Data Security Plan

Att 6_LEAP Data Security Plan.docx

Formative Research and Tool Development

OMB: 0920-0840



Local Effectiveness Assessment Project (LEAP): A Case Study of a Local Jurisdiction Providing HIV Services to MSM

Draft Data Security Plan


Contract # 200-2013-57339



February 9th, 2015

Prepared for:

Monique Carry, PhD


Prevention Research Branch
Division of HIV/AIDS Prevention
Centers for Disease Control & Prevention
1600 Clifton Road, Mailstop E-37
Atlanta, GA 30333


Submitted by:

Atlas Research

3240 Prospect Street, NW, Suite 100

Washington, DC 20007






  1. Data Security Contact Information

Study Team Contacts:

Sean Owen

Director, Information Security

4550 Montgomery Ave #800N

Bethesda, MD 20814

Phone: 301-347-5734

[email protected]


Cynthia Klein

Senior Associate

Abt Associates

2200 Century Parkway, Suite 950

Atlanta, GA 30345

Phone: 404-946-6310

[email protected]


Alex Mijares

Senior Analyst

Abt Associates

2200 Century Parkway, Suite 950

Atlanta, GA 30345

Phone: 404-946-6378

[email protected]


Jamie Hart

Executive Vice President

Atlas Research 

3240 Prospect Street NW, Suite 100 

Washington, DC 20007 

Phone: 202.717.8716
[email protected]


Client Contact:


Monique Carry, Ph.D. (Technical Monitor) and James Carrey, Ph.D. (COR)

Operational Research Team, Prevention Research Branch

Division of HIV/AIDS Prevention, NCHHSTP

1600 Clifton Road, Mailstop E-37

Atlanta, GA 30333

Phone: 404.639.1903

[email protected]




  2. Study Overview

2.1 Overview

Our objective in the development and implementation of this written data security plan is to create effective administrative, technical, and physical safeguards for the protection of data from the CDC Local Effectiveness Project (LEAP): A Case Study of Local Jurisdiction Providing HIV Services to MSM. This plan is for use by the study team (including CDC), Institutional Review Board, and information security team.

The sections that follow in this document outline the type of data we will be safeguarding and our approach to protecting this information 1) commensurate with the level of sensitivity of the data and 2) in accordance with requirements from relevant regulations.

Please note that reference to “Atlas” within this document refers to the broader “Atlas Team” which includes both Atlas Research and Abt Associates.

This is a living document that will be updated as needed throughout the study and lifecycle of the data.


2.2 Study Information



Exhibit 1. Basic Study Information

| Item | Value |
|---|---|
| Study Title and Nickname | Long: Local Effectiveness Project (LEAP): A Case Study of Local Jurisdiction Providing HIV Services to MSM. Short: CDC LEAP |
| Contract Number | 200-2013-57339 |
| IRB Number and Status | Pending |
| Division | Public Health and Epidemiology |
| Client Organization Name | CDC |
| Prime Contractor | Atlas Research |

Exhibit 2. Key Study Dates

| | Start Date | End Date |
|---|---|---|
| Study | 09/05/2014 | 3/4/2016 |
| Data Collection | ~08/2015 | ~12/2015 |


Exhibit 3. Study Partner Information

| Organization | Point of Contact | Contract Number | Data Agreement #, if any |
|---|---|---|---|
| Atlas Research | Jamie Hart | 200-2013-57339 | None |





  3. Description of Study Data and Study Procedures (Narrative)

3.1 Types of Study Data


The study will rely on 4 primary sources of data to inform the barriers and facilitators of HIV Care experienced by providers.

  1. Primary data collection

  1. Key Participant Interview (KPI) Guides – We will collect data using three interview guides tailored to each level of the Modified Social Ecological Model. The interview guide will include open-ended questions that allow for in-depth inquiry into the factors that influence issues and accomplishments in HIV prevention for MSM in the selected jurisdiction. The structured response questions will capture demographic characteristics and assist in contextualizing participants’ open-ended responses.

  2. Structured response questions – Data will be collected via a brief structured response questionnaire on such items as gender/transgender status, sexual orientation, languages spoken, years in position, and organizational affiliations. Demographic data will not be linked to qualitative interview data, will not be delivered directly to CDC, and will only be reported in aggregate summary form.

  3. Observation Data – Observational data will be collected on: engagement in risk behaviors (e.g. observations of dating sites), and prevention activities (e.g. HIV testing/awareness events).

  4. Document Review Tool – Additional data will be recorded through the review of key documents to aid in identifying features and issues of the local jurisdiction that influence policy and prevention programming for MSM.



3.2 Security Procedures

Procedures to maintain the confidentiality of data:

The Atlas team will collect all data during site visits to Philadelphia, PA. Data will be collected using approved devices and via secured systems.


