Manual of Procedures, PFAS/viral infection, v1.0
Last Revised: January 3, 2022
Evaluating the Association between Serum Concentrations of Per- and Polyfluoroalkyl Substances (PFAS) and Symptoms and Diagnoses of Selected Acute Viral Illnesses
Manual of Procedures
Agency for Toxic Substances and Disease Registry (ATSDR) and the Centers for Disease Control and Prevention’s (CDC) National Center for Environmental Health (NCEH)
2.0. Brief Overview of Study 5
3.2.2. Data access (including REDCap) 7
3.3. Continuous maintenance of staff 7
4.3. Public Access to Data and to Data Management Plan 9
5.1. Communications Plan (notification of study) 9
5.2. Invitation Letter and Informed Consent package 10
6.2. Reminders to participants 11
6.3. Results of Study to participants 11
7.0. Data Management and Security 11
7.1. Collections and management of data 11
7.1.1. Use and protection of personally identifiable information (PII) 11
7.1.2. Data delivery and flow 11
7.1.3. Data Quality Control Checks 12
7.1.4. Access Controls and Security 12
7.1.5. Data Security Measures at CDC/ATSDR 13
7.2. Procedure for Requesting Access to Data 14
7.3. Encrypted Multi-User Share Tool (MUST) 14
7.3.2. Configuration of Shares 15
7.3.3. Granting Access to Shares 15
7.4.1. File Level Encryption 15
7.4.2. Client Whole Disk Encryption 15
7.5. Request to Move PII from Encrypted Share 15
7.7. Securely Receiving / Sending Data 16
7.8. De-identification of Data 16
7.10.1. Review of PII for Accuracy and Relevancy 17
8.0. Study Completion and Close-out Procedures 17
9.0. Manual of Procedures (MOP) Maintenance 18
Appendix A – Rules of Behavior 19
Appendix B – MOP Modification Log 22
Abbreviations
ATSDR |
Agency for Toxic Substances and Disease Registry |
CITI |
Collaborative Institutional Training Initiative |
CDC |
Centers for Disease Control and Prevention |
CSIRT |
CDC Security Incident Response Team |
DM |
Data Management |
DMP |
Data Management Plan |
DUA |
Data Use Agreement |
EA |
PFAS Exposure Assessment |
HHS |
US Department of Health and Human Services |
ICR |
Information Collection Request |
IRB |
Institutional Review Board |
ISSO |
Information Systems Security Officer |
MOP |
Manual of Procedures |
MOU |
Memorandum of Understanding |
MUST |
Multi-User Share Tool |
NCEH |
National Center for Environmental Health |
OMB |
Office of Management and Budget |
PEATT |
PFAS Exposure Assessment Technical Tools |
PFAS |
Per- and Polyfluoroalkyl Substances |
PI |
Principal Investigator |
PIA |
Privacy Impact Assessment |
PII |
Personal Identifiable Information |
PRA |
Paperwork Reduction Act |
RCR |
Responsible Conduct in Research |
ROB |
Rules of Behavior |
SAMS |
Secure Access Management Services |
SAT |
Security and Awareness Training |
This Manual of Procedures (MOP) is a handbook that details this study’s conduct and operations as well as facilitates consistency in data management practices across users of the data. This MOP provides guidance on how to implement data collection. The MOP is provided to each member of the Study Team. The Office of Management and Budget (OMB) approved the information collection request (ICR) under the Paperwork Reduction Act (PRA) on XX/XX/XXXX (OMB Control No. XX-XXXX, expiration date XX/XX/XXXX). The Study Protocol 7360.0 was approved by the CDC Institutional Review Board (IRB) on 11/16/2021. Current IRB Approval of Continuation expires 11/14/2022.
In 2019 and 2020, the Agency for Toxic Substances and Disease Registry (ATSDR) conducted statistically based biomonitoring PFAS exposure assessments (EAs) in eight communities that had documented exposures to PFAS in drinking water. ATSDR also supported two EAs that were designed to test the PFAS Exposure Assessment Technical Tools (PEATT). PFAS concentrations were measured in serum collected from EA and PEATT assessment participants, and a survey was administered to gather information to characterize each individual’s exposure. During the same period, ATSDR initiated a health study at the Pease International Tradeport that included measurement of participants’ PFAS serum concentrations and collection of information about individual exposures.
