Information Privacy and Security
Data will be collected and subsequently analyzed during the Manage stage, based on protocols developed in the Plan/Propose stage. During the Setup stage, the data-collection protocol should be reviewed to identify any logistical requirements that must be met before data can be collected. Such requirements might include procuring instrumentation or software specific to the measurements to be taken, or arranging access to existing sources of data. In addition, certain data will require that privacy and/or security infrastructure be established. For example, data must be collected in a verifiable and secure manner and then stored. For digital data, this might involve special software and hardware that authenticate or otherwise validate the data collected, protect the data from intentional or unintentional breaches, and preserve the data from corruption so that it remains fit for analysis. Some data to be collected may be personal or sensitive, such as individuals' names or social security numbers, or the locations of potentially vulnerable or hazardous materials; such data require that special privacy and/or security measures be implemented before data collection can begin.
Review more information on compliance requirements for Information Privacy and Security.
- The Principal Investigator (PI) is responsible for the overall conduct and results of the research, including data collection and any associated privacy and security considerations.
- All members of the study team who handle or otherwise have access to data are responsible for observing privacy and security precautions.
- A statistician or other data analyst on the study team may be involved in data privacy and security matters.
- Clinical studies may engage a Data Safety and Monitoring Board (DSMB) or similar body to monitor adverse events during the conduct of the study. Information reviewed by a DSMB may include data requiring privacy and/or security measures.
- Information technology professionals may be responsible for hardware and software data privacy and security matters.
Policy, Regulation, and Guidance
- APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
- Office of the Chief Information Security Officer: Laws
- APS 2.6 Information Security Controls and Operational Practices
- NIH: What is FISMA?
- Federal Information Security Management (and Modernization) Act (FISMA)
- Guidance: Certificate of Confidentiality (CoC)
- NIH: Certificate of Confidentiality
- CoC Decision Tree: Is my research subject to CoC?
- Privacy Office: European Union – General Data Protection Regulation (EU…
- Office for Human Research Protection (OHRP): EU General Data Protection…