The following outlines procedures for each data source:

  1. Provider interview data will be collected by the Atlas Team. One-hour interviews will be conducted with each participant in a private setting (e.g. participant’s office). All interview data will be recorded by Atlas using a secured digital audio-recorder (not video-tape) with the consent of interview participants. Upon completion of the site visit, Atlas staff will securely upload interview recordings. Notes will also be taken using encrypted laptops in MS Word. Participants will be reminded by the interviewer not to use full names or identifying information during the discussion. Atlas will perform the transcription of all audio-recordings. Any reference to full name or other identifying information that arises unintentionally during the discussion will be redacted from the transcripts by Atlas, and reviewed for quality assurance by Abt staff. All qualitative analyses will be conducted by Atlas and Abt using the redacted interview data on NVivo 10 (stand-alone version). All transcripts and NVivo datasets will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. At the end of the contract, redacted interview data and the coded NVivo dataset will be delivered to CDC via secured transfer.

  2. Structured response questions. All questionnaire data will be recorded manually onto paper forms by participants during the site visit as part of the interview. The hard copy information will be entered by Atlas into SPSS, which will be stored on secured laptops. At the end of the contract, Abt will deliver the SPSS datasets to CDC via secured data transfer. Atlas will destroy the hard copy questionnaire forms.

  3. Observation data. No PII will be collected. Observational data will be collected on: engagement in risk behaviors (i.e. observations of a gay dating website), and prevention activities and service delivery (e.g. HIV testing/awareness events).

  • Dating site observations: The Atlas Team will conduct observations at 3-4 time periods of promotion of local events and risk behaviors on gay dating websites (using a separate computer that does not contain study data). The Adam4adam website will be observed; this will require the study team to register/log in. The page on the website that will be reviewed will be “Parties & Events”. The “AREA filter” will be set for “North America/Pennsylvania/Philadelphia”. The terms and conditions for this website do not prohibit researchers from observing the website without identifying themselves. Text of event postings will be copied into a Word document. The event planners will be given a unique identifier. Any reference to full name or other identifying information will be redacted from postings by Atlas, and reviewed for quality assurance by Abt staff. All qualitative analyses will be conducted by Atlas and Abt using the redacted observation data on NVivo 10 (stand-alone version) on a computer different from the one used to collect the postings and that is not connected to the network. All observation data and NVivo datasets will be stored on encrypted and password-protected laptops that will not be connected to a server or the internet. At the end of the contract, redacted observation data and the coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the observation data.


  • Events with HIV Prevention Activities: The Atlas Team will conduct observations at 2-3 events that include HIV prevention activities. If approached by someone asking about our observation, staff will inform them about the purpose of the study based on language in the consents. The event data will be collected on hard copy forms and entered into SPSS, and stored on encrypted and password-protected laptops that will not be connected to a server or the internet. Data will be entered by one staff member and reviewed by another staff member for quality assurance. The hard copies will be stored in locked file cabinets in Atlas and Abt secured facilities.

Further, location and types of events and risk behaviors will be given a unique identifier and mapped by neighborhood or zip code for web-posts that provide a location, and for special events. At the end of the contract, Abt will deliver the SPSS file and maps to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms.

  4. Document review data. No PII will be collected of patients, providers or staff. As available, data reviewed may include: local policies, planning documents, Medicaid expansion related policy documents, local jurisdiction surveillance documents, local jurisdiction viral load documents, government agency reports, organizational reports and web-site or social media content from local NGOs and private providers, epidemiological research in local jurisdiction, and others. This is a document review; therefore, interviews will not be conducted to collect this data. However, organization staff can be consulted for specific clarifying questions as necessary. The data will be collected on hard copy forms and entered into SPSS, and stored on secured laptops. The hard copies will be stored in locked file cabinets in Atlas secured facilities. At the end of the contract, the team will deliver the SPSS datasets to CDC via secured data transfer, and Atlas and Abt will destroy the hard copy forms.


The following steps will be taken to minimize the risk of breach of confidentiality during recruitment:

  • Roster of Potential Participants. The roster of potential participants will be either faxed or obtained in person and delivered directly to Atlas and Abt offices. The roster will not include a study name. Electronic copies of the roster will be stored on a password-protected and encrypted computer not connected to the server, and hard copies will be kept in a locked file cabinet and destroyed after the completion of the study.

  • Schedule of Interviews. The schedule of interviews will include: time, date, facility and name of provider. This information will be kept separate from data collected. Electronic copies of interview schedules will be password protected and hard copies of schedules will be immediately destroyed after interviews. Schedules will not be linked to participant ID or facility ID.