This protocol describes a follow-up study that will recruit participants (2,800 adults and 370 children) from the existing EA, PEATT assessment, and Pease Study cohorts who have existing PFAS serum measurements and who have given prior consent for additional contact from ATSDR and the Centers for Disease Control and Prevention’s (CDC) National Center for Environmental Health (CDC/ATSDR).
CDC/ATSDR will invite participants to complete a new series of surveys to determine whether PFAS exposure increases susceptibility to viral infections, including, but not limited to, COVID-19. Surveys (initial hardcopy delivered by mail, with follow-ups delivered through web-based CDC REDCap or optional hardcopy) will be administered in 5 rounds spaced by 3 months, over the course of one calendar year. In total, each participant will be asked to participate in the study for 12-14 months and will spend a total of about 2.5 hours responding to 5 total surveys (i.e., each survey should take about 30 minutes to complete, and this will be done quarterly).
The objectives of this study are: (1) to examine the association between PFAS concentrations in serum collected from existing ATSDR cohorts and the frequency of occurrence of selected syndromes (combinations of self-reported symptoms), which will be used as a proxy for viral infections; and, (2) to examine the association between PFAS concentrations in serum collected from existing ATSDR cohorts and self-reported positive test results indicating specific viral infections.
Prior to initiation of the study, the study team will conduct a pilot test of the initial and follow-up surveys (adult and child) among 9 or fewer internal staff. Participants will complete a hard copy of the surveys and then answer a series of questions to assess comprehension, ease of use, and time burden associated with surveys. Participants will only submit their answers to the pilot testing questions via email to the study team.
Study staff comprises scientists with backgrounds in medicine, environmental health science, epidemiology, toxicology, and public health from CDC/NCEH and ATSDR. The study staff develops and conducts the investigation, evaluates the data, analyzes the data, and prepares reports on the findings for publications. Additionally, the study staff will share the results from this study through community-facing mechanisms. As the study findings are being finalized, the study team will work with ATSDR communications to develop a roll-out plan on how to best share these results with community members. This could potentially include a webinar for community members, distribution of fact sheets, etc.
Initial phases of study planning have been conducted with the assistance of contract staff from Guidehouse. Additionally, Guidehouse staff have helped develop a tracking database to assist iduring study implementation and tracking participants throughout the tenure of the study. Guidehouse staff will not have access to any confidential, health-related data received from participants of this study.
The PIs and study staff, including regional personnel, perform duties including,
Prepare a protocol for the study
Develop all recruitment materials (e.g., fact sheets, recruitment letters, postcards and posters, press releases, etc.)
Develop all data collection instruments, including consent forms and surveys, that will be submitted to and approved by IRB and OMB
Ensure compliance with IRB and OMB requirements
Protect participants' rights during all phases of recruitment and testing
Managing data per the Data Management Plan (DMP) and the Privacy Impact Assessment (PIA) form
Complete data review and analysis
Write the study report
Principal investigators (PIs): Melanie Buser and Rachel Rogers
Data manager: Hao Tian – will assist PIs with data receipt, tracking data received from participants, and preparation of analytic data sets
Data processing and analysis team: Andrea Winquist (NCEH), Arthur Wendel (ATSDR), Melanie Buser (ATSDR), Michelle Zeager (ATSDR), and Rachel Rogers (ATSDR)
Interpretation and communication of study findings: PIs, data management and analysis team
Communications assistance: Ana Pomales and Sophia Minor
Contract staff: Guidehouse
Research Ethics and Compliance Training, provided by the Collaborative Institutional Training Initiative (CITI Program) (https://www.citiprogram.org/?pageID=668)
If you are a CDC employee, you must have a valid CDC ID to access the training
Select Centers for Disease Control and Prevention and login through the Secure Access Management Services (SAMS)
If you are not a CDC employee, you can register with CITI as an independent learner.
Once logged in to CITI, you will be asked to complete a survey to identify available training options based on your role and responsibilities. (If you have previously completed the survey, you will be taken to your My Courses page). The CITI website offers easy access to the required courses, as well as an extensive catalog of additional trainings. However, in order to meet the requirement, you are only required to complete one combination of the Basic Overview and Responsible Conduct in Research (RCR) courses (Biomedical- or Social and Behavioral-based courses)
Once you complete the training, you need to submit your completion certificate to [email protected]
You must take a refresher course at least every 3 years
If you have questions about accessing CITI, please contact [email protected]
Annual CDC Security and Awareness Training (SAT)
Manual of Procedures (MOP) and Rules of Behavior (ROB) training, comprising a meeting with study staff to review and discuss any questions about either document and to have all study staff sign the ROB.
