Sensitive Data Transfer and Sharing User Guide
Introduction
Globus provides a secure and convenient way to manage your sensitive research data. Please review the requirements and guidelines below when using the Globus Transfer service to access, move, and share files containing sensitive research data.
Data Transfer
HIPAA regulated data must be covered under a BAA.
If you are disclosing Protected Health Information (PHI) to Globus, you must use a high assurance collection, and your institution must have a HIPAA compliant Business Associate Agreement (BAA) with the University of Chicago. You can email support@globus.org to find out if your institution has a BAA with the University of Chicago.
High assurance collections are for managing sensitive research data.
High assurance collections have additional features for managing sensitive research data. We recommend always using high assurance collections when accessing and sharing sensitive research data. To identify high assurance collections, look for the lock icon next to the collection in the Globus Web app. If you need a high assurance collection, contact the unit that manages your storage system to inquire whether your institution has a high assurance Globus subscription.
Do not enter sensitive data into user input fields.
You should never enter sensitive data in user input fields, such as Transfer Label, Collection Name, Descriptions, Keywords, Group Name, and email text. Sensitive data should not be stored in file names or directory paths, unless the files are accessible through high assurance collections.
Transfer sensitive data to secure locations.
When transferring sensitive data, remember that high assurance collections, identified by the lock icon, provide extra features for managing sensitive data, and verified collections, identified by the check icon, have been verified by a Globus subscriber to be owned and operated by the subscribing organization.
Data Sharing
Share with your collaborator’s institutional account.
It is best practice to choose a person’s institutional identity when sharing sensitive data.
For example, share with your collaborator’s work or school identity, rather than their personal identity such as their gmail.com account.
You may not share data on a high assurance collection with a GlobusID ("user"@globusid.org) or with an email address from a provider that is not recognized by Globus, for example a yahoo.com or outlook.com address.
Use high assurance groups with high assurance collections.
If you grant sharing permissions to a Globus Group on a high assurance collection, you must configure the group to also be high assurance.
Share only with people who need access.
Limit sharing of sensitive data to people who need to access the data. For example, do not share sensitive data with a Globus Group unless every group member needs access to your data.
Share only as long as necessary.
Delete sharing permissions when they are no longer necessary. We recommend you set an expiration time on the permissions. Permission expiration is only available on high assurance collections.