This web page describes the procedures implemented at the Center for Advanced Power Systems for the control of technical data requiring protection from unauthorized disclosure.
The mandate for control of Technical Data at CAPS is imposed by one or more of the following:
- The United States Department of Commerce Export Administration Regulations (EAR)
- The United States Department of State International Traffic in Arms Regulations (ITAR)
- United States public law dealing with control of confidential information/trade secrets entitled to protection from disclosure.
The Florida State University (FSU) Intellectual Property and Technology Handbook deals with controlling, protecting and transitioning to the private sector, intellectual property and technology originated by FSU staff. The emphasis of this Document Control Procedure is to establish a means to protect applicable technical data received from other organizations while that data is at FSU for research and performance of contract activities at the CAPS facility.
Technical Data must be controlled and protected if:
- It is identified in writing as "Proprietary", "Confidential", "Competition Sensitive" or similarly designated by the originating organization. Documents may also be marked in accordance with the National Archives' Controlled Unclassified Information (CUI) marking requirements. Such information is protected from release under federal and state law, and CAPS is obligated to protect against any unauthorized disclosure or release of the information to any source, foreign or domestic.
- It satisfies the criteria for control by the EAR or ITAR (Export Controls), which impose further restrictions on release of technical data to foreign persons.
- Special terms or conditions of the particular contract apply which limit access or distribution of technical data.
Appendix A provides more detailed information on specific ITAR criteria.
The primary responsibility of the Directors of CAPS is to maintain CAPS' integrity and stature as an academic research institution. In recognizing that the imperatives of a research institution differ from those of a corporation, the Directors will work with contracting corporations to ensure that restrictions, whether proprietary- or export control-related, are imposed only when authorized.
The Directors of CAPS are responsible for implementation of this procedure. The Directors may delegate required tasks at their discretion. Clarifications or issues regarding the application and/or execution of this procedure will be referred to the Directors for resolution.
The Document Control Manager, under authority of the Directors, will assist the Directors in execution of this procedure and will perform the day-to-day administrative tasks.
Access requirements and determination of authorized personnel
For each contract, the Directors shall endeavor to make the contracted work as open as possible and shall ensure that control of technical data is imposed when deemed necessary.
When control measures are deemed to be necessary, the Director shall determine the personnel authorized to access data for the task. The determination shall include such factors as need and status as foreign or US persons as defined by Export Controls.
All CAPS personnel and visitors shall display identification badges. The badges will be color-coded to indicate the individual's status as a US Person or Foreign Person as defined by ITAR section 120.16.
On a project-by-project basis, each authorized person shall sign a briefing statement that acknowledges the required access and distribution restrictions for the contract. A sample briefing statement is shown in Appendix B.
The Document Control Manager shall catalog and maintain all original, signed briefing statements.
The Document Control Manager shall prepare and maintain an access list that clearly identifies the contract and the authorized personnel; the access list shall be signed by the Director with cognizance over the contract.
The Document Control Manager shall disseminate the access list to all authorized personnel on the contract, to confirm who is authorized to access data for the particular contract.
Receipt, Inventory and Control of Data
Immediately upon receipt, all controlled data or documents shall be provided to the Document Control Manager for inventory. If it is impractical to provide the data, such as for data that exists only in an electronic form, a brief description of the data should be provided.
The Document Control Manager shall maintain an inventory of all controlled data. The inventory must include, at a minimum, the date received, the source of the data, the originator of the data, the task/contract to which the data relates, the nature of the restriction, to whom the item was released/distributed, the export classification number (EAR ECCN or ITAR Category), and sufficient description to uniquely identify the item. Space should also be provided to record the date of destruction or disposition of the item from the system. (Note that "source of data" means the external organization that provided the data to FSU; "originator of data" means the organization that originally prepared the data.)
When inventorying hard copy materials, to the extent practical, the Document Control Manager will confirm each sheet of controlled data is marked to indicate its restriction. Any missing markings will be added. The Document Control Manager shall provide a conspicuous document cover sheet for each document. A sample document cover sheet is shown in Appendix C.
To the extent practical, electronic media (CDs, Zip drives, etc.) and any storage cases/covers will be externally marked.
If electronic data is received via electronic means (i.e. via email or FTP), such that there is no physical media, the information provided to the Document Control Manager should be of sufficient detail that the description of the data can be recorded in the inventory.
If data is received by persons other than the Document Control Manager, the data should first be delivered to the Document Control Manager for processing.
Electronic data requiring protection, stored on computers and/or servers, must be segregated into password-protected directories or network paths to assure that only those with authorized access can access the files. The Document Control Manager, in conjunction with the Network Administrator, shall ensure that the electronic access privileges are consistent with the applicable access list.
Controlled data shall not be accessible to unauthorized persons. This includes briefings or even oral discussions that might release controlled data.
Controlled data shall not be released to third parties via reports or briefings without written authority of the originating organization.
Any duly authorized data transfers shall be performed through the Document Control Manager who will provide tracking and documentation of all such transfers.
Controlled data shall not be reproduced by users. If additional copies are needed, they shall be generated and inventoried by the Document Control Manager.
Controlled data shall be under the physical control of an authorized person at all times. When not in use, data shall be in a locked container or desk; electronic files or programs should be closed so that access to them is denied to unauthorized users.
If access to controlled data is infrequent, it should be returned to the Document Control Manager for long-term secure storage.
If controlled data becomes obsolete or is no longer needed, it should be returned to the Document Control Manager for disposition. Unless otherwise directed by the terms and conditions of the specific contract, such data shall be destroyed or obliterated in such a way as to prevent reconstruction and unauthorized use, such as by shredding, disc/media destruction, file erasure, etc. The Document Control Manager shall update the inventory to record the date and means of destruction, and who performed it.
Controlled data shall only be displayed or processed in areas where physical access to displays or printouts is limited to authorized persons. If it is impractical to restrict access to an entire area or lab, the operator shall assure that visitors or unauthorized persons are not permitted access to view materials.
Notes: Throughout this procedure the term "controlled data" is used to mean any data, in any format (e.g. hard copy or electronic) for which distribution or access restrictions apply.