After study staff who (based on their role with the study) need access to the health-related data have completed the required training and have signed the rules of behavior, the study PIs will ask staff working with PFAS data repository to grant access to the encrypted MUST share folder for this study (see details below).
Any updates to the Rules of Behavior document will require all staff to review and sign to ensure their access to study data is maintained. The DM Team will ensure all users who have access to the study data are provided the updated Rules of Behavior for their signature.
The current version of the study protocol is available in the folder \\cdc.gov\locker\ATSDR_PFAS_Data\PFAS_Viral_Infections.
The study protocol includes:
Protocol Summary
Introduction
Background information
Justification for Study
Objectives
Procedures and Methods
Overview of Existing Cohorts
PFAS Exposure Assessments and PEATT Assessments
The Pease Study
Recruitment
Recruitment Packet
Letter of Invitation
Consent Form
Data Collection Procedures
Surveys
Initial Survey
Follow-up Surveys
Symptom Diary
Tracing and Follow-up Procedures
Data Handling and Analysis
Data Protection
Certificate of Confidentiality
Data Linkage
Outcomes
Methods of Data Analysis
Confounders
Descriptive Analyses
Analysis of Association
Quality Control for Data Analysis
Statistical Power Calculation
Timeline
Anticipated Risks and Benefits
Limitations of the Study
Anticipated Products
References
Lists of Appendices
This study involves human subjects and is subject to Institutional Review Board (IRB) approval. All IRB forms have been submitted including all appropriate information from the Privacy Act, including
Authority for and purpose of the data collection,
With whom identifiable information will be shared,
The voluntary nature of the information collection process,
Any possible effect on the respondent for not participating, and
Any potential risk involved in participation.
This study requires both completion and approval of an Office of Management and Budget (OMB) submittal that fulfills requirements of the Paperwork Reduction Act (PRA). The intention of the PRA regulations is to ensure that the public is not overburdened by data collection requests from the federal government. This compliance also helps ensure non-duplication of effort between data-collecting governmental agencies. The OMB submission includes all appropriate information, including:
Supporting Statement A: Background for the study, the number of “burden hours” (i.e., the number of hours that DCHI is burdening the public by asking questions) that the study will expend, and the estimated cost of that expenditure.
Supporting Statement B: information on the use of statistical methods to identify respondents.
Consent forms
Survey
IRB approval form
Cleared protocol including all forms and attachments
Privacy Impact Assessment (PIA) form
OMB COVID-19 waiver has been requested for this project. The COVID-19 waiver was approved on 08/26/2021. This waiver covers the study for up to 6 months. During that time, we continued undergoing the full OMB approval process. The OMB submission was approved on XX/XX/XXXX.
The Office of Science ensures compliance with the January 26, 2016 CDC/NCEH policy on public access to data. The policy ensures CDC/NCEH manages and assists with public access to its funded public health data and complies with applicable open government initiatives. The policy requires a Data Management Plan (DMP) for each covered intramural and extramural collection of public health data. The DMP for this study was submitted and approved.
Prior to initiation of the study, we will use communication materials to inform stakeholders of this study. There are multiple stakeholders that will require different communication details depending on their relation to the study:
Inform past participants of the EA, PEATT, and Pease Study cohorts about their eligibility to participate in the PFAS and infection susceptibility study and increase study enrollment;
Raise awareness among the PFAS EA, PEATT, and Pease Study communities about the PFAS and infection susceptibility study and to set study participation expectations; and,
Provide clear and timely information about study objectives and activities to local, state, and federal agency partners.
At the onset of this present study, a package containing an invitation letter, study fact sheet, consent/permission/assent forms, Privacy Act Statement, initial survey, symptom diary, and pre-paid return envelope will be mailed to all participants included in the previous studies discussed above who agreed to be contacted for follow-up studies. An additional copy of the Consent/Permission/Assent form will be included in the package for participants to keep. The invitation letter will explain the purpose and how the study will be conducted over the study period. Potential participants will be provided a telephone number and email contact information for contacting study personnel and will have the opportunity to ask questions about this study prior to enrollment.
