Chapter 4 Terms and Conditions
All state, provincial, and tribal wildlife agencies are required to approve the CWD Data Warehouse Data Use Agreement and Terms of Use (DUA) prior to accessing and using the Warehouse. The DUA is an important document that establishes the data sharing relationship between wildlife agencies and the Cornell Wildlife Health Lab, which developed, administers, and manages the Warehouse. The DUA defines how agency data in the Warehouse can and cannot be used and establishes who can access the data and in what capacity. The current CWD Data Warehouse DUA is given below.
The Data Security Plan describes, in more technical terms, the security, user management, and data management measures that are in place to ensure the security and appropriate use of the Warehouse and the data it contains.
The Research Approval Plan describes the process by which researchers may request and use certain data from the CWD Data Warehouse for research purposes.
The current DUA, Data Security Plan, and Research Approval Plan are given below.
4.1 Data Use Agreement & Terms of Use
Cornell Wildlife Health Lab
Updated 16 September 2022
The Cornell Wildlife Health Lab (CWHL) is based at the Cornell University College of Veterinary Medicine Animal Health Diagnostic Center. CWHL conducts disease surveillance and collaborative research, develops diagnostic tools, and communicates findings through training, teaching, and public outreach. The CWD Data Warehouse was developed by CWHL personnel and contractors that are System Administrators who oversee the functionality, accessibility, and maintenance of the Warehouse.
This Data Use Agreement and Terms of Use (“Agreement”) sets forth the terms and conditions between Cornell University, a New York non-profit higher education institution (“Cornell”), and the agency or institution (“Provider”) providing data for use in the CWD Data Warehouse for surveillance and management activities and research related to chronic wasting disease (CWD).
Definitions
“CWD Data Warehouse” (hereinafter called “Warehouse”) shall mean the online data repository developed through the Surveillance Optimization Project for Chronic Wasting Disease (SOP4CWD). The purpose of the Warehouse is to provide support to wildlife agencies engaged in CWD surveillance, response, and management. The platform provides a structure for CWD sample data management; statistical model execution and data analysis; and data visualization and communication.
“Provider Data” shall mean the original data provided by the Provider to the Warehouse, by whatever method (direct data entry, application programming interface (API), importation of csv or text file).
“Normalized Data” shall mean the Provider Data standardized within the Warehouse.
“Researcher Data” shall mean a subset of Normalized Data approved for release from the Warehouse by System Administrators to Researcher(s) approved by the Provider, as detailed in the Data Security Plan.
“Open Data” shall mean a version of Researcher Data deposited under a persistent identifier (i.e., doi) in a Public Repository.
“Public Repository” shall mean the final digital repository accessible to all World Wide Web users (e.g., Cornell eCommons Library) used to store Open Data associated with research products.
“Data” shall mean the entire set of Provider Data, Normalized Data, Researcher Data, and Open Data.
“System Administrator(s)” shall mean any individual(s) employed or contracted by CWHL to manage the Warehouse who will have unrestricted access to the Data and functions within the Warehouse.
“Provider Administrator” shall mean any individual employed and authorized by the Provider to have unrestricted access to Data associated with the Provider and the ability to configure and create/edit/delete all Provider Data in the Warehouse. The Provider Administrator will determine the roles of Provider Users within the Warehouse and grant access permission, as detailed in the Data Security Plan.
“Provider User” shall mean any employee or collaborator of the Provider who is given a Warehouse user account and granted specific permissions by the Provider Administrator to access Data and features within the Warehouse, as detailed in the Data Security Plan.
“Provider Representative” shall mean an individual employed and authorized by the Provider to approve this Agreement enabling use of the Warehouse by the Provider and its Users, as detailed in the Data Security Plan.
“Researcher” shall mean any person who will have access to Researcher Data as approved by the Provider and System Administrators, as detailed in the Data Security Plan.
“Data Security Plan” shall mean the plan for securing the Data provided under this Agreement and is incorporated by reference and made a part of this Agreement.
“Research Approval Plan” shall mean the plan for requesting and approving research uses of Data and is incorporated by reference and made part of this Agreement.
Term & Termination
The term of this Agreement shall begin on the date of Provider’s acceptance or use of the Warehouse and shall remain in effect as long as Provider’s Data is housed in the Warehouse.
Either party may terminate this Agreement for material breach by providing written notice of the breach and if the other party fails to cure such breach within thirty (30) days of such notice.
Provider may terminate this Agreement for convenience by providing written notice at least sixty (60) days prior to the termination date.