3.3 Systems and Security

The Atlas Team is committed to conducting research in conformity with basic ethical principles, and federal and other regulatory requirements that govern research involving human subjects, as well as information security regulations.  We protect the confidentiality of data through the following processes:

  • Data security – We utilize password protected and encrypted laptops, digital recorders and cameras for this project that are not connected to the network, internet or cloud. Additionally, we will store in locked and separate facilities at least two back-ups of all study data.

  • Physical security – Access to the data processing areas is controlled, with only authorized personnel allowed in the offices. Locked storage areas are protected by assigned group memberships, passwords and other techniques (e.g., Access Control Lists), which prohibit access by unauthorized users.



  4. Staff Training on Data Security and Monitoring

Prior to data collection, key staff from Atlas Research and Abt Associates will 1) complete study-specific data collection trainings, 2) receive a copy of the data security plan, and 3) complete the following general trainings to promote data security and compliance. Management of trainings is handled within each organization and occurs annually or biannually. A list of some of the trainings completed by Abt Associates and their partner organizations is provided in Exhibit 4.

Exhibit 4. Annual or Bi-annual Trainings

| Team Member | Topic |
|---|---|
| Abt Associates | HIPAA Rules of the Road – Practical Information for Ensuring Compliance; IRB 101 Training; General Security Awareness Training; CITI Human Subjects Training |
| Atlas Research | HIPAA Rules of the Road – Practical Information for Ensuring Compliance; General Security Awareness Training; CITI Human Subjects Training |

All project staff will be trained on the project-specific data security plan (which includes the regulations and requirements for handling data for the study).

Monitoring and supervision of the staff who are handling data and/or are interviewing program staff at Abt Associates and Atlas Research will allow for additional opportunities to identify and correct any security or procedural issues. All project staff will be made aware of the project-specific data regulations and best practices associated with handling data for the study. These practices will be incorporated in the study protocol and will be detailed in training plans for interviewers, as well as for support and data analytic staff.

  5. Deliverables

The following are key deliverables associated with tasks relevant to this data security plan. In all reports no PII will be included and all reported data will be aggregated at either the site or multi-site level. Interview data will include programmatic information alone.

Exhibit 5. Deliverables

| Data Source | Deliverable | Deliverable Date |
|---|---|---|
| None | Draft data collection instruments | 11/7/14 |
| None | Draft sampling plan | 11/07/14 |
| None | Draft data plan | 11/07/14 |
| None | Draft study protocol | 11/21/14 |
| None | IRB submission | 12/18/14 |
| None | OMB submission | 1/24/15 |
| All: Structured response questions, KPIs (i.e., redacted interview transcripts), Observation Data, and Document Review Data. | Submit final dataset and supporting documents to CDC | 2/19/16 |

Within two weeks of the end of the task order, we will provide CDC with all data collected as part of this project, to include but not be limited to: Sampling Plan, Data Plan and Study Protocol; IRB/OMB documents; redacted interview transcripts, document review/observation checklist data, results of any literature reviews and any other guidance. If a participant refuses audio-recording, notes will be taken, and redacted for coding. Raw interview notes will not be shared or transitioned to CDC during or at the conclusion of the project.


Quantitative data will be delivered as datasets that are compatible with SPSS. Qualitative data will be delivered in NVivo 10.0 (stand-alone, non-network version) compatible datasets unless otherwise specified by CDC. A data dictionary will be developed and delivered to document data files, to include a listing and description of the data files and the variables in each data file and, for interview or form data, annotated questionnaires/forms. Each data source collected will be given a unique participant and facility ID:


Structured Response Questions (i.e. demographic) will have the following form of ID: DQ (demographic questions), first letter of city, organization and participant number (different from transcript). For example: DQP01_P1.


KPI transcripts will have participant ID and organization ID, and be linked to the variables in exhibit 6, observation tool data and document review data. KPI transcripts will have the following form of ID: IT (interview transcript), first letter of city, organization number and participant number (different from structured response questions). For example: ITP01_P1011.


Observation tools will be given a unique identifier. Completed observation tools will have an establishment/organization/event ID and, if applicable, will be linked to transcripts and document review data. They will have the following form of ID: OT (observation tool), first letter of city, and # of organization (same for all data points). For example: OTP01.


Document Review tools will have the following form of ID: DR (document review), first letter of city, and # of organization (same for all data points). For example: DRP01. Data will be entered in SPSS. All document review notes will be destroyed by Atlas and Abt staff at the conclusion of the study.