We will obtain written consent (permission/assent for children) for participation in the study. The consent form tells the participants about the study and their rights as a participant. Participants will be instructed in writing to sign and date the signature page and return in a self-addressed, stamped envelope that will be provided in the package. The original signed copy of the consent form (permission/assent form for children) will be securely stored in a locked cabinet at NCEH/ATSDR.
A hard copy of the initial survey will be mailed to participants in the recruitment package, and once completed, will be mailed back to the study team in a self-addressed, stamped envelope provided. Follow-up surveys will be administered via email from CDC’s secure web-based platform, REDCap, or via paper-based mail for those who do not want to use REDCap. Any paper-based surveys received (including all initial surveys) will be entered into REDCap by study personnel.
Upon receipt of the signed consent form, each enrollee will be randomly assigned a new participant ID. This participant ID will be included on all follow-up surveys. This will be used to link the surveys together and link to the previously collected PFAS serum measurements to protect the privacy of the participants.
A tracking database using Power Apps and SharePoint will be used for study implementation and tracking throughout the study. This database will track when surveys are sent, by what means they are sent, when they are returned, any reminders sent, incentives sent, etc. All study personnel will have access to this database and be able to input the information. No personal identifying information will be included in this tracking database. The tracking database will use the participant’s ID for tracking. The linkage between PII and participant ID will be stored in a separate database on the encrypted MUST share folder.
Reminders for initial study participation will be made by telephone only. Once a participant agrees and consents to participate in this study, reminders for survey completion will be sent to participants by the method chosen on the consent form (email, phone, text message, or mail).
The results of the study will be disseminated through abstracts, professional meeting presentations and manuscripts for publication in peer reviewed journals.
We will share the results from this study through community-facing mechanisms. As the study findings are being finalized, the study team will work with ATSDR communications to develop a roll-out plan on how to best share these results with community members. This could potentially include a webinar for community members, distribution of fact sheets, etc.
This section of the MOP describes the computer system and data management approach that will be used to support this study and details how data are to be collected and protected.
The study staff will receive, manage and store PII in an already established record system (System of Records Notice [SORN] No. 09-19-0001 titled “Records of Persons Exposed to Toxic or Hazardous Substances”).
During the recruitment and informed consent/permission/assent process, we will collect PII (i.e., name and date of birth). This will be used to link the survey data collected in this study with the PFAS serum measurements from the previous ATSDR study. After receiving the consent/permission/assent, study staff will randomly assign each participant a unique identifier to be used for the remainder of the study. With this, no other PII will be collected for the remainder of the study.
ATSDR will store the PII in a separate master key dataset along with a study-generated ID in a designated CDC/ATSDR encrypted share drive (i.e. MUST share).
Figure 1. Data flow diagram
Data quality control checks may identify potential data anomalies such as:
Missing data or forms
Out-of-range or erroneous data
Inconsistent and illogical dates over time
Data inconsistency across forms
Study staff involved with data management will perform the data quality checks and resolve any identified data quality issues. Analytic data sets will be prepared after data quality issues have been resolved.
All study staff will provide a signed Rules of Behavior that will outline the access and use of study data. Least privilege access will be employed, and users will only be given access to the minimum data required for their particular analysis. Once approved by study PI, the study data manager will set up or grant appropriate permissions to users.
Upon completion of the project and once CDC/ATSDR has received all approved study related paper documents, the recipient will destroy those hardcopy documents not necessary to complete the study analyses or to contact study participants, as applicable. Records are retained, disposed, stored, handled, and viewed in accordance with the ATSDR Comprehensive Records Control Schedule (B-371), GSR 20.2c& d, and GSR 20.6. Current procedures allow the system manager to keep the records for 20 years unless needed for further study.
Data security measures at ATSDR will comply with the CDC/ATSDR Protection of Information Resources Policy and the CDC/ATSDR IT Security Program Implementation Standards. These policies apply to all authorized ATSDR employees. All incidents involving a suspected or confirmed breach of PII must be reported to OCISO according to the policy titled OCISO/CDC Standard for Responding to Breaches of Personally Identifiable Information (PII).
