Research Data Security Plan (RDSP) Reviewer Training
January 6, 2014
Duke Medicine Information Security Office
DATA CLASSIFICATION: PUBLIC

RDSP Purpose
Institutional oversight and management of research data storage.
During an internal or external audit, can the auditors validate intended vs. actual data storage?
Can we guide our researchers into more secure methods of data storage?

History of RDSP
Implemented November 2011 for all new non-exempt submissions through Duke Medicine IRB.
A retrospective survey in REDCap was administered by the Duke Office of Clinical Research (DOCR) to all existing approved, non-exempt studies at that time.

RDSP Review
Paper review is done by the CRU/Study Owning Organization (Research Practice Manager or equivalent).
Electronic review is done by the designated IT group supporting the CRU/Study Owning Organization.
Final approval should come only after communication between the paper and electronic reviewers assures that all data storage is listed and is compliant with Duke Medicine Information Security Standards and regulatory requirements.

...but IRB approved my study
The human subjects must understand where data are going and authorize the arrangements, which, within Duke, are accomplished via informed consent.
IRB does not review the RDSP. The Research Study Team and CRU/Study Owning Organization are responsible for ensuring that what is listed in the RDSP is reflected in the IRB submission (consent, waivers, summary).
Communication with the study team and between reviewers is a critical aspect of the review process.

01. Storage Media Types
Reviewer Note: If both sections are blank, this should be questioned, as it is rare that a research study would not generate ANY paper or electronic data. Notice that this section does not mention PHI, so unless a study has generated no paper or electronic data at all (extremely rare), something should be checked.

02.1 Storage of Paper or Non-digital Media
Reviewer Note: Check to ensure that Yes or No is selected for each dropdown option in the section labeled "Indicate if paper or nondigital media, even if the storage is temporary, contain:". The PHI dropdown should almost always be Yes. If No is selected, inform the PI/CRC that nearly all of the data collected for a research study at Duke Medicine is PHI. Even if it only contains the date of a clinical service, it qualifies as PHI.
Reviewer Note: SSNs require "two keys" for paper storage. Temporary storage of paper SSNs (permanently redacted at the earliest possible time) may be permitted for participant payment purposes, but all other paper SSN storage requires institutional approval through the Duke Medicine ISO. All storage, temporary or permanent, must be listed within the RDSP.

02.2 Storage of Electronic Information
Reviewer Note: Temporary storage of electronic SSNs (permanently redacted at the earliest possible time) may be permitted for participant payment purposes, but all other electronic SSN storage requires institutional approval through the Duke Medicine ISO. All storage, temporary or permanent, must be listed within the RDSP.

02.2 Storage of Electronic Information (continued)
Reviewer Note: As of January 2014, this section contains two additional storage options: "Duke University, OIT Managed Service" and "Campus Department Supported IT Service". If either of these options is selected, the IT reviewer should email the Duke Medicine Information Security Office (infosec@mc.duke.edu) for review, with the subject line "RDSP Pro000XXXXX".

02.2 Storage of Electronic Information (continued)
Additional Reviewer Notes:
All places (both internal and external to Duke Medicine) where study data is managed must be reflected. Study data may be managed by more than one IT support group.
Research data stored within Duke Medicine is governed by the Duke Medicine Security Standards. Research data maintained outside of Duke (such as at another university, a sponsor, or 3rd-party contractors or subcontractors) is protected by that entity. However, the human subject must understand where data are going and authorize the arrangements, which, within Duke, are accomplished via informed consent.
If questions arise about the propriety of the consent form, direct them to the CRU reviewer, who may discuss them with the IRB Office. IT staff are not responsible for reviewing consent forms, but should be able to recognize that authorization within a consent form may be needed and communicate this to the CRU reviewer, who will point researchers to the appropriate department (IRB) if necessary.

03 Duke Electronic Storage Details
Reviewer Notes: SEI is not prohibited from being stored on a workstation (local home drive) or a networked personal home drive in all instances, but it is strongly discouraged. Thought should be given to data availability in the event that an employee leaves Duke or is gone for an extended period. Storage on media other than a server should have a business justification.

