Security Requirements for Researchers

Aligning with the UT Health Science Center mission and goals, researchers conduct various types of research. The data is often collected from human subjects and requires strict levels of protection. The UT Health Science Center recognizes its obligation to effectively secure and safeguard this information in terms of confidentiality, integrity, and availability while allowing authorized individuals to access and appropriately share information as needed. To assist with the security of this data, UT Health Science Center has a security program and published Cybersecurity Standards and Practices. UT Health Science Center has defined a number of data classifications, documented in GP-002-Data and System Classification. For our research community dealing with human subject data, Controlled Unclassified Information (CUI), HIPAA data or Classified federal data, the important definitions are:

  • Classified: Data in any format that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13526, or any predecessor Order, to be categorized national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD).
  • Confidential: Data in any format collected, developed, maintained or managed by or on behalf of the UT Health Science Center, or within the scope of UT Health Science Center activities that are subject to specific protections under federal or state law or regulations or under applicable contracts, and/or cause significant financial, reputational loss, or legal liability. Examples include, but are not limited to medical records, social security numbers, financial account covered by the Payment Card Industry Data Security Standard, driver's license numbers, non-directory student records, data used to authenticate or authorize individuals, federal data categorized as Controlled Unclassified Information (CUI), and export controlled technical data.

Systems containing data categorized as Classified require special attention and are not allowed to be connected to the UT Health Science Center network. Contact the Cybersecurity team for more information.

Most of the data UT Health Science Center's research community handles is categorized as Confidential. To ensure that these data or information are adequately protected, specific administrative, physical, and technical protections need to be implemented. If a researcher is unable to comply with any of these requirements, a request for exception may be submitted, GP-001.02-Security Exceptions and Exemptions to ITS Standards and Practices. However, adequate alternative measures must be in place and properly documented before an exception will be granted.