The CDC/ATSDR issues identity credentials based on the Federal Information Processing Standards (FIPS) Publication 201 for Personal Identity Verification (PIV) authentication of government employees’ identities. Security measures for physical access to secured facilities include the use of PIV Cards, security guards, and closed circuit TV monitoring.
CDC/ATSDR policy requires employees to gain authorized logical access to its information systems through a unique electronic identity (User ID). The computer-controlled limits on what can be done by the user are assigned based on program roles and privilege requirements.
Authorized recipient researchers and CDC/ATSDR employees are required to:
• Complete required privacy and information security refresher training.
• Read, acknowledge, sign (if online completion is not available), and comply with the HHS Rules of Behavior, as well as other applicable CDC/ATSDR- and system-specific rules of behavior before gaining access to the CDC/ATSDR’s systems and networks.
• Adhere to the requirements set forth in the CDC/ATSDR IT Security Program Implementation Standards, and other security policies and procedures that minimize the risk to CDC systems, networks, and data from malicious software and intrusions.
• Abide by all applicable acceptable use policies and procedures regarding use or abuse of CDC/ATSDR IT resources.
Records will be retained and disposed of in accordance with the CDC/ATSDR Scientific and Research Records Control Schedule. Physical copies of assessment materials and reports will be maintained at ATSDR until no longer needed by program officials and will be kept in accordance with the corresponding retention schedules. Computer documents will be disposed of when no longer needed by program officials. Personal identifiers will be deleted from records when no longer needed and will be retained no longer than five years. Disposal methods will include erasing computer files, shredding paper materials, or transferring records to the Federal Records Center when no longer needed for evaluation and analysis. Records are retained for 20 years after the retirement of the record system.
The PI or data steward of the study shall maintain a data access spreadsheet with the following information at a minimum:
Date
First Name
Last Name
Contractor/FTE
CDC User ID
Approved By
Approved By Date
Data Store (share, database, etc.)
Data Set
PII Indicator
Role (data access level)
Access Granted By
Access Granted Date
Access Removed By
Access Removed Date
This spreadsheet will be stored in the \\cdc.gov\locker\ATSDR_PFAS_Data\PFAS_Viral_Infections folder of the encrypted MUST share for this study. This folder will permit Full access to the PI/data steward and Read access for other users.
When a user requests access to data or changes the type of access to the data, a new entry will be added to this spreadsheet. PI and data steward must ensure that the user has signed the Rules of Behavior (ROB) for the study before the user is granted access to any study data.
Share Location (URI): \\cdc.gov\locker\ATSDR_PFAS_Data\PFAS_Viral_Infections
Admin: Principal investigator (PI) and those that will be administering permissions and encryption for the share
Study staff that will be working (analyzing, matching, linking, etc.) with the data.
Data Reader: Users that will only need to review the data but will not or should not be able to alter it.
Additional user roles may be created when needed.
The following information serves as an example of how sub-shares/folders will be set up on CDC/ATSDR encrypted multi-user share drive to illustrate the data management approaches and activities.
The encrypted MUST share will have the following folders:
Folder |
Folder Description |
Permissions |
Admin |
Data used only by administrators like spreadsheets, signed RoBs, procedures manuals, etc. |
Admin (full), General User (no access), Data Reader (no access) |
Raw Data |
Data that needs to be preserved in its current form and not altered. |
Admin (full), General User (read), Data Reader (read) |
Working |
Data that is being worked on by staff. |
Admin (full), General User (read/write), Data Reader (read) |
PII |
PII data for participants |
Admin (full), General User (no access), Data Reader (no access) |
The PI will grant users access to the MUST encrypted share (depending on the user’s role) using the MUST administration tool at http://itsotools.cdc.gov/must/.
Any data containing PII must be encrypted at the file level using Symantec Encryption Desktop when not in use. Information about installing the software, configuring the encrypted share, or encrypting individual files can be found in the documents listed below:
OCISO Installation Procedure for PGP Desktop 10.1.2
OCISO Quick User Guide for PGP Desktop 10.1.2
Note: When the encrypted share is setup, the PI and the data manager (at a minimum) should be configured as administrators. Anyone who needs to use the share should be configured as a user so that they can decrypt and encrypt files in the share. MUST share permissions will be used to limit what the user can access and modify.