Responsibilities Regarding Data
Cornell shall throughout the term of this Agreement:
- Receive, manage, secure, and use Data through the Warehouse in accordance with the Data Security Plan and the Provider’s instructions as consistent with the Data Security Plan and in good faith performance of its obligations under this Agreement. Where disclosure of Provider Data is required by law, Cornell shall notify Provider of such and shall use reasonable efforts to limit the nature and scope of the required disclosure and shall only disclose the minimum amount of Data necessary to comply;
- Receive, manage, secure, and use Data in accordance with all applicable privacy, security and data protection laws, rules and regulations;
- Notify Provider promptly of any unauthorized uses or disclosures of Data or any security incident involving Data, including without limitation any incident whereby Cornell reasonably believes to involve unauthorized access to or disclosure of Data, of which it becomes aware;
- Cooperate with Provider to respond to any inquiries regarding practices related to the collection, use, and disclosure of Data in connection with this Agreement or any requests to access and correct Data in accordance with applicable law;
- Obligate any third-party agent or subcontractor to whom it provides the Normalized and/or Researcher Data in writing to the same restrictions and conditions that apply through this Agreement with respect to Use or Disclosure;
- Disclose only Researcher Data to Researchers for the execution of activities approved as described in the Research Approval Plan;
- Disclose only Open Data to the Public Repository in the event that a journal requires open sharing for formal academic publication.
Provider shall throughout the term of this Agreement:
Provide Data that, to the best of Provider’s knowledge, has been collected and maintained with accuracy and integrity, free from any virus, Trojan horse, worm, or other software routines designed to disrupt the normal operation of the Warehouse.
Provide Data to the Warehouse in compliance with all applicable privacy, security and data protection laws, rules and regulations (including, but not limited to, obtaining consent if required by such laws, rules and regulations).
Exclude from any Data provided to the Warehouse any Sensitive Personally Identifiable Information (“SPII”). Examples include the following:
- Full name
- Postal address information, other than town or city, State
- Telephone number
- Email address
- Social Security number
- Bank account number
- Credit card number
- Passport number
- Driver’s license number
- Financial information
- Medical records/information
Comply with the Data Security Plan, as applicable.
Notify Cornell promptly of any unauthorized uses or disclosures of Provider’s Warehouse account and/or credentials.
Obligate Provider Administrator(s), Provider User(s), and any other Provider Representative(s) using or otherwise accessing the Warehouse to comply with this Agreement and any related requirements or guidance relating to the Warehouse. Provider acknowledges that any violation of this Agreement by its Administrators, Users, or Representatives may result in suspension of such individual from access to the Warehouse.
Cooperate with Cornell to respond to any applicable inquiries regarding practices related to the collection, use, and disclosure of Data in connection with this Agreement or any requests to access and correct Data in accordance with applicable law.
Ownership of Data
As between the parties, ownership of Data will be retained by Provider and will be cited as such in all publications and research outputs, as provided in the Publication section below.
No right or options under any patent, copyright, trademark, or other intellectual property rights are granted by this Agreement.
Access to the Data
Access to the Provider Data within the Warehouse will be limited to the Provider Administrator, Provider User(s), and System Administrators, as detailed in the Data Security Plan.
Access to the Normalized Data will be limited to the Provider Administrator and System Administrators and specific Provider User(s) as designated by the Provider Administrator, as detailed in the Data Security Plan.
Access to the Researcher Data will be limited to the Provider Administrator and System Administrators and specific Researcher(s) as approved by the Provider Administrator and System Administrator(s), as detailed in the Data Security Plan and the Research Approval Plan.
Access to the Open Data will be in accordance with the guidelines of the Public Repository into which data associated with works resulting from the products of the Warehouse are stored.
Use of the Data
The Data may be used by the Provider within the Warehouse for activities related to CWD surveillance, response, and management.
The Data will be used within the Warehouse for statistical model execution, analysis, and visualizations related to CWD surveillance, response, and management for the benefit of participating wildlife agencies. Model results and visualizations using the Data will be presented only in aggregate form to other Warehouse users.
Researcher Data may be used by Researcher(s) approved by the Provider and System Administrator(s).
Use of the Data will be consistent with Cornell’s policies regarding scientific integrity and ethics (https://policy.cornell.edu/policy-library/research-integrity).
For avoidance of doubt, nothing in this Agreement restricts Providers’ use of the data Provider has shared with the Warehouse, for other purposes.
Data Security
- Cornell and Provider shall comply with the Data Security Plan for protecting the security of the Data provided under this Agreement.
