Policy Number: 12-031
Acceptable Data Use Policy
Category: Information Technology
Responsible Executive: Vice President and Chief Information Officer
Responsible Office: Vice President and Chief Information Officer
1. Purpose
The University of Florida (“UF”) manages data in support of its educational, research and service missions. This Policy establishes requirements for the generation, management, sharing, retention and transfer of UF Data to ensure ethical stewardship and compliance with applicable laws as well as UF regulations, policies and contracts.
2. Applicability
This Policy applies to UF, its direct support organizations (“DSOs”), and its affiliated legal entities, as well as any other UF Personnel who create, access, use, manage, share, or transfer UF Data in connection with UF activities.
3. Definitions
Data Trustees means institutional officers (i.e., Vice Presidents, Vice Provosts, Deans, etc.) appointed by the President and Provost to oversee a data domain across UF, aligned with the functions of their reporting units. Data Trustees are accountable for data management within their unit, including data policies, definitions, usage, retention and access. For additional information, refer to the UF Data Governance webpage.
Data Custodian means a UF staff member who is responsible for implementation of security controls for UF Data. For additional information, refer to the UF Data Governance webpage.
Data Management Plan (“DMP”) means a formal document that defines how data will be handled throughout the lifecycle of a project, from acquisition through retention and archival.
Data Owner means UF leadership, typically at the dean, director or department chair level, with the ultimate responsibility for the use and protection of UF Data.
Personnel means all UF faculty, staff, students, or other individuals involved in the design, conduct and reporting of UF activities.
UF Data means data in any format collected, developed, maintained or managed by or on behalf of UF, or within the scope of UF activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the UF information security program.
4. Policy Statement
UF requires responsible data stewardship to support its education, research and service missions, maintain trust, and ensure compliance with applicable laws, as well as UF regulations, policies, guidelines and contracts governing data management and privacy.
4.1. Ownership
UF owns all UF Data, except as otherwise specified in a legally binding agreement or approved by an appropriate UF authority.
4.2. Access and Protection
Access to UF Data is granted by the Data Trustee or their delegate in accordance with the framework described on UF’s Data Governance webpage. UF Data must be protected using appropriate information technology (“IT”) controls based on its data classification, in accordance with Policy 12-011, Data Classification Policy, except where such data is explicitly designated for public display or publication. Personnel granted access to UF Data are responsible for complying with all applicable handling requirements throughout the data lifecycle, including ensuring that individuals under their supervision are properly trained and that access is regularly reviewed.
4.3. Data Classification and Handling Requirements
Personnel must adhere to all applicable UF regulations, policies, and contracts throughout the data lifecycle, regardless of whether UF Data is created by UF or acquired through UF activities. Requirements vary based on data classification (open, sensitive or restricted), which determines the level of protection, access, and handling required, in accordance with Policy 12-011, Data Classification Policy, as well as any applicable terms and conditions specified in an appropriately executed data sharing agreement or similar instrument. Such requirements may include the use of designated IT resources for data storage and processing, or the submission of a DMP to the Data Owner as part of an access request.
4.4. Use and Sharing
All UF Data use and sharing must comply with applicable laws, as well as UF regulations, policies, guidelines, and contracts. Data sharing arrangements must be reviewed and executed through the appropriate UF office based on the nature of the activity:
- Data sharing for research purposes must be coordinated through UF Research (e.g., data transfer and use agreements or similar research agreements).
- Data sharing involving protected health information (“PHI”) outside of research must be coordinated through UF Health Legal Services in accordance with applicable Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements.
- All other data sharing requests not otherwise assigned to a specific responsible office above must be submitted through UF’s Data Access Request webpage.
5. References and Related Information
Office of Science and Technology Policy, Ensuring Free, Immediate, and Equitable Access to Federally Funded Research
National Institutes of Health (NIH), Final NIH Policy for Data Management and Sharing
2 C.F.R. § 200.315(e), Intangible Property
Regulation 1.0102, Policies on Information Technology and Security
Regulation 1.0103, Policies on Restricted Data
Policy 1-006, Responsible Use of AI
Policy 12-002, Acceptable Use Policy
Policy 12-011, Data Classification Policy
Policy 14-002, Export Control Compliance
Policy 14-004, Research Integrity
Policy 14-006, Intellectual Property Policy
UF Research Integrity, Security and Compliance Webpage
UF Data Governance Framework webpage
UF Data Access Request webpage
UF Guidelines for AI Use
UFIT Fast Path Solutions (IRM-Approved Applications)
History
History: New 03-24-2026