CDC laptops have whole disk encryption (MS Bitlocker, Check Point, etc.) installed and enabled. CDC desktops do not have this software by default. If a desktop is to be used for processing or storage of study PII, then submit an ITSO helpdesk ticket to inquire whether the desktop is encrypted using whole disk encryption. If it is determined that the desktop is not encrypted, please have ITSO install the software and encrypt the hard drive.
Every effort should be made to keep data in the encrypted MUST share. If data needs to be moved from the share to another location, the move must be approved by the principal investigator (PI) and logged in a PII Transfer spreadsheet. The PI and data manager are responsible for maintaining this spreadsheet. The spreadsheet should contain the following information at a minimum (\\cdc.gov\locker\ATSDR_PFAS_Data\PFAS_Viral_Infections):
Date
First Name
Last Name
Contractor/FTE
CDC User ID
Approved By
Approved By Date
Data Set
PII?
Data Transferred To (Laptop Name, System Name, etc.)
Purpose
Data Deleted By
Data Deleted Date
Notes (Describe how data was deleted)
This spreadsheet should be stored in the Admin folder of the encrypted MUST share for this study.
Study participants will enter survey responses in REDCap if they choose to utilize the online platform. Each participant will have a unique study ID that they will use. Paper-based surveys received by study staff will be entered into REDCap by study staff using the unique study ID that is printed on the paper-based surveys. The study PI will determine who will administer the study’s data in REDCap and approve any access to the data in that system using the data access spreadsheet in the MoP.
Use CDC’s Secure Access Management System (SAMS) electronic authentication level 3 to electronically send or receive PII (https://sams.cdc.gov). Use of systems or methods, other than SAMS, to electronically send or receive PII must be approved in writing by the NCEH/ATSDR Information Systems Security Officer (ISSO).
At the end of data collection, data manager will lead and coordinate the re-identification risk assessment for the whole data set to evaluate and finalize the PII in the study data set. Once PII is finalized, all PII will be separated from non-PII data and stored and managed on the encrypted MUST share following CDC security policy and requirements.
De-identified data will be used in publications. In order to protect participants, study personnel will adhere to deidentification standards for these publications; for example, results with cell counts less than 5 participants will not be included in publications.
Incidents involving the study data or systems storing, processing or transmitting this data should be reported to the CDC Computer Security Incident Response Team within 1 hour. Definitions of an incident can be found in the CDC security awareness training and in the references below.
Computer Security Incident Response Team (CSIRT)
Email: [email protected]
Phone: 866-655-2245
References
Computer Security Incident Response: Host Isolation, Removal, and Mitigation (CDC-IS-2009-01)
CDC Information Security Enterprise Incident Response Plan Version 5.2
CDC/ATSDR personnel will determine whether the PII collected via consent/parental permission/assent forms and questionnaires are accurate. Participants will be provided CDC/ATSDR contact information to allow them to inform CDC/ATSDR if their contact information changes (e.g., if they move their residence or update a phone number).
Any inquiries from individuals related to their PII in this study will be reviewed by the study PI’s. The PI’s will decide what action to take (update information, remove the individual’s information, etc.) and communicate that decision to the individual within 60 days.
If an individual is concerned that his/her PII has been used inappropriately and communicates that to the CDC, the study PI will evaluate the concern and report the incident to the CDC Chief Privacy Officer within 48 hours.
This section of the MOP outlines the Study Completion and Close-out procedures. These include the following:
CDC/ATSDR will verify that all aspects of the study have been completed:
data have been collected and analyzed
a deidentified data set has been prepared as described above
a report has been finalized and presented to CDC/ATSDR
results from the study have been shared through community-facing mechanisms
Assurance provided by the PI that:
correspondence and study files are accessible for Freedom of Information Act (FOIA) requests.
study records (those that are not required to be destroyed or deleted) are appropriately maintained.
the IRB will be notified of the study’s completion and store a copy of the notification.
PII and any links to PII will be destroyed as soon as allowable by law after all analyses are complete and the manuscript describing the study has been published.
Records will be retained and disposed of in accordance with the CDC/ATSDR Scientific and Research Records Control Schedule.
Each page of the MOP is numbered, dated, and contains a version number to facilitate any changes and/or additions. The MOP will serve as a history of the study process, documenting the time and nature of any changes in procedures and policies. All MOP modifications will be recorded in the MOP Modification Log (Appendix B).
