REDCap (Research Electronic Data Capture)

3. Service Provider Information

Service Name:

REDCap (Research Electronic Data Capture)

Entity ID:

https://redcap.ucdmc.ucdavis.edu/shibboleth

Shibboleth SP Version:

2.4

Contact:

redcap.support@ucdmc.ucdavis.edu

Service Providers are trusted to ask for only the information necessary to make an appropriate access control decision, and to not misuse information provided to them by Identity Providers. Service Providers must describe the basis on which access to resources is managed and their practices with respect to attribute information they receive from other Participants.

3.1 What attribute information about an individual do you require in order to manage access to resources you make available to other Participants? Describe separately for each service ProviderID that you have registered.

Only the authenticated user name (eduPersonPrincipalName) is required.

3.2 What use do you make of attribute information that you receive in addition to basic access control decisions? For example, do you aggregate session access records or records of specific information accessed based on attribute information, or make attribute information available to partner organizations, etc.?

All changes made to the system are tracked by authenticated user name (ePPN).

3.3 What human and technical controls are in place on access to and use of attribute information that might refer to only one specific person (i.e., personally identifiable information)? For example, is this information encrypted?

No attribute information is used other than the authenticated user name (ePPN). The user list is accessible only by authorized "Super Users" of REDCap. Each project's user list is accessible by that project's owner.

3.4 Describe the human and technical controls that are in place on the management of super-user and other privileged accounts that might have the authority to grant access to personally identifiable information.

Access to the system is granted by submitting an On-Line Access Request. Outside (non-UCDHS) users will be required to have an On-Line Access Request submitted by a UCDHS sponsor. Authorization is granted based on the REDCap User Permissions Matrix submitted by each REDCap project owner.

3.5 If personally identifiable information is compromised, what actions do you take to notify potentially affected individuals?

The UCDHS Compliance representative will be notified and UCDHS Compliance notification procedures will be followed.