research data security at harvard kristen bolt. hrdsp harvard research data security policy
TRANSCRIPT
Research Data
Security at Harvard
Kristen Bolt
HRDSPHarvard Research Data Security
Policy
OVPR Maintains the Research Data Security Policy
Maps to the Enterprise Policy with 5 levels and corresponding checklists and corresponding controls
Recognizes that some flexibility is required as applied to the Research enterprise
Partnership and communication: IRB ISO/HUIT Researcher OVPR
Partner Roles
Researchers have the following responsibilities:
Identifying confidentiality and data security obligations (DUA, etc)
Submitting HS research for IRB approval and DSL determination
Implementing the security controls corresponding to the requirements of the data security level and attesting by signing the checklist
Following data security procedures over the course of their projects.
Research oversight bodies have the following responsibilities:
Assessing data security risks associated with the research within their purview and assigning data security levels for the research.
Establishing procedures to set security levels, either on a project by project basis, or by category of research data
Informing researchers about data security risks and working with them to set appropriate data security levels.
ISO/HUIT Information Security are responsible for assisting researchers with implementation of appropriate security controls in accordance with the DSL assigned by the IRB (or outlined in a DUA).
ISO can confirm level 3. Level 4 and 5 require approval by HUIT.
Variances: ISO and the Researcher may apply compensating controls for the assigned data security level, if certain controls for assigned level are not feasible. These compensating controls will be documented and attested to by the researcher and the ISO(s), and the ISO will inform the IRB if the project is under IRB review.
Partner Roles
The Office of the Vice Provost for Research is responsible for:
Implementing this policy
Working with research oversight bodies to identify data security risks and set data security levels
Working with researchers and IT and HUIT as appropriate, to foster awareness and understanding of the policy.
Periodically reviewing adherence to the policy
Managing Through The Lifecycle Of Data
Obtaining data Collecting on encrypted flash drive DUA Secondary use of existing data
Storing data
Sharing access
Posting
University Resources For research data security policy assistance:
HRDSP: http://vpr.harvard.edu/pages/harvard-research-data-security-policy
Research Data Confidentiality Training: http://eureka.harvard.edu/Eureka/aicc_content/Course_851_Rearch_data_Course/index.html
General Information Security Training: http://security.harvard.edu/training
Or contact me directly: [email protected]
QIP Ed LongwoodFeb 4, 2015
Kristen BoltResearch Data Officer
Office of the Vice Provost for Research
Harvard University
Kimberley Serpico, MEd, CIP
QIP Education Session
February 4, 2015
Ensuring Data Confidentiality: IRB Considerations and IT Data
Security Measures
Tel: 617-432-7434E-mail: [email protected] Website: www.hsph.harvard.edu/ohra
Agenda Overview
Background on IRB Application, Review, & Approval Process
How the IRB Makes a Data Security Determination
How the IRB Communicates Data Security Requirements with PIs and HUIT
Data Security Levels (DSL) and Examples
A Fun Pie Chart!
Let’s talk research…
All research involving human subjects, or human subjects data, must be reviewed by the IRB and issued a determination before the project begins.
How do I get my research project reviewed and approved by the IRB?
Submit an application via ESTR (Electronic Submission,
Tracking, & Reporting System) at https://irb.harvard.edu/
Your application will include all of the details about your study as well as an uploaded copy of all applicable study documents (study protocol, consent forms, questionnaires, recruitment materials, etc.)
Your department-assigned IRB Review Specialist will review your application, request clarifications on any part that is unclear, and complete the approval.
Thanks for all of that background info…but where does Data Security come into play?
Data security and data confidentiality review is built in to the IRB review process.
Data confidentiality relates to the treatment of information that a participant has disclosed in a relationship of trust and with the expectation that it will not be divulged to others without permission.
Data confidentiality isn’t exclusive to just data collection – it impacts the entire study. Data security provisions should be in place from the moment the study begins – starting with identification of subjects and ending with the appropriate destruction of data once the study has concluded (Harvard policy is to retain all human research records for 7 years after study closure; Sponsored research is subject to additional record retention policies).
How does the IRB make the Data Security Level Determination?
A few examples of what your Review Specialist is looking for/at: Are individual identifiers being collected or recorded? What information about participants is being collected? Is it sensitive? If there was a breach, and information about a participant was
disclosed, stolen, or lost, would it…damage their reputation, cause embarrassment, jeopardize employability or insurability, put them at risk for civil or criminal liability, psychological harm, injury, or social harm?
How will the PI minimize data security risks? What plans do they have in place to protect the data they are collecting?
Adhere to the Harvard Research Data Security Policy
Utilize the Information Security Level Checklist in our toolkit
Once IRB review is complete…
When the Review Specialist has enough information to make a determination, the IRB review is complete.
The approval is recorded in your ESTR record and a letter is issued that documents all of the regulatory information required by the IRB’s federal oversight body – including review category, waivers, special populations, risk level, drug or device determinations, etc.
While not a federal regulation, the letter also documents Data Security Level as it is a Harvard policy requirement.