Disposition of Data upon Termination of Agreement
Upon termination of this Agreement, the Provider may delete all Provider Data and Normalized Data within the Warehouse and disable all Provider Administrator and User accounts. Cornell or the Warehouse shall retain no copies of the Data received or managed from Provider, except those archived in the Public Repository or as may be required by applicable law. In the event Cornell determines that returning or destroying the Provider Data or Normalized Data is not feasible, Cornell shall provide to Provider notification of the conditions that make return or destruction infeasible. In such case, Cornell shall extend the protections of the Agreement to such Provider Data or Normalized Data for as long as it is retained by the Warehouse. This provision shall survive expiration or termination of this Agreement.
Cornell may archive the Open Data in a Public Repository in order to satisfy academic journal requirements. In such an event, it is acknowledged and agreed that Cornell will cite each source and may grant a copyright license for the Open Data in the Public Repository. The Open Data will then be assigned a formal persistent identifier (e.g. doi), and the persistent identifier will be shared with the Provider and referenced in the final copies of publication and products.
Publication
Provider acknowledges and agrees that Researchers may publish and/or present the results of analyses using the Open Data.
Cornell shall apply the following requirements to Researchers using the Open Data in such publications or presentations. Researchers shall be required to:
Provide the Provider with a copy of any deliverable that utilizes the Open Data. For journal articles, a copy will be provided at the time it is submitted for review; for lectures or presentations, at the time the abstract is submitted and a copy of the full presentation at the time of the meeting; for online resources, when it is uploaded into the public domain. Deliverables include (but are not limited to) publications, conference presentations, conference posters, webinars, media, and other written or online materials.
Formally cite the Open Data in journal articles, presentations, or other online and written products.
Include the Provider Administrator(s) and relevant System Administrator(s), if applicable, as co-author(s) in the list of authors of journal articles, presentations, or other online and written products resulting from use of the Data. Co-authors are those individuals that played a substantial intellectual role in the data collection, analysis, and writing of the final publication.
Include relevant Provider User(s) and System Administrator(s) in the Acknowledgments section of journal articles, presentations, or other online and written products resulting from use of the Data. Acknowledgeable individuals or entities are those that played an instrumental role in data procurement or management, such as but not limited to the collection, processing, curation, QA/QC, standardization, or transfer of the Data.
Include relevant funding sources in the Acknowledgments section of journal articles, presentations, or other online and written products resulting from use of the Data.
Indicate in journal articles, presentations, or other online and written products resulting from use of the Data and Warehouse products that the Provider and/or funder have not reviewed nor endorsed the Researcher’s work, and the results expressed herein do not necessarily reflect the positions of the [above-named Provider/funder], its directors, officers, managers, affiliates, nor its agents.
Neither Cornell nor the Provider shall otherwise be permitted to use the other’s name or that of any member of the other’s staff without prior written approval of the other party.
General Terms
This Agreement contains the entire understanding between the parties with respect to the Data and the uses, security, and handling described herein.
This Agreement supersedes all prior understandings whether written or oral between the parties regarding the Data.
Each party to this Agreement is and will be responsible for the acts and omissions of its respective users, employees, agents, contractors, and representatives in respect of the Warehouse.
Should any court of competent jurisdiction later consider any provisions of this Agreement to be invalid, illegal, or unenforceable, such provisions shall be considered severed from this Agreement. All other provisions, rights, and obligations shall continue without regard to the severed provision, provided that the remaining provisions of this Agreement are in accordance with the intentions of the parties.
Should any change in law or circumstance necessitate modification to any material term of this Agreement, Cornell shall give Provider written notice at least thirty (30) days prior to the effective date of such modification. Within twenty (20) days of receipt of such notice, Provider may either accept such modification or terminate this Agreement by providing written notice. Regarding any modifications to processes or non-material terms that do not affect Provider’s rights or obligations under this Agreement, Cornell shall provide thirty (30) days’ prior written notice. Any other modification, amendment, or waiver of the terms of this Agreement shall require the written approval of authorized representatives of both parties.
Nothing contained in this Agreement shall be construed as an obligation to enter into any further agreement between the parties concerning the Data or otherwise.
Provider represents that it is duly authorized to enter into this Agreement.
Provider further represents that the terms of this Agreement are not inconsistent with other legal or contractual obligations to which they are bound.
