Restricted-Use Data Hosting Agreements
At-a-Glance Requirements
| Requirement Area | Summary |
| Hosting model | Restricted-use data may be hosted only in an institutionally managed, enterprise-level server environment operated as an internal service of the receiving institution. |
| Administrative ownership | The environment must be administered by a professional institutional IT unit with authority over security operations, access control, patching, monitoring, incident response, backup/recovery, and media sanitization or destruction. |
| Security baseline | All systems, storage, backups, and transmission paths that store, process, or transmit the data must be protected at a level consistent with the UNC Information Security Controls Standard (MSS) at the High protection obligation level. |
| Agreement requirement | The institutional IT unit responsible for the environment must sign a Restricted-Use Data Hosting Agreement with Add Health. |
| Data release | Execution of the hosting agreement does not by itself authorize release of the data; required safeguards and reviews must be completed first as well as one signed Restricted-Use Data Use Agreement by an investigator at the institution and the responsible IT person. |
| Data destruction | When access ends or the agreement expires, all copies of the data must be destroyed or sanitized so they are no longer recoverable, using methods consistent with applicable NIST media sanitization guidance. |
Institutional Server Configuration and Administration
Add Health restricted-use data may be hosted only in an institutionally managed, enterprise-level server environment that is operated as an internal service of the receiving institution.
The hosting environment must be administered by a professional IT unit that is responsible for secure server operations, access control, patching, monitoring, incident response, backup and recovery, and media sanitization or destruction.
This hosting service must be established for institutional research use. Small departmental servers, lab-managed systems, ad hoc environments, and individually administered servers do not meet this requirement.
The designated IT unit must provide and manage the service as an institutional offering that can support eligible faculty, staff, and students, subject to internal approvals and Add Health authorization requirements.
In general, Add Health expects one designated hosting IT unit per institution to support restricted-use data hosting under this model unless an exception is approved in advance.
The hosting environment must remain under the receiving institution’s direct administrative control. General-purpose or commodity cloud hosting is not the default model for this arrangement.
The designated IT unit must be able to demonstrate operational authority, staffing, security oversight, and technical controls sufficient to manage the environment throughout the full data lifecycle.
Security Requirements
A Windows or Linux server may be used to host Add Health restricted-use data. However, the server—and all systems, services, storage locations, backups, and transmission paths that store, process, or transmit the data—must be protected at a level consistent with the UNC Information Security Controls Standard (MSS) at the High protection obligation level.
Under the Data Hosting Agreement, these safeguards must be implemented before the institution receives any copy of the data.
For Add Health restricted-use data, the required security posture is intended to reflect a high-assurance institutional research environment.
At a minimum, the environment should include a documented security plan; clearly assigned accountable and responsible personnel; a secure physical location; supported and hardened operating systems and software; prompt patching; vulnerability management; access control; logging and monitoring; incident response capability; and secure transfer and disposal practices.
The receiving institution is not required to replicate UNC-specific technical implementations. Instead, the institution’s hosting IT unit should implement controls with equivalent rigor using its own enterprise infrastructure, identity management systems, security tools, and institutional policies.
What matters is that the hosting environment achieves protections consistent with the High protection obligation level required by the Agreement.
Expected controls
- Administration by an institutional IT unit with defined security and operational responsibilities.
- Documented system ownership, service ownership, and security contacts.
- Supported operating systems and software, with timely application of security patches.
- Documented system hardening and the removal or disabling of unnecessary services and functions.
- Endpoint protection or equivalent anti-malware / endpoint detection controls.
- Routine vulnerability scanning and a defined vulnerability remediation process.
- Strong authentication and institutionally managed authorization processes, including multi-factor authentication where appropriate.
- Strict limitation of access to specifically authorized users with a need to know.
- Secure transmission methods for any transfer of restricted-use data.
- Logging, monitoring, and retention of records sufficient to support investigations and incident response.
- A tested security incident response capability, including notice to Add Health in the event of an actual or suspected security incident.
- Secure sanitization or destruction of data and media at the end of use or upon termination of the agreement.
| Important: Execution of a Data Hosting Agreement does not by itself authorize release of the data. Add Health will not provide the data until the hosting IT unit has implemented the required safeguards and any required security documentation or review has been completed. |
Data Destruction and Sanitization
When Add Health restricted-use data must be removed—whether because a project has ended, access is no longer authorized, or an agreement has expired or terminated—the receiving institution must ensure that the data are destroyed or sanitized so that they are no longer recoverable.
The Agreement requires destruction or sanitization of all copies of the data maintained in any form and written confirmation of destruction using the Agreement’s destruction certification process.
Institutions may use their own established enterprise media sanitization and destruction procedures, provided those procedures achieve a level of protection consistent with applicable NIST media sanitization guidance and render the data unrecoverable.
The important outcome is that all Add Health restricted-use data—including copies, derivatives, temporary files, backups, and other retained instances—are securely removed or sanitized in a manner appropriate to the media and the institution’s security program.
Data Hosting Agreement
The institutional IT unit responsible for securing, operating, and administering the hosting environment must sign a Restricted-Use Data Hosting Agreement with Add Health.
This agreement is between Add Health and the receiving institution’s designated data hosting IT unit, which acts as an internal institutional service provider rather than as part of a single research team.
The Agreement establishes the institution’s responsibilities for authorized access, privacy and security safeguards, incident response, secure transmission, confidentiality, and secure destruction or return of data.
The Data Hosting Agreement is intended for an institutional hosting service that supports multiple approved users or projects under the institution’s governance structure.
Researchers and project teams may still need separate Add Health Restricted-Use Data Use Agreements, but the hosting IT unit must first establish and maintain the approved server environment required for restricted-use data [3][4].
Eligibility Notice
Please note that eligibility for a Restricted-Use Data Hosting Agreement is also dictated by U.S. Federal regulations. See Eligibility Requirements for more information.
Contact
If you are interested in a Restricted-Use Data Hosting Agreement, please contact Add Health Contracts at addhealth_contracts@unc.edu.