Communicating Data Security Requirements with PIs and HUIT
DSL 0-2 can be approved outright by the IRB (documented in letter)
DSL 3 can be approved, but requires additional documentation in conjunction with HUIT (documented in letter)
DSL 4 & 5 cannot be approved by the IRB until consultation between the PI & HUIT has occurred, and the appropriate documentation has been completed and sent to the IRB
Data Security Levels & Examples from the IRB – DSL = 0
DSL = 0 is used when the HRDSP does not apply
Examples: Not Research determinations Curriculum development Quality Assurance/Quality Improvement
projects
Data Security Levels & Examples from the IRB – DSL = 1
Research usage of human subjects data that has no direct, or indirect, identifiers
Example: Examine publicly available, de-identified mortality dataset from the CDC to understand the effects of economic downturns on health
Example: Analyze de-identified insurance claims from U.S. hospitals to look at C-section rates
Anonymous, non-confidential data collection where no identifiers are recorded
Example: Survey sent to parenting list-serv asking questions about the costs and logistics of childcare
Data Security Levels & Examples from the IRB – DSL = 2
Research where identifiable or coded data (i.e. there is a key linking the code to personal identifiers) is collected, but would not result in material harm if disclosed
Example: Analyze coded specimens and data to investigate relationship between dietary habits and urine samples
Example: Follow up phone call to patients post-surgery to discuss recovery (where name, phone number, and medical record number are recorded)
Data Security Levels & Examples from the IRB – DSL = 3
Research where identifiable or coded data is collected and could be damaging to the participants’ financial standing, employability, insurability, reputation, or be stigmatizing
Example: Coded blood sample and questionnaire collection from HIV-positive mothers to analyze antiretroviral drug therapy progress
Example: Coded tooth sample and survey collection to evaluate chemical and radiation levels in subjects affected by nuclear bomb tests after 1945
Example: Identifiable survey collection and audio-taped interviews with women who have terminated a pregnancy
Data Security Levels & Examples from the IRB – DSL = 4
Research where identifiable or coded data is collected and could present the risk of civil liability, criminal prosecution, psychological harm, or social harm
Example: Coded survey asking women about intimate partner violence, depression, and substance abuse history
Collecting Social Security Number for compensation, per the Harvard Finance Policy (http://policies.fad.harvard.edu/pages/human-subject-payments)
Example: A study in which compensation exceeds $100 and is issued by check to the participant
Data Security Levels & Examples from the IRB – DSL = 5
Research where individually identifiable information is collected that could cause significant harm to an individual if disclosed, including serious risk of criminal liability, serious psychological harm, significant injury, loss of insurability or employability, or significant social harm
Example: Studies on illegal activities that are directly linked to participant identities
No DSL 5 research projects exist at HLMA IRB.
Data Security Levels & Examples from the IRB - A few special circumstances…
International Research:If Harvard researchers are managing the research data, either at Harvard or abroad, the Harvard Research Data Security Policy (HRDSP) applies. Additionally, if Harvard researchers are obtaining, accessing, or generating human subjects research data, the HRDSP applies whether the study is international or not.
PIs with Dual Appointments:When a Principal Investigator has a dual appointment at Harvard and another institution, and Harvard is only engaged in the research as a result of receiving the primary funding award, the HRDSP applies. Even if there is no research data physically housed at Harvard and even if the PI is wearing their “other institution’s hat” for their role in the research.
However, if the same situation occurs but Harvard is not the primary awardee of the funding, the HRDSP does not apply.
Initial DSL Determinations Made by IRB*January 1 – December 31, 2014
DSL = 1439 (65%)
DSL = 2142 (21%)
DSL = 381 (12%)
DSL = 413 (2%)
*DSL = 0 is not included as we only recently obtained functionality in ESTR to record 0, DSL = 5 is not included because the HLMA IRB does not have any level 5 projects
Resources
Office of Human Research Administration: http://www.hsph.harvard.edu/ohra
HLMA IRB Department-Assigned IRB Review Specialists list:
http://www.hsph.harvard.edu/ohra/department-assignments/
Quality Improvement Program (QIP): http://www.hsph.harvard.edu/ohra/qip/
Services Include: Study Management Tools and Resources, Research Support Services, On-Site Reviews, Study Consultation, Submission Assistance, etc.
ESTR Resources: http://estrsupport.fss.harvard.edu/
Harvard Catalyst Data Protection Group investigator resources: http://catalyst.harvard.edu/programs/regulatory/data-protection.html
Feel free to contact me as well!Kim Serpico, MEd, CIP
IRB Review Specialist
617-432-7434, [email protected]
Miguel Sanchez; InfoSec Spec.
QIP Education Session
February 4, 2015
I Know My DSL, Now What? How to Protect Your Data
Tel: 617-496-8500E-mail: [email protected]
Website: security.harvard.edu
Agenda Overview
Research Data Security Checklists
Amazon Web Services (AWS)
What Do I Want To Do With This Data?
Use Existing Resources
De-identify Data
Data Security Checklists
For Level 3, 4 and 5
Researcher vs. IT Requirements
Is It Necessary?– 40 L3 Controls– 60 L4 Controls– L5 You Don’t Even Want to Know
Amazon Web Services (AWS)
HRDSP Still Applies
Requires Expertise
Is It Necessary?
Think Before You Build
What’s Your Ultimate Goal?
Create a Data Flow Diagram
Understand That Diagram
Use Existing Resources!
Pre-Approved Tools and Environments
Encrypted Storage Devices (i.e. Ironkeys)
De-Identify Data
Less is Best De-Identification Methods
– Statistical – Heuristic– Use Variables
Things to Keep in Mind
When In Doubt…
ASK!