Recordkeeping

License for the Use of Personally Identifiable Information Protected Under the E-Government Act of 2002, Title V and the Privacy Act of 1974

Data_License_Application (2016)

Recordkeeping

OMB: 2528-0297

Document [docx]
Download: docx | pdf


OMB #2528-0297

Date XX-XX-XXXX



APPLICATION FOR DATA LICENSE

Name of Receiving Institution / Organization:

Name & Title of Principal Project Officer (PPO):

PPO Address:

(Provide street address, city, state, zip code, department and building name, and office / room number)

PPO Phone Number: PPO Email:

Title of Research Project:
To be completed by HUD:

Circle one: Approved Denied Returned for modification

Date data must be destroyed unless written extension provided by HUD:

Shape1 PROPOSED RESEARCH PROJECT

  1. List the survey name, year and wave description (if any) of the data file(s) you wish to access.

  2. Briefly describe your research objective and how you will use the requested data. (You may also attach a research proposal.)

  3. Explain why the public-use files cannot meet your research need.

  4. If you plan to link the requested data to any other data, list these other dataset names and describe how linking the data will allow you to achieve your research objectives.

  5. What is the scientific and/or policy value of your proposed research? Which sector(s) of the housing and urban development community will be served by your work?

  6. Do you agree that the requested data will not be used for any administrative or regulatory purpose?

  7. Shape2 How long will you need access to this data?


SECURITY PLAN

Please describe your security plan by providing specific information to answer each of the questions below. You may attach or insert additional materials as needed.

Physical Location of Data

Project Office Address:

(Provide street address, city, state, zip code, department and building name, and office / room number)

Project Office Phone Number:

Note: The PII data and computer must be secured and used only at this location. When the data are not being used, the data must be stored under lock and key at this location. Only authorized users of the data, as listed on the License, may have key access to the secure project office/room.

Shape3 Computer System Information

  1. Provide a detailed description of the physical computing environment, including the computer(s), where the PII will be stored and analyzed.

  2. Describe the procedure for back-ups for this computer system. How will the requested data be excluded from routine back-ups?

  3. Who has physical access to the equipment? Who has permission to use the equipment? (As a general matter, only authorized users who have signed affidavits agreeing to data confidentiality procedures should have access to the room with the secure computer and hard copy data. If you propose an alternate arrangement, please describe in detail.)

  4. Is this system used by other projects?

  5. Where will hard copy output be printed? Describe the storage and disposal methods for hard copy output.

Shape4 Note: Receiving institutions must provide a secure computing environment. In general, this means a physically secure PC(s) not attached to the institutional network or to the Internet, a local printer using easily identified paper not to leave the secure facility, and a local shredder for discarded paper. Back-up of processing programs is permitted, but back-up of data files is not. Use of a laptop computer, external hard drive, CD, or USB memory stick is strictly prohibited. Absolutely no PII data may be copied onto a server or computer that is attached to the Internet or an institutional network. Researchers may propose an alternative computing set-up, but the stand-alone PC in a secure environment accessible only to authorized users is the accepted method and the standard against which alternatives will be evaluated.


Security System Information

  1. Describe the BIOS configuration (e.g., boot the computer from the hard drive only, plus password protection of BIOS so changes cannot be made to the BIOS without authorization).

  2. Describe the physical security of the location where data are to be stored and used.

  3. Describe the installed encryption software for directories containing secure data (i.e. Windows 2000 encryption).

  4. Describe the installed secure erasure program and the protocol for running it.

  5. Will the network interface card (NIC) be removed or disabled so it cannot be used?

Shape5 File Access Management

  1. Describe the number and location of copies of the data.

  2. Describe the rules for creation of and access to temporary (i.e., analytic) files.

  3. How will hard copy data be handled, stored, and disposed of?

  4. How will data access be restricted to the Principal Project Officers and authorized team members?

  5. Describe the rules for passwords and screen saver activation.

Shape6 Communication of PII Data

  1. Describe the rules for communication or transmission of detailed data tabulations.

  2. Describe any circumstances under which analytic output from the MTO data will be transferred electronically (e.g., what are the restrictions on the content of electronic transfers?).

Shape7 Research Team Training and Monitoring

  1. Describe the plan for training research team members in the restrictions and security provisions of this agreement.

  2. Describe the plan for monitoring the periodic aspects of this plan, such as back-ups, password changes, and erasure of temporary directories and files.

End of Project Procedures

  1. Describe the steps to be taken at the completion of the research project.

  2. Please provide any additional information relevant to the security of the PII data.

In submitting this application, the researcher agrees to comply with the security protocols outlined above. Additionally, the following physical location and computer security procedures must be implemented when in possession of PII data. By checking the box next to each security procedure, you signify that these procedures will be implemented for the duration of the project and License period:

Shape9

Only authorized users listed on the License will have access to the PII data, files derived from the PII data, and the secure room in which the data is housed. Access will be limited to the secure room/project office by locking office when away from the office.

Data will only be secured, accessed and used within the secure project room/office A password will be required as part of the computer login process.

The password for computer access will be unique and at least 8 characters with at least one non-alphanumeric character and a mix of upper- and lower-case characters.

The computer password will change at least every 3 months or when project staff leave. Read-only access will be initiated for the original data.

An automatic password protected screensaver will enable after 3 minutes of inactivity. No routine backups of the PII data will be made.

Project office room keys will be returned and computer login will be disabled within 24 hours for any user who leaves the project. The PPO will notify HUD of staff changes.

PII data will not be placed on a server (network), laptop computer, CD, USB memory stick, or external hard drive.

The Receiving Institution must make available for inspection, at reasonable hours, by HUD the physical housing and handling of all data files and any other information, written or electronic, relating to this agreement.

The data will be removed from the project computer and overwritten, whether at the end of the project, or when reattaching a modem or LAN connection.

The receiving institution will, at the conclusion of the license period or completion of the research, whichever comes first, return the original data transfer medium to HUD and to destroy all copies made of the data.


Shape10

The Receiving Institution and researcher further agree:

The Receiving Institution will not add to the list of authorized users of the data nor reduce any security arrangements without first notifying HUD.

The Receiving Institution agrees that it has no interest in the identity of individuals in the data file and will make no attempt to determine, through computer matching or other means, the identity of individuals in the file.

No cell describing 10 or fewer cases (small cell) can be released, or be obtainable by subtraction to people not on the list of authorized users of the data, unless agreed to by HUD.

The Receiving Institution will immediately inform HUD in case of suspected breach.

Shape11

In the event that HUD determines that confidentiality has been breached, the Organization will return all copies of the data to HUD and will be denied further access to the data until the Organization provides sufficient assurance, acceptable to HUD, that the data disclosure will not be repeated.

Shape12

The Organization will attribute HUD as the source of these data in all reports and other data products produced with these data. The Organization agrees to provide HUD with copies of the relevant portions of all documents that present these data.

HUD will review annually the Organization's ability to maintain the confidentiality of the data and may revoke the Organization's access to the data if there is sufficient evidence that the Organization has not maintained adequate safeguards.



Paperwork Reduction Act Notice. Public reporting burden for this collection of information is estimated to be 1 hour per applicant, and includes time for reviewing the instructions, and completing and reviewing the responses. Your completion of this information collection is voluntary. HUD may not collect this information, and you are not required to complete this form, unless it displays a current, valid OMB control number.


File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
AuthorHill, Ronald M
File Modified0000-00-00
File Created2021-01-15

© 2024 OMB.report | Privacy Policy