Exhibit 6. Linked variables between structured response questions and interview transcripts

| Variable | Description |
|---|---|
| Type of Key Participant | Public Policy: government agency representatives; Community: government agency representatives, NGO representatives, and private providers; Individual/Social and Sexual Networks: leaders in the gay community and MSMs |
| Type of Organization | Government, NGO, private |


Final report to CDC will include:

  1. Summary demographic data – Aggregate demographic data will be reported by city/facility type and type of provider.

  2. Interview data – Data will be reported by themes analyzed. Quotes used in the report only include type of provider, city, type of facility location (urban, rural, suburban), type of facility (Ryan White vs. Non-Ryan White) and amount of time providing care for HIV infected patients.

  3. Observation data – Data will be reported by themes analyzed and descriptive quantitative summaries. Facility data will be linked to provider transcripts and document review data via facility identifier. Observation results will be reported by type of facility, city, and type of facility location.

  4. Document review data – Data will be reported by themes analyzed and descriptive quantitative summaries. Facility data will be linked to provider transcripts and observation data via facility identifier. Document review data will be reported by type of facility, city and type of facility location.


The report will be submitted to CDC as a final deliverable. Summary data may also be analyzed for manuscript publication in academic journals and/or poster and oral presentations at conferences (e.g. American Public Health Association) as feasible.


  6. Physical Record Lifecycle


Pathway of Physical Records

Source

Data Types

Destination

Transport

Storage

(Destination)

Destruction

(Destination)

Atlas Team Site Visit Data – Structured Response Questions

Structured Response Data (hard copy which will then be recorded electronically into SPSS)

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive


USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract



Atlas Team Site Visit Data – Observation Tool

Observation tool data (hard copy which will then be recorded electronically into SPSS)

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive


USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract



Atlas Team Site Visit Data – Document Review Tool

Document Review Tool data (hard copy which will then be recorded electronically into SPSS)

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive

USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract



Atlas Team Site Visit Data – Roster of Potential Participants

Roster of potential participants (hard copy either faxed or picked up in person or delivered to Atlas or Abt offices)

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive

USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract



Atlas Team Site Visit Data – Schedule of Interviews

Schedule of potential participants

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive

USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract



Atlas Team Observation Data – Roster of Dating Website Event Planner

Roster of dating website event planner

Atlas Research/Abt

Paper

Encrypted CD/DVD

Tape

Encrypted thumb drive

Encrypted Hard drive

USPS (Registered)

UPS

FedEx

Licensed/bonded carrier

Hand-delivery by project member

Locked file cabinets in Atlas/Abt secured facilities

At the end of the contract






  7. Electronic Record Lifecycle


Pathway of Electronic Records

| Source | Information Types | Destination | Transport | Storage System | Destruction Date |
|---|---|---|---|---|---|
| Atlas Team Site Visit Data – Structured Response Questions | Structured Response data (SPSS dataset) | Abt/Atlas | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, Abt will deliver the SPSS datasets to CDC via an encrypted flash drive. Both Atlas and Abt will destroy the hard copy questionnaire forms. |
| Atlas Team Site Visit Data – Interview Data | Interview recordings (transcripts and NVivo datasets) | Abt/Atlas | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, redacted interview data and coded NVivo dataset will be delivered to CDC via an encrypted flash drive, and Atlas and Abt will destroy the interview recordings. |
| Atlas Team Site Visit Data – Observation Data | Observation Data (SPSS and NVivo dataset) | Abt/Atlas | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, Abt will deliver the SPSS files to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms. |
| Atlas Team Site Visit Data – Document Review Data | Facility Document Review Data (SPSS dataset) | Abt/Atlas | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, Abt will deliver the SPSS datasets to CDC via an encrypted flash drive, and Atlas and Abt will destroy the hard copy forms. |
| Atlas Team Site Visit Data – Schedule of Interviews | Schedule of potential participants (Word or Excel file) | Atlas Research/Abt | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, Atlas and Abt will destroy the hard copy forms and delete electronic versions. |
| Atlas Team Observation Data – Roster of Dating Website Event Planner | Roster of dating website event planner | Atlas Research/Abt | Abt MoveIT DMZ, Secure web portal, Fax, Encrypted flash drive | Locked file cabinets in Atlas and Abt secured facilities | At the end of the contract, Atlas and Abt will destroy the hard copy forms and delete electronic versions. |


  8. Physical Security


Physical Access Chart

| Organization | Building Access | Room Access | Media Access |
|---|---|---|---|
| Atlas Research | Key card, Biometric imprint, Other method: _____________ | Key card, Biometric imprint, Other method: _____________ | Key card, Biometric imprint, Other method: Secure/lock doors; locked file cabinets |
| Atlas Research | Key card, Biometric imprint, Other method: _____________ | Key card, Biometric imprint, Other method: _____________ | Key card, Biometric imprint, Other method: Secure/lock doors; locked file cabinets |



File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: Alex Mijares
File Created: 2021-01-30