03.1 Mobile Storage Device Details
Reviewer Notes: If mobile devices are listed, ensure the PI/CRC has been told that no SEI may be stored on mobile devices without encryption: PGP for Windows; PGP or FileVault 2 for Mac. Non-Duke-owned mobile devices are not allowed to be used to store Duke SEI.

03.1 Mobile Storage Device Details
Additional Reviewer Notes:
Mobile devices (general): security of mobile devices is governed by the Duke Medicine Mobile Computing and Storage Device Standard.
Laptops: no personal (non-Duke-owned) laptops may be used to store human subject research protocol study data. Item #15 in the Duke Confidentiality Agreement states: "With the exception of accessing Duke email on a personal smartphone (e.g., iPhone or Android device) or tablet (e.g., iPad), I WILL NOT store Confidential Information on non-Duke systems, including on personal computers/devices."
Other mobile devices (including external hard drives, flash drives and smart devices): the data or the device must be encrypted. Item #16 in the Duke Confidentiality Agreement states: "I WILL NOT maintain or send Confidential Information to any unencrypted mobile device, in accordance with Duke policies and procedures." The encryption algorithm must be the Advanced Encryption Standard (AES) with a block size of 256 bits or greater. PGP is the preferred encryption method.

04 Software Environment & Survey Tools
Reviewer Notes: Look for survey tools, cloud storage, social media, mobile devices, 3rd-party websites, etc. Remember, ALL data storage, both internal and external, must be listed. If the PI/CRC selected "Other entity outside of Duke Medicine", it should be adequately described.
Application, database, and operating system software: only currently supported (able to be patched) systems are allowed. IT staff are responsible for checking versions and sending the protocol back to the research team if versions are not listed.

04 Software Environment & Survey Tools
Reviewer Notes: Require specific details (e.g., rather than "sponsor website", ask the PI/CRC to list the link used for data entry, such as http://sponsor.website).
If a sponsor, vendor, or contractor website or tool external to Duke Medicine (including websites of 3rd-party affiliates of the sponsor) is used as an interface to collect or enter study data, one of the following must occur:
The human subject must understand where data are going and authorize the arrangements, which, within Duke, are accomplished via informed consent.
Formal review and signoff by the Duke Medicine Information Security Office.

04 Software Environment & Survey Tools: Mobile Apps
Reviewer Notes: If the submitter indicates use of a mobile app, as of January 2014, the IT reviewer should email the Duke Medicine Information Security Office (infosec@mc.duke.edu) for review, with the subject line "Mobile App Pro000XXXXX".

General Notes
CRU/Owning Org and IT staff are expected to document completion of the review, and any items that must be remedied, in the RDSP. If there are unresolved concerns, those remarks must be recorded in the comments section.
The CRU/Study Owning Organization is responsible for stopping any protocol from further IRB action if there is no reasonable plan to remedy deficient IT controls. If there is a question about the significance of an issue, contact the Information Security Office. For questions regarding non-digital media or data de-identification, contact the SOM Compliance Office or ISO.
New RDSP reviewers must be given training by the Information Security Office prior to beginning the RDSP review process, and a current list of all RDSP reviewers will be maintained by ISO for annual refresher training. The CRU/Study Owning Organization is responsible for informing ISO when reviewers leave or new reviewers are added.
Reviewers are encouraged to communicate within their CRU/Study Owning Organization and to ask questions of ISO and the SOM Compliance Office if they are unsure about how to aid a researcher with a particular RDSP submission. Study teams should be trained in RDSP submission by the CRU/Study Owning Organization, but ISO and the Duke Office of Clinical Research (DOCR) are available to assist with group training upon request.

Worth Repeating
The human subjects must understand where data are going and authorize the arrangements, which, within Duke, are accomplished via informed consent.
IRB does not review the RDSP. The Research Study Team and CRU/Study Owning Organization are responsible for ensuring that what is listed in the RDSP is reflected in the IRB submission (consent, waivers, summary).
Communication with the study team and between reviewers is a critical aspect of the review process.