The ITS Team will be performing maintenance on Confluence beginning at 6:00 pm Tuesday, May 6. During this time the service may go offline. It should be available again by 8:00 pm. Please refrain from editing pages during this time to avoid losing your work.
Your project team members will receive a notification to sign the Research Use Data Agreement (RUDA). Track the status of your project and make changes at your project URL.
The purpose of this Agreement is to ensure the integrity, security, and confidentiality of the data that is used, received, transmitted, maintained or created on the Ivy Secure Computing (Ivy) platform as well as that of the Ivy virtual environment itself.
The Ivy Secure Computing platform is intended for use to analyze data that is considered highly sensitive data as defined by the UVA Policy: IRM-003: Data Protection of University Information (https://uvapolicy.virginia.edu/policy/IRM-003). Such data is any personal information that can lead to identity theft if exposed and health information that reveals an individual’s health condition and/or history of health services use. Examples include data protected by HIPAA regulations, social security numbers, and driver’s license numbers. Other acceptable data types for analysis on Ivy are data protected by FERPA (student records data) and data protected by intellectual property restrictions.
All data imported into Ivy must be treated as highly sensitive data. Data and results exported from Ivy must be protected and managed appropriately according to UVA's data protection policies, standards, and procedures (https://security.virginia.edu/information-policy). Guidance regarding these guidelines and data types is available from UVA Information Security (InfoSec) by emailing it-compliance@virginia.edu.
Data specifically NOT permitted to be stored or analyzed on Ivy: U.S. government classified information, controlled unclassified information (CUI)*, covered defense information (CDI)*, credit card or other data containing financial account information (e.g., bank account). Ivy has not been configured to meet the controls required for these type data. The Principal Investigator is responsible for ensuring that Ivy is an appropriate environment for the data and is urged to contact Information Security (InfoSec) at it-compliance@virginia.edu for assistance in making this determination.
CUI and CDI may be stored and analyzed in the separate IvyCUI environment which complies with NIST SP 800-171 and DFARS 252.204-7012 requirements.
The undersigned acknowledges and agrees that the data this study team will analyze and store in Ivy complies with the requirements set forth above.
The undersigned agrees to protect all data associated with his/her use of the Ivy Secure Computing platform (Ivy) in accordance with the terms of this Agreement, the HIPAA Privacy and Security Rules, and the University Data Protection Standards (UDPS; https://security.virginia.edu/university-data-protection-standards).
The undersigned shall ensure that any computer or device s/he uses to connect to Ivy meets, at a minimum, the guidelines described at: https://security.virginia.edu/device-security or is either a computer administered and maintained by HSTS or is one that has been approved by HSTS Exception Request (http://www.healthsystem.virginia.edu/auth/login.cfm?referringurl/alive/Computing/forms/ServiceRequest/formSvcReq.cfm) or is one that is allowed to connect to the HSC Clinical subnet.
The undersigned shall ensure that any data or files moved from the Ivy Secure Computing platform, if they are highly sensitive data (e.g., HIPAA-regulated data) are stored in accordance with the UVA policy: IRM-003: Data Protection of University Information (https://uvapolicy.virginia.edu/policy/IRM-003) and the University Data Protection Standards (UDPS; https://security.virginia.edu/university-data-protection-standards). The undersigned is responsible for knowing if the data to be removed from Ivy are highly sensitive or sensitive under UVA guidelines and storing it according to those guidelines.
The undersigned shall not share or permit anyone else to access Ivy using his/her login credentials.
The undersigned shall change the password used to access Ivy at least annually. Passwords must meet or exceed the UVA guidelines at https://security.virginia.edu/authentication#User%20Authentication%20Requirements.
The undersigned has completed the High Security Awareness Training (HSAT) and must retake HSAT annually. Information about HSAT is available at https://security.virginia.edu/isat-workday#HSAT.
The undersigned will promptly notify UVA Information Security (InfoSec) of any suspected or actual unauthorized use, disclosure, breach, or exposure of the data, account credentials, or other security incident, as defined by the UVA policy IRM-004: Information Security of University Technology Resources (https://uvapolicy.virginia.edu/policy/IRM-004) and the Reporting an Information Security Incident Standard (https://security.virginia.edu/reporting-information-security-incident-standard).
The undersigned shall use the Security Incident Reporting Form at: https://security.virginia.edu/report-information-security-incident for such notification. Reports should be made within one (1) hour from the time the incident is identified.
The undersigned shall ensure that this agreement is reviewed, renewed and re-signed once a year as long as access to Ivy is needed.
The undersigned shall notify UVA Information Technology Services (ITS) within 24 hours (1 day) of his/her departure from either the study team or UVA by contacting the UVA Help Desk by either calling 434-924-4357 or emailing 4Help@Virginia.edu.
The undersigned PI shall ensure that if the data are part of an IRB-approved study, anyone granted access to his/her Ivy virtual environment is listed in the IRB protocol as part of the study team.
The undersigned PI shall ensure that if the data have HIPAA-identifiers, all study team members have completed all appropriate and applicable IRB required training, including the HIPAA modules of the CITI training.
The undersigned PI shall notify UVA Information Technology Services (ITS) within 24 hours (1 day) of any study team member no longer needing access to Ivy and/or departure from either the study team or UVA by contacting the UVA Help Desk by either calling 434-924-4357 or emailing 4Help@Virginia.edu.
The undersigned PI shall maintain copies of this Agreement for each his/her study team members authorized to have access to Ivy.
The undersigned PI shall ensure that every person of his study team granted access to his/her Ivy virtual workspace reads, understands, and signs an Ivy Research Use Data Agreement before being granted access and must have their own unique login id and password. No user is permitted to let another use their login credentials. Passwords must meet or exceed the UVA authentication standard (https://security.virginia.edu/authentication).
The PI shall retain all the Agreements for all his/her project team members with the other research project related documents for five years after the completion of the project per Commonwealth of Virginia Records Retention Schedule or the document retention schedule of the project’s grant, whichever is longer.