RSS data security plan

Att_7b_RSS Data Security Plan.docx

Formative Research and Tool Development


OMB: 0920-0840




Understanding Barriers and Facilitators to HIV Prevention, Care, and Treatment



7b. RSS Data Security Plan
















Task Order 0001 Barriers and Facilitators to HIV prevention and care for PLWH


Information Security Plan


The RSS team will centralize all electronic data at IMPAQ International. IMPAQ will be responsible for the development and maintenance of electronic data management and storage systems for the data it receives from the other RSS team members, since IMPAQ has pursued and achieved a level of data protection and security beyond that of the other RSS team members. RSS and Emory will each be responsible for the security of any electronic and paper data at their sites as explained in this plan.


IMPAQ has successfully and securely managed and stored sensitive research data for clients, including offices and agencies within DHHS, the Department of Labor, the Department of Education, and others. For the Centers for Medicare & Medicaid Services they have successfully stored and processed data sets consisting of tens of millions of individually identifiable healthcare claims records. IMPAQ has never had a data breach or other data-security incident.


Data collected in the field, both on paper and in recordings, will be securely managed at RSS and Emory, where recordings will be transcribed using standalone computers not networked or connected to the Internet. Transcript data will be transmitted to IMPAQ by the secure methods described below. Coded and sorted analysis files will be sent to Emory and RSS as necessary, again following CDC-approved protocols. At Emory and RSS, those files will only be used on standalone computers, not networked, and without Internet access. For coding and sorting of data, IMPAQ will use N-Vivo. We will use the standalone (not network) version and configuration of N-Vivo 10.1 to comply with CDC security requirements.


Specific procedures on management of the information for Task Order 0001 iQual project are described below.


Transferring data:

Interview data will be collected via audio recordings and paper questionnaires. Neither of these will contain PII by design. Should a respondent inadvertently give PII during a recorded interview, this sensitive information will not be included in the typed transcripts. Transcribers will use bracketed descriptors in place of PII when transcribing interviews (e.g., “When [PARTNER 1] said that…”).


On this Task Order, all personally identifiable information (PII) will be maintained in paper and audio-recording form only. All these materials at RSS and Emory will be kept in locked cabinets in secured locations. PII contact information will be kept separate from any screeners, instruments or recordings. Each of these two organizations will be responsible for the materials kept at its site, as they normally are in all studies. Transcripts will be completed on password-protected standalone (non-networked) computers without Internet access. Access to the transcript files on these computers will require a password, and will only be allowed for staff who are working on this project and need access. Although transcripts will not contain PII, all transcripts will also be encrypted. The transcripts will then be sent on encrypted flash drives via FedEx, using security protocols or as directed by the CDC COR.


The RSS team is committed to ensuring the confidentiality, integrity and availability of all project data, as well as the privacy and confidentiality of any individuals represented in the data.


On this task, no PII will be stored in electronic format. It is anticipated that only transcripts without PII will be kept on electronic media. PII included on contact forms, consents, receipts, and interviewer and staff notes will be kept in paper format only and will remain in locked, secured areas at Emory and RSS. Audio recordings of the interviews will also be kept in locked cabinets in secure areas.


IMPAQ information technology security personnel routinely review system logs for inappropriate activities and take corrective action.


If any PII (from materials held at RSS or Emory) or other sensitive project data is disclosed inadvertently or is at risk of disclosure due to a lost, missing, or intercepted transfer, this will be documented and follow-up reports provided to the COR. IMPAQ holds privacy notification insurance with the Chubb Insurance Group. Emory and RSS will follow the same procedures should any incident occur that might compromise paper or audio recording information.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: nnanda
File Modified: 0000-00-00
File Created: 2021-01-30