Rules of Behavior for Data Access and Use
Evaluating the Association between Serum Concentrations of Per- and Polyfluoroalkyl Substances (PFAS) and Symptoms and Diagnoses of Selected Acute Viral Illnesses
Purpose: The Rules of Behavior for Data Access and Use (ROB) provide study staff with the rules that govern the access and use of data and ensure that all investigators working on the study agree to these rules.
Description of Project: In 2019 and 2020, the Agency for Toxic Substances and Disease Registry (ATSDR) conducted statistically based biomonitoring PFAS exposure assessments (EAs) in eight communities that had documented exposures to PFAS in drinking water. ATSDR also supported two EAs that were designed to test the PFAS Exposure Assessment Technical Tools (PEATT). PFAS concentrations were measured in serum collected from EA and PEATT assessment participants. During the same period, ATSDR initiated a health study at the Pease International Tradeport that included measurement of participants’ PFAS serum concentrations.
This follow-up longitudinal study will recruit participants from the above studies who have existing PFAS serum measurements. CDC/ATSDR will invite participants to complete a new series of surveys to determine whether PFAS exposure increases susceptibility to viral infections including, but not limited to, COVID-19. Surveys will be administered in 5 rounds spaced by 3 months, over the course of one calendar year. Survival analysis will be used to assess associations between the previously collected serum-PFAS concentrations and incident viral infections for outcomes that are expected to occur only once during the follow-up period (e.g., diagnosis of COVID-19). Recurrent-event survival analysis, using the counting process approach, will be used for outcomes that are expected to occur multiple times during the follow-up period (e.g., upper respiratory illness). Models will control for potential confounders (e.g., age, gender, race/ethnicity) and account for clustering within households (in both types of analyses) and within individuals (in the recurrent events analysis). The analysis will be a within-community analysis to control for the local COVID-19 transmission level, combining information across communities.
In the course of a study, investigators will collect, manage, and transfer personal identifier information (PII) and non-PII data as outlined in the protocol. Access to PII and non-PII data will be limited to those investigators who have a demonstrated need, and will be subject to the ROB set forth below.
The ROB described below are specific for this project and supplement the following ROB and policies:
CDC Implementation of the HHS Rules of Behavior for Use of HHS Information Technology Resources (2014)
HHS Rules of Behavior for Use of HHS Information Resources (2013)
CDC Protection of Information Resources Policy (2010)
Use of CDC Information Technology Resources (2014)
These ROB apply to ALL original data, copies of data, and manipulated data. Data here refers to Personally Identifiable Information (PII) and non-PII data. Users with access to data agree that:
They will comply with all conditions set forth in these ROB for this project.
They will comply with all conditions set forth in any applicable data use agreements for the PFAS Exposure Assessments.
They shall not share any data with any personnel or entity inside or outside of CDC without an approved Memorandum of Understanding (MOU) or Data Use Agreement (DUA). Study Investigators and Study Data Manager should be parties to this agreement.
Study PII will ONLY be saved on common share \\cdc.gov\locker\ATSDR_PFAS_Data\PFAS_Viral_Infections, created with CDC’s Multi-User Share Tool (MUST). Only approved users will have access to the share. All PII data must be encrypted using file level encryption.
Before they can access the data, they must have a signed ROB, which will be stored in the shared drive.
They shall only transfer data between CDC and external entities using CDC’s Secure Access Management Services (SAMS), e-Authentication Level 3, and approved FIPS 140-2 encryption.
They will not download data to a non-encrypted CDC desktop or laptop.
If data must be downloaded for offline or desktop analyses, they will provide written notification on need and use, and duration of access of copy of data to the Study Investigators and Data Manager. In addition, a log of all additional copies must be maintained in the common share.
All computers and laptops storing, processing, or transmitting data from this study must be provided by CDC and encrypted using CDC FIPS 140-2 approved whole disk encryption.
All CDC systems processing the data must be authorized to operate by CDC and categorized as moderate or higher and approved to store, process or transmit personally identifiable information (PII). They acknowledge that they must obtain approval from the CDC/ATSDR Information Systems Security Officer (ISSO) before any additional CDC systems are used to process, store or transmit these data.
They will not print out any data. If printing is absolutely necessary, they will provide written notification on need, use, and duration of use of printouts to the Study Investigators and Data Manager. The printouts must be stored in locked cabinets when not in use and shredded when no longer needed. They shall provide written notification to Study