group on HiPerGator, UFIT Research Computing needs the following:
- PI Information
- Project Name (and suggested short version for a group name)
- Risk Assessment Number
- Specific staff to add to the group (must be listed on the IRB, must have submitted the Data Management Plan)
- Amount of Orange/Blue storage to allocate from new or existing purchase
Special Precautions
If there are special precautions that apply to the project and are called out in the risk assessment, then such actions or requirements will be added to the agreement.
Restricted Data Project Retirement and Removal
All restricted data projects on HiPerGator are required to have a data management plan filed with the security assessment. This data management plan must include a project retirement and removal section. Unless otherwise approved by the director, all restricted data projects will have the following retirement conditions:
- Upon completion of the project, the designated data manager is responsible for removing all data in the project group's folders within the HiPerGator ecosystem. This includes, but is not limited to, all restricted data.
- Once removed, the data manager will contact HiPerGator support and open a request to have the top-level project folders removed.
- The UFIT Research Computing staff will then remove all designated project folders and record the project closure date in the support request and any appropriate internal systems.
Abandoned Restricted Data Projects
If the storage investments for a specific restricted data project expire and are not replaced, then the restricted data project will be considered abandoned. UFIT Research Computing staff will make a good-faith effort to notify the Principal Investigator (PI) when internal processes indicate that a project has been abandoned. If a PI would like to renew their investments, it should be made within 60 days of the previous expiration date. Once a project has been abandoned for more than 60 days, UFIT Research Computing reserves the right to remove all data from the project folders to maintain the security of the data on HiPerGator systems.