RC Systems Data Sensitivity

Standard-Security Zone (SSZ) High-Security Zone (HSZ)
Storage Computing Environments Storage Computing Environments
Data Classification Research Project (/project) Research Standard (/standard) Rivanna/Afton (/home & /scratch) High-Security Research Standard Ivy VM (/home) Rio (/home & /scratch) ACCORD
Public
Internal-Use
Sensitive
Highly-Sensitive
Limited Dataset 1
De-Identified Dataset 2
HIPAA 3
CUI 4
Controlled-Access Data 5
FERPA 6
ITAR 7

1 Limited datasets have direct identifiers removed, but may contain indirect identifiers including, complete dates, age, city, state, and complete ZIP code.

2 De-identified datasets contain no identifiers. Note: identifiers can be recoded such that the source information is anonymized (e.g. date shifting, urban/rural determinations vs. ZIP codes, randomly generated subject identifier, etc.)

3 Health Insurance Portability and Accountability Act (HIPAA). Information protected under HIPAA includes any protected health information (PHI) in the medical record that can identify an individual. More information can be found here.

4 Controlled Unclassified Information (CUI). CUI data is information the government creates or possesses that requires safeguarding or dissemination controls when handling. More information can be found here.

5 Controlled-access data are protected NIH data whose access is controlled by implementing security measures to verify the identity of requesters and their inteded data use, even if it is de-identified or lacks explicit limitations on subsequent use. This includes controlled-access data downloaded from the following controlled-access data repositories: Database of genotypes and phenotypes (dbGaP), BioData Catalyst, NCI Genomic Data Commons, ‌‌The NHGRI Genomic Data Science Analysis, Visualization, and Informatics Lab-Space (AnVIL), National Institute of Mental Health Data Archive (NDA), NIA Genetics of Alzheimer's Disease Data Storage Site (NIAGADS). The full list of controlled-access repositories can be found here.
Projects with a data use agreements approved after 1/25/25 are required to protect controlled-access data acquired from a controlled-access repository in compliance with NIST 800-171 security controls. More information can be found here.

6 Family Educational Rights & Privacy Act (FERPA). FERPA is a federal law that governs access to student education records. This includes personally identifiable information (PII) like name, SSN, date of birth, grades, and course schedules. More information can be found here.

7 International Traffic in Arms Regulations (ITAR). This includes military technology and software, technical data, and services. More information can be found here.

|  userinfo    , , , , ,