Checklist for reviewing Privacy, Confidentiality and ...


CHECKLIST FOR REVIEWING PRIVACY, CONFIDENTIALITY AND INFORMATION SECURITY IN RESEARCH
VA OI&T Field Security Service, U.S. Department of Veterans Affairs, Office of Information and Technology, Office of Information Security

Design of the Checklist

- For use by the PI, PO and ISO
- Provides guidance to the PI on the issues to document
- Requirements have subject titles that serve as an outline
- May be an independent document or added to the facility packet
- May be paper or electronic
- The IRB may require the entire form as is or adapt it
- Facility-specific questions may be added

Design of the Checklist (contd)

- The checklist should become part of the IRB protocol file (uploaded into Hawk IRB)
- Designed to encourage the PI, PO and ISO to plan for privacy, confidentiality and protection of research information
- Not intended to be an exhaustive list of requirements (for example, it does not address the need for a HIPAA authorization to take a picture or record a voice)
- Requirements may not apply to every study
- The PO or ISO may make a recommendation that is not a requirement

Implementation

- Develop a data security plan for your study
- The Data Security Plan will be entered in Hawk IRB (Section X) and should clearly describe the security parameters outlined in the VA Research Security Checklist
- May be completed manually or electronically
- May be signed electronically or with a wet signature
- The PO and ISO may sign once, indicating compliance with policy, or may recommend changes requiring further review

Implementation (contd)

The form will work best if the PI documents the plan in a specific section of the application or protocol (Hawk IRB Section X 1-4). It is not necessary to document every item in the application or protocol; if a section does not apply, check N/A. Data protection, ownership and data storage location should be clearly identified within the IRB submission.

Privacy Requirements and Information Security Requirements

The Privacy and Confidentiality Requirements and Information Security Requirements sections should be completed by the PI or a study team member. The questions serve as guidance to the PI on the information that should be documented for the study in terms of privacy, confidentiality and information security policy. The PI may use the checklist as a guide to describe the plan for information protection in Hawk IRB. Each item in these sections is preceded by a subject heading that serves as an outline.

For each requirement the PI is asked to indicate 1) the specific source document where the requirement is discussed and 2) the page number of that document. After each requirement, a reference is cited for informational purposes. PIs should document the plan for privacy, confidentiality and information security, preferably in a dedicated section (Hawk IRB Section X) of the application or protocol, and address all applicable requirements. It may not be necessary to document every item; if an item does not apply to the study, state so on the Checklist.

PIs should consult with their IRB administrator on whether a change in data privacy, confidentiality or information security requires an amendment to the protocol.

After the PI completes his/her part and uploads it into Hawk IRB, the PO and ISO evaluate and validate the PI's responses and indicate whether the study meets or does not meet the respective requirements. The PO and ISO should not rely solely on the responses to the Checklist. The PO and ISO also have space to offer comments to the Institutional Review Board (IRB) and the Research and Development Committee (RDC).

Web-based Survey Services

All commercial web-based survey services must be approved by VA OI&T prior to being used to collect VA research data. Survey Monkey currently can only be used for internal surveys of VA staff; when used for internal staff surveys, the responses must be stored on VA servers and the survey cannot collect any PII or PHI.

A web application used for research data capture should provide: 1) an intuitive interface for validated data entry; 2) audit trails for tracking data manipulation and export procedures; 3) automated export procedures for seamless data downloads to common statistical packages; and 4) procedures for importing data from external sources.

Software Installations

VA OI&T identifies what types of software installations are permitted (e.g., updates and security patches to existing software) and what types are prohibited (e.g., software whose pedigree with regard to being potentially malicious is unknown or suspect). No software will be installed on VA information systems or the VA network by users unless approved by OI&T or system management. VA OI&T develops and maintains a list of software programs authorized and not authorized to execute on the information system, and permits execution only of software on the authorized list.

Guidance for Use of Web-Based Collaboration Technologies

VA Directive 6515, Use of Web-Based Collaboration Technologies, Section 2d, states that VA personnel and organizations must exercise sound judgment when utilizing Web-based collaboration tools. The use of VA Web-based collaboration tools must promote the mission, goals, and objectives of VA. Such use must also be consistent with applicable laws, regulations, and policy, as well as prudent operational, security, and privacy considerations. Social media sites are NOT secure: they are public websites.

Mobile Devices

Mobile devices include portable cartridge/disk-based, removable storage media (e.g., floppy disks, CDs, USB flash drives, external hard drives, and other flash memory cards/drives that contain non-volatile memory). Mobile devices also include portable computing and communications devices with information storage capability (e.g., notebook/laptop computers, PDAs, cellular telephones, digital cameras, and audio recording devices). To ensure the protection of VA information, VA mobile devices will be encrypted using FIPS 140-2 (or its successor) validated encryption, if technically possible. If not technically possible, documented justification and review/approval by the local ISO and CIO are required.

Data Security

Think about how you would feel if a data breach were to occur with your personal information.

- Never leave sensitive personal information unattended
- Physically secure offices and labs (lock the door when you leave)
- Properly dispose of sensitive personal information
- Take caution with laptops and removable media: use hard drive encryption, cable locks, up-to-date anti-virus/firewall protection and current security software patches
- Remember that only government-issued encrypted flash drives are permitted
- Encrypt emails: use Public Key Infrastructure (PKI) or Rights Management Services (RMS) when electronically communicating sensitive information

Data Security (contd)

Store data in the right place. A mobile device should not contain the only copy of VA data. Store your information on a shared network drive to ensure that it is properly backed up; if your device is lost, stolen, or malfunctions, the data can still be accessed and recovered.

Use strong passwords. Passwords should contain a combination of uppercase and lowercase letters, numbers, and symbols. Steer clear of obvious passwords: never use your birth date, your mother's maiden name or the last four digits of your Social Security number. The easier a password is to remember, the easier it is for an identity thief to crack.

Emailing Veterans

The VA Office of Research and Development (ORD) does not have a policy regarding email within research. Research will follow information security guidance, and researchers are NOT allowed to email veterans unless they are using the MyHealtheVet system. This includes the recruitment of prospective subjects.

Questions

Report all security and privacy incidents immediately to your Supervisor, Privacy Officer or Information Security Officer.

VA Research Security Checklist Directions

Information Security Issues: Randall (Randy) Smith, 319-338-0581 x6266; Robert Hensley, 319-338-0581 x6265
Privacy and Confidentiality Issues: Amber Smith, 319-338-0581 x6092
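As an added illustration of the strong-password guidance in the Data Security section above (example code written for this page, not part of the original presentation and not VA policy), the following Python function checks a candidate password against those rules: all four character classes must be present, and none of the listed personal identifiers (birth date in its common written forms, mother's maiden name, last four digits of the SSN) may appear. The personal data values are constructed for the example, and the minimum length of 12 is an assumption the slides do not state.

```python
import re
from datetime import date

# Constructed personal data for the example (made up, not a real person).
# The slide lists these as values that must never appear in a password.
PERSONAL = {
    "birth_date": date(1975, 3, 9),
    "mothers_maiden_name": "Kowalski",
    "ssn_last4": "4821",
}

# Assumed minimum length; the presentation does not state one.
MIN_LENGTH = 12


def personal_tokens(personal):
    """Strings derived from personal data that a password must not contain.

    The birth date is expanded into common written forms so that a
    password such as 'Spring03091975!' is still rejected.
    """
    d = personal["birth_date"]
    return {
        d.strftime("%m%d%Y"),   # 03091975
        d.strftime("%m%d%y"),   # 030975
        d.strftime("%Y%m%d"),   # 19750309
        d.strftime("%d%m%Y"),   # 09031975
        d.strftime("%m%d"),     # 0309 (short; may occasionally false-positive)
        str(d.year),            # 1975
        personal["mothers_maiden_name"].lower(),
        personal["ssn_last4"],
    }


def check_password(password, personal=PERSONAL, min_length=MIN_LENGTH):
    """Return the list of policy violations; an empty list means acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # Require all four character classes named in the guidance.
    classes = {
        "uppercase letter": r"[A-Z]",
        "lowercase letter": r"[a-z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            failures.append(f"missing {name}")

    # Reject anything built from the personal data the slide warns about.
    # Comparison is case-insensitive so 'KOWALSKI' is caught as well.
    lowered = password.lower()
    for token in sorted(personal_tokens(personal)):
        if token in lowered:
            failures.append(f"contains personal data ({token})")
    return failures


if __name__ == "__main__":
    for candidate in ["kowalski1975!", "short1A!", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The check returns every violation rather than stopping at the first, so a user can fix all of them in one pass; in a real deployment the personal data would come from the account record, not a literal in the code.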
