Procedures for Keeping Data Confidential

Population Assessment of Tobacco and Health (PATH) Study (NIDA)

Attachment 16
PATH Study
Procedures for Keeping Data Confidential

Population Assessment of Tobacco and Health (PATH) Study (NIDA)

Westat’s Procedures for Keeping Data Confidential
Following is a description of the procedures Westat will take to keep confidential the study
data collected from the PATH study respondents.
•

Study data will be identified and retrieved by a study number only. Investigators will
not have access to Personally Identifiable Information such as social security number
(SSN), name, or address.

•

Personally Identifiable Information (name, address, email address, and telephone
numbers, etc.) will be stored in a secure database environment that is compliant with
FISMA Moderate security guidelines.

•

Hard-copy data forms will be identified only by a study identification number and will
be stored in locked files at the contractor’s facilities.

•

All computerized data will be maintained in a manner that is consistent with FISMA
Moderate security controls and guidelines identified in NIST Special Publication 80053.

•

All systems and databases handling or storing PII and/or PHI will be reviewed for
FISMA compliance by the NIDA Chief Information Officer (CIO) and Information
Systems Security Officer (ISSO), and will not be operated in production mode until
granted an Authority To Operate (ATO) by NIDA.

•

No reports or data files will contain personal identifiers.

•

All contract staff working on the study will be required to sign a statement pledging to
keep all study data confidential.

•

All contract staff members are required to undergo background screening
commensurate with their role on the project and their access to study data.

•

All contract staff are required to complete NIH Computer Security Awareness
Training as well as Privacy Awareness Training.

•

Access to study data will be limited to the staff working on the study.

•

When the study is complete or until the data is no longer required for research, the
data will be stored or destroyed so that only necessary and useful records are
retained in the files of NIH offices and laboratories for as long as required and
reasonable and that records with lasting historical, legal or scientific value are
preserved.

1