4.2 Data Security Plan
Last updated 16 September 2022
This Data Security Plan describes the specific tools and methods that will be used for the CWD Data Warehouse and is part of the Data Use Agreement between Provider and Cornell. The Warehouse System Administrators are committed to strong data security measures and to maintaining the privacy and integrity of Data in the Warehouse. It is also expected that Provider will maintain the security of its access to the Warehouse and comply with all applicable laws relating to the provision of Data.
User Access Control
Access to the Warehouse will be given through the provision of unique user accounts and passwords. User authentication is required and strictly enforced.
The Warehouse uses a role-based access control model to secure access to resources in the Warehouse. Roles grant users access to system resources and determine user privileges to perform specific actions in the Warehouse. The Warehouse has three basic roles: System Administrator, Provider Administrator, and Provider User. User management is hierarchical. System administrators can create User accounts and assign any role, including Provider Administrator. Provider Administrators can create User accounts and assign any role except System Administrator. Provider Users can be created by either the System Administrators or by Provider Administrators. However, Provider Users cannot change their own roles.
Provider Administrators may grant specific privileges, such as, but not limited to, the privilege to create, update, and delete data, to Provider Users. All roles and associated privileges are documented in the system documentation (https://pages.github.coecis.cornell.edu/CWHL/CWD-Data-Warehouse/) and examples are listed in the following table.
Role | Affiliation | Warehouse Privileges |
---|---|---|
Administrators | | |
System Administrator | Cornell University | Administration of Warehouse with access to all Data from all Providers, all internal software for data management, models, visualizations. Ability to grant access to Representatives, Administrators, and Users and designate role(s) of Users. |
Provider representative (enabled by System Administrator) | State/provincial agency | Approval of this Agreement enabling use of the Warehouse by the Provider and its Users. |
Provider administrator (enabled by System Administrator) | State/provincial agency | Full access to Provider Data, including configuration and ability to create/edit/delete Data; ability to use Data in models and visualizations; ability to grant access to Users and designate role(s) of Users. |
Users (designated by Provider Administrators) | | |
User | State/provincial agency | Read-only access to Provider Data and limited administrative data such as audit logs. |
Sample editor | State/provincial agency | In addition to User access, ability to create/edit sample data. |
Sample importer | State/provincial agency | In addition to User access, ability to import sample data. |
Cervid facility editor | State/provincial agency | In addition to User access, ability to create/edit cervid facility data. |
Processor editor | State/provincial agency | In addition to User access, ability to create/edit processor data. |
Demography editor | State/provincial agency | In addition to User access, ability to create/edit demographic data. |
Agency expense editor | State/provincial agency | In addition to User access, ability to create/edit agency expense data. |
Annual surveillance editor | State/provincial agency | In addition to User access, ability to create/edit annual surveillance data. |
Test alignment editor | State/provincial agency | In addition to User access, ability to create/edit test alignment data. |
Special Roles (designated by System Administrator) | | |
Disabled | | Warehouse access and all previous abilities are disabled; user is retained in system for auditing purposes. |
Initial Setup
Following the expressed interest of a Provider to become an active collaborator in the Warehouse, a System Administrator will create a user account for at least the Provider Representative. The Provider Representative will follow instructions to access the Warehouse and initiate the Provider entity in the Warehouse by accepting the Data Use Agreement and Warehouse policies. The Provider Administrator, which may be the same user as the Provider Representative, may then initiate creation of additional user accounts and configuration of the Provider account as needed.
User Account Management
Provider Administrators are responsible for managing Provider User accounts in the Warehouse. This includes activating and deactivating User accounts, assigning appropriate roles, and granting appropriate privileges. It is strongly recommended that Provider Administrators grant access based on the principle of least privilege, meaning each User should be granted the fewest privileges necessary to complete their tasks. System Administrators may assist Provider Administrators with User access control responsibilities by express permission from the Provider Administrator.
Sensitive or Personally Identifiable Information (SPII)
Providers shall not include in their Provider Data any SPII. System Administrators may require access to and use of SPII of Provider Representatives, Administrators, and/or Users (e.g., login credentials, name, email address) in order to perform administrative, operational, and technical support functions.
Application Programming Interface (API) keys
Providers may use the Warehouse Application Programming Interface (API) to securely access Warehouse resources. An API key is required to authenticate access and securely access Warehouse resources. API keys can be generated by System or Provider Administrators by creating a dedicated User identity and assigning appropriate roles and privileges as needed for the API key.
Data Storage and Transmission
System Administrators will take reasonable and appropriate steps consistent with current technological developments to ensure the security of Provider Data and to safeguard the integrity of Provider Data in storage and transmission. When possible, encryption technology will be utilized for both storage and transmission.
