Research Data Security at Harvard Kristen Bolt

Upload: shonda-oliver

Post on 24-Dec-2015

TRANSCRIPT

Page 1: Research Data Security at Harvard Kristen Bolt. HRDSP Harvard Research Data Security Policy

Research Data Security at Harvard

Kristen Bolt

Page 2

HRDSP: Harvard Research Data Security Policy

Page 3

OVPR maintains the Research Data Security Policy

Maps to the Enterprise Policy, with 5 levels and corresponding checklists and controls

Recognizes that some flexibility is required as applied to the research enterprise

Partnership and communication: IRB, ISO/HUIT, Researcher, OVPR

Page 4

Partner Roles

Researchers have the following responsibilities:

Identifying confidentiality and data security obligations (DUA, etc.)

Submitting HS research for IRB approval and DSL determination

Implementing the security controls corresponding to the requirements of the data security level and attesting by signing the checklist

Following data security procedures over the course of their projects.

Research oversight bodies have the following responsibilities:

Assessing data security risks associated with the research within their purview and assigning data security levels for the research.

Establishing procedures to set security levels, either on a project-by-project basis or by category of research data

Informing researchers about data security risks and working with them to set appropriate data security levels.

Page 5

ISO/HUIT Information Security is responsible for assisting researchers with implementation of appropriate security controls in accordance with the DSL assigned by the IRB (or outlined in a DUA).

ISO can confirm level 3. Levels 4 and 5 require approval by HUIT.

Variances: ISO and the researcher may apply compensating controls for the assigned data security level if certain controls for the assigned level are not feasible. These compensating controls will be documented and attested to by the researcher and the ISO(s), and the ISO will inform the IRB if the project is under IRB review.

Partner Roles

The Office of the Vice Provost for Research is responsible for:

Implementing this policy

Working with research oversight bodies to identify data security risks and set data security levels

Working with researchers, IT, and HUIT, as appropriate, to foster awareness and understanding of the policy

Periodically reviewing adherence to the policy

Page 6

Managing Through the Lifecycle of Data

Obtaining data: collecting on an encrypted flash drive; DUA; secondary use of existing data

Storing data

Sharing access

Posting

Page 8

QIP Ed Longwood, Feb 4, 2015

Kristen Bolt, Research Data Officer

Office of the Vice Provost for Research

Harvard University

Page 9

Kimberley Serpico, MEd, CIP

QIP Education Session

February 4, 2015

Ensuring Data Confidentiality: IRB Considerations and IT Data Security Measures

Tel: 617-432-7434

E-mail: [email protected]

Website: www.hsph.harvard.edu/ohra

Page 10

Agenda Overview

Background on IRB Application, Review, & Approval Process

How the IRB Makes a Data Security Determination

How the IRB Communicates Data Security Requirements with PIs and HUIT

Data Security Levels (DSL) and Examples

A Fun Pie Chart!

Page 11

Let’s talk research…

All research involving human subjects, or human subjects data, must be reviewed by the IRB and issued a determination before the project begins.

Page 12

How do I get my research project reviewed and approved by the IRB?

Submit an application via ESTR (Electronic Submission, Tracking, & Reporting System) at https://irb.harvard.edu/

Your application will include all of the details about your study as well as an uploaded copy of all applicable study documents (study protocol, consent forms, questionnaires, recruitment materials, etc.)

Your department-assigned IRB Review Specialist will review your application, request clarifications on any part that is unclear, and complete the approval.

Page 13

Thanks for all of that background info…but where does data security come into play?

Data security and data confidentiality review is built into the IRB review process.

Data confidentiality relates to the treatment of information that a participant has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission.

Data confidentiality isn’t exclusive to just data collection – it impacts the entire study. Data security provisions should be in place from the moment the study begins – starting with identification of subjects and ending with the appropriate destruction of data once the study has concluded (Harvard policy is to retain all human research records for 7 years after study closure; Sponsored research is subject to additional record retention policies).

Page 14

How does the IRB make the Data Security Level Determination?

A few examples of what your Review Specialist is looking for/at: Are individual identifiers being collected or recorded? What information about participants is being collected? Is it sensitive? If there was a breach, and information about a participant was disclosed, stolen, or lost, would it…damage their reputation, cause embarrassment, jeopardize employability or insurability, or put them at risk for civil or criminal liability, psychological harm, injury, or social harm?

How will the PI minimize data security risks? What plans do they have in place to protect the data they are collecting?

Adhere to the Harvard Research Data Security Policy

Utilize the Information Security Level Checklist in our toolkit

Page 15

Page 16

Once IRB review is complete…

When the Review Specialist has enough information to make a determination, the IRB review is complete.

The approval is recorded in your ESTR record and a letter is issued that documents all of the regulatory information required by the IRB’s federal oversight body – including review category, waivers, special populations, risk level, drug or device determinations, etc.

While not a federal regulation, the letter also documents Data Security Level as it is a Harvard policy requirement.

Page 17

Page 18

Communicating Data Security Requirements with PIs and HUIT

DSL 0-2 can be approved outright by the IRB (documented in letter)

DSL 3 can be approved, but requires additional documentation in conjunction with HUIT (documented in letter)

DSL 4 & 5 cannot be approved by the IRB until consultation between the PI & HUIT has occurred, and the appropriate documentation has been completed and sent to the IRB

Page 19

Data Security Levels & Examples from the IRB – DSL = 0

DSL = 0 is used when the HRDSP does not apply

Examples: Not Research determinations; curriculum development; Quality Assurance/Quality Improvement projects

Page 20

Data Security Levels & Examples from the IRB – DSL = 1

Research usage of human subjects data that has no direct, or indirect, identifiers

Example: Examine publicly available, de-identified mortality dataset from the CDC to understand the effects of economic downturns on health

Example: Analyze de-identified insurance claims from U.S. hospitals to look at C-section rates

Anonymous, non-confidential data collection where no identifiers are recorded

Example: Survey sent to parenting list-serv asking questions about the costs and logistics of childcare

Page 21

Data Security Levels & Examples from the IRB – DSL = 2

Research where identifiable or coded data (i.e. there is a key linking the code to personal identifiers) is collected, but would not result in material harm if disclosed

Example: Analyze coded specimens and data to investigate relationship between dietary habits and urine samples

Example: Follow up phone call to patients post-surgery to discuss recovery (where name, phone number, and medical record number are recorded)

Page 22

Data Security Levels & Examples from the IRB – DSL = 3

Research where identifiable or coded data is collected and could be damaging to the participants’ financial standing, employability, insurability, reputation, or be stigmatizing

Example: Coded blood sample and questionnaire collection from HIV-positive mothers to analyze antiretroviral drug therapy progress

Example: Coded tooth sample and survey collection to evaluate chemical and radiation levels in subjects affected by nuclear bomb tests after 1945

Example: Identifiable survey collection and audio-taped interviews with women who have terminated a pregnancy

Page 23

Data Security Levels & Examples from the IRB – DSL = 4

Research where identifiable or coded data is collected and could present the risk of civil liability, criminal prosecution, psychological harm, or social harm

Example: Coded survey asking women about intimate partner violence, depression, and substance abuse history

Collecting Social Security Number for compensation, per the Harvard Finance Policy (http://policies.fad.harvard.edu/pages/human-subject-payments)

Example: A study in which compensation exceeds $100 and is issued by check to the participant

Page 24

Data Security Levels & Examples from the IRB – DSL = 5

Research where individually identifiable information is collected that could cause significant harm to an individual if disclosed, including serious risk of criminal liability, serious psychological harm, significant injury, loss of insurability or employability, or significant social harm

Example: Studies on illegal activities that are directly linked to participant identities

No DSL 5 research projects exist at the HLMA IRB.

Page 25

Data Security Levels & Examples from the IRB – A few special circumstances…

International Research: If Harvard researchers are managing the research data, either at Harvard or abroad, the Harvard Research Data Security Policy (HRDSP) applies. Additionally, if Harvard researchers are obtaining, accessing, or generating human subjects research data, the HRDSP applies whether the study is international or not.

PIs with Dual Appointments: When a Principal Investigator has a dual appointment at Harvard and another institution, and Harvard is engaged in the research only as a result of receiving the primary funding award, the HRDSP applies, even if there is no research data physically housed at Harvard and even if the PI is wearing their “other institution’s hat” for their role in the research.

However, if the same situation occurs but Harvard is not the primary awardee of the funding, the HRDSP does not apply.

Page 26

Initial DSL Determinations Made by IRB* (January 1 – December 31, 2014)

DSL = 1: 439 (65%)

DSL = 2: 142 (21%)

DSL = 3: 81 (12%)

DSL = 4: 13 (2%)

*DSL = 0 is not included because we only recently obtained functionality in ESTR to record 0; DSL = 5 is not included because the HLMA IRB does not have any level 5 projects

Page 27

Resources

Office of Human Research Administration: http://www.hsph.harvard.edu/ohra

HLMA IRB Department-Assigned IRB Review Specialists list:

http://www.hsph.harvard.edu/ohra/department-assignments/

Quality Improvement Program (QIP): http://www.hsph.harvard.edu/ohra/qip/

Services Include: Study Management Tools and Resources, Research Support Services, On-Site Reviews, Study Consultation, Submission Assistance, etc.

ESTR Resources: http://estrsupport.fss.harvard.edu/

Harvard Catalyst Data Protection Group investigator resources: http://catalyst.harvard.edu/programs/regulatory/data-protection.html

Feel free to contact me as well!

Kim Serpico, MEd, CIP

IRB Review Specialist

617-432-7434, [email protected]

Page 28

Miguel Sanchez, InfoSec Spec.

QIP Education Session

February 4, 2015

I Know My DSL, Now What? How to Protect Your Data

Tel: 617-496-8500

E-mail: [email protected]

Website: security.harvard.edu

Page 29

Agenda Overview

Research Data Security Checklists

Amazon Web Services (AWS)

What Do I Want To Do With This Data?

Use Existing Resources

De-identify Data

Page 30

Data Security Checklists

For Levels 3, 4 and 5

Researcher vs. IT Requirements

Is It Necessary?

– 40 L3 Controls

– 60 L4 Controls

– L5: You Don’t Even Want to Know

Page 31

Amazon Web Services (AWS)

HRDSP Still Applies

Requires Expertise

Is It Necessary?

Page 32

Think Before You Build

What’s Your Ultimate Goal?

Create a Data Flow Diagram

Understand That Diagram

Page 33

Use Existing Resources!

Pre-Approved Tools and Environments

Encrypted Storage Devices (e.g., IronKeys)

Page 34

De-Identify Data

Less is Best

De-Identification Methods

– Statistical

– Heuristic

– Use Variables

Things to Keep in Mind
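The DSL 2 definition earlier in this deck describes coded data as data where a key links each code to the personal identifiers, and this slide recommends storing less by de-identifying. The Python script below is an added example; it is not part of the presentation and is not Harvard's or HUIT's tooling. It splits a constructed sample of participant records into a coded analysis file and a separately held key table, then generalizes the remaining quasi-identifiers (age bands, three-digit ZIP) and drops the code to produce a de-identified file. The sample records, field names, the HMAC-based code derivation and the generalization rules are all assumptions chosen for illustration, not HRDSP controls.

```python
"""Coding and de-identifying a small human-subjects dataset (added example).

Illustrates two states the slides distinguish: "coded" data, where a key
table links each code back to a person, and de-identified data, where no
such link exists. Sample records are constructed; no real participants.
"""
import hashlib
import hmac
import secrets

# Direct identifiers that must never appear in the analysis copy.
DIRECT_IDENTIFIERS = ("name", "phone", "mrn", "ssn")

# Constructed sample records (assumed field names, fictitious people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "phone": "617-555-0101", "mrn": "MRN-001",
     "age": 34, "zip": "02115", "outcome": "recovered"},
    {"name": "Bob Sample", "phone": "617-555-0102", "mrn": "MRN-002",
     "age": 71, "zip": "02138", "outcome": "readmitted"},
    {"name": "Carol Test", "phone": "617-555-0103", "mrn": "MRN-003",
     "age": 92, "zip": "01002", "outcome": "recovered"},
]


def make_code(secret: bytes, mrn: str) -> str:
    """Derive a stable participant code from the MRN with a keyed hash.

    The same MRN always yields the same code, so follow-up records can be
    linked, but without the secret the code cannot be reversed or
    re-derived from a guessed MRN. The HMAC scheme is this example's choice.
    """
    return "P-" + hmac.new(secret, mrn.encode(), hashlib.sha256).hexdigest()[:10]


def code_dataset(records, secret):
    """Return (coded_records, key_table).

    coded_records: analysis copy with direct identifiers replaced by a code.
    key_table: code -> direct identifiers. It must be stored separately from
    the analysis copy, under the controls of the assigned DSL.
    """
    coded, key_table = [], {}
    for rec in records:
        code = make_code(secret, rec["mrn"])
        key_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        analysis = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded.append({"code": code, **analysis})
    return coded, key_table


def generalize(record):
    """'Less is best': coarsen quasi-identifiers so combinations are less unique.

    Ages are banded by decade with 90+ collapsed (the HIPAA Safe Harbor
    convention) and ZIP codes are truncated to their first three digits.
    """
    out = dict(record)
    age = out.pop("age")
    decade = (age // 10) * 10
    out["age_band"] = "90+" if age >= 90 else f"{decade}-{decade + 9}"
    out["zip3"] = out.pop("zip")[:3]
    return out


def deidentify(coded_records):
    """Drop the code too, leaving records with no link back to any person."""
    return [generalize({k: v for k, v in rec.items() if k != "code"})
            for rec in coded_records]


def contains_direct_identifiers(records):
    """Check to run before an analysis file leaves the secure environment."""
    return any(k in DIRECT_IDENTIFIERS for rec in records for k in rec)


if __name__ == "__main__":
    # A fresh secret per study; it lives with the key table, not the data.
    study_secret = secrets.token_bytes(32)
    coded, key_table = code_dataset(SAMPLE_RECORDS, study_secret)
    print("coded analysis copy:", coded)
    print("key table (store separately):", key_table)
    print("de-identified:", deidentify(coded))
    print("analysis copy clean:", not contains_direct_identifiers(coded))
```

The two outputs are meant to sit under different controls: the key table and the secret inherit the level of the identifiable data, while the de-identified file is the one that can be shared more widely, and `contains_direct_identifiers` is the kind of mechanical check a researcher can run on the analysis copy before attesting to the checklist.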

Page 35

When In Doubt…

ASK!