Secure Data Lab

The Education Innovation Institute provides a secure computing space for UNC affiliates conducting research using personally identifiable education data.  The secure server meets and exceeds the requirements of FERPA, HIPAA, and applicable Colorado Privacy Laws. Arrangements can typically be made to meet the requirements of even the most stringent data use agreements.

User manual for routine access to the secure server
WWW Departmental Form for VPN access to the privileged realm

Highlights

  • 2-Factor Authentication
  • Access from key-card-controlled room via desktops used exclusively for accessing the secure data server (highly restricted and monitored internet)
  • Project-specific folders encrypted at rest
  • Managed file permissions within project folders
  • Data encryption in transit
  • Encrypted daily backup
  • Remote VPN for PIs as allowable by data use agreement


Summary

Project researchers connect to a data folder through a secure file server housed on the University of Northern Colorado campus. All data is viewed and modified on the server over an encrypted network connection via Pulse Secure. All storage and analysis of data will take place exclusively on the secure server. Data may not be downloaded to local workstations, or to any external devices, including laptops. Desktop and laptop workstations may be used only for remote access to the secure server. Portable storage devices, including laptops, will not be used for downloading or storing data.

Project data will not be shared with any other institution or any investigator not currently listed in the data use agreement. This restriction applies to source data as well as all derived data files. Project investigators, including the PI, do not have discretion to modify access to the source data. As appropriate per the relevant data use agreement, any changes in access to the data on the secure server require explicit prior approval by the data owner.

All data security protections apply to the original data, derived files, and temporary analysis files.

Location

Secure Room

The server is located in the:
Carter Hall Secure Data Center,
1700 9th Ave.
Greeley CO, 80639.

Physical access in Carter Hall is restricted to server admins on the IT staff and support personnel. Access is controlled by key card, and the location is alarmed and monitored by video.

User access to the data occurs in a secure lab environment located in McKee Hall 103A.

  • Computing Platform

    Storage systems on campus export data to users through 128-bit encrypted RDP sessions using TLS 1.1 or higher, allowing for secure access from Windows and Mac environments. Connections are only allowed from persons accessing the system from a specific and restricted network range through the VPN.

    Users authenticate to the storage system using 2-factor authentication: their campus username and password (12+ characters in length, requiring upper- and lower-case letters, numerals, and special characters), as well as an additional randomly generated, time-sensitive access code. Access is controlled via user permissions based on the user's identity in Active Directory.

  • Security Systems

    The data are protected end to end via encrypted channels (user to server and server to backup server). On the file server, access is policed through a series of folder permissions, as well as folder- or file-level encryption that is independent of the institutional IT department.

  • Principal Investigator's Responsibilities

    It is the PI's responsibility to discuss the protection requirements with the EII director to ensure that the protection requirements can be met. Once that has been established, compliance with all data use and confidentiality agreements is the responsibility of the principal investigator. Each PI must share current copies of all relevant data use and confidentiality agreements with EII before data will be stored and access granted for specified users. These documents will be used to help EII and the PI keep track of expiring agreements, but all responsibility for keeping agreements up to date lies with the PI.