The Warehouse is configured for data encryption in transit and during communication between the Warehouse and Provider-side software, such as a web browser. In addition, the Warehouse is configured to encrypt data at rest, when static data are stored on the database server.
Provider Data will not be transmitted or stored outside of the Warehouse without approval by the Provider.
Researchers interested in conducting CWD research or developing models to be included in the Warehouse for use by participating wildlife agencies may submit proposals to System Administrators indicating specific data required for the proposed project, as detailed in the Research Approval Plan. Approved Researcher Data will be downloaded from the Warehouse by System Administrators and transmitted to the Researcher in a secure manner as indicated below.
Storage and transmission of Provider Data, such as but not limited to transmission between the Provider and System Administrators or between System Administrators and Researchers, will only be permitted using cloud storage services that comply with industry standards, including the encryption of data during transmission and the encryption of data in storage. Data transfer by email or other insecure methods will not be permitted. Provider Data will be retained by the Researcher only as long as required for the Researcher to complete their intended work as described in the data request.
Data Backup
The Warehouse and all Provider Data contained within the Warehouse are backed up to reduce the likelihood of data loss and reduce the likelihood and duration of service interruptions.
Corrupt or invalid backup points may occur. System Administrators will provide support and attempt to troubleshoot any known or discovered issues that may affect the backup and/or restoration of Warehouse content. But the Provider acknowledges that System Administrators have no liability related to the integrity of Data or the failure to successfully restore Data to a usable state.
For the highest level of data protection, it is recommended that the Provider maintain a complete and accurate copy of any Warehouse data in a location independent of this service.
Non-production environments
For continued Warehouse development and testing purposes, one or more non-production working environments may be created and used. The data security plan as detailed in this document will apply to both production and non-production environments. These working environments are considered part of the Warehouse and may contain Provider Data.
User Responsibilities
Users are responsible for safeguarding their accounts and passwords. Users should not disclose their passwords to any third party. Users must notify System Administrator(s) immediately upon becoming aware of any breach of security or unauthorized use of a User account. Failure to do so may result in immediate account termination.
While using the Warehouse, Users must adhere to any existing Provider policies, such as non-disclosure agreements and data privacy or data security policies. It is the responsibility of Provider Administrators to ensure that Provider Users are informed of and comply with Provider policies.
The Provider is responsible for providing, to the best of its ability and knowledge, accurate and reliable data. Provider Users shall not intentionally enter into the Warehouse erroneous data or data known not to represent real entities and events. The Provider shall enter data generated by only the Provider.
4.3 Research Approval Plan
Last updated 16 September 2022
This Research Approval Plan describes the process by which Researchers may request and use certain Data from the CWD Data Warehouse for research purposes and is part of the Data Use Agreement between Provider and Cornell.
Researchers may request use of certain data (referred to as “Researcher Data”) extracted from the Warehouse by System Administrators to conduct CWD research or develop CWD models that can ultimately be used by wildlife agencies within the Warehouse. For avoidance of doubt, the Data does not include SPII; therefore, SPII shall not be the subject of any research request.
A person may submit a proposal to System Administrators to request the use of Researcher Data for scientific research. The proposal must describe the objective and methods of the research, specific data requested and how it will be used in the research, expected outcomes and products, and include a data security plan that meets or exceeds the standards described in the Data Security Plan. The individual requesting data may be required to submit additional information or modify their request. System Administrators will approve or deny the proposal based on the applicability of the proposed products to wildlife agency activities related to CWD surveillance, response, and/or management and their potential use within the Warehouse.
Following proposal approval by System Administrators, a copy of the proposal including the data request will be forwarded to the Provider(s). The Provider will have 10 business days to reply to the request. Before the 10-business day period has concluded, the Provider may reject the proposal, approve the proposal, or request additional information. If the Provider does not reply within the initial 10-business day period, the System Administrators may release the requested Researcher Data to Researcher.
The Provider may choose to allow the Researcher Data to be included in the Open Data or to be contacted prior to publication to review data to be published.
The Researcher Data, if released, will be provided in a file format that is agreeable to all parties, such as a CSV, JSON, or RData file.
If System Administrators and the Provider approve the proposal, the Researcher will agree to adhere to all Cornell data use policies and agreements for the proposed project. The Provider may request that the Researcher sign a Data Use Agreement separate from this Agreement. The Researcher will retain Researcher Data only as long as required to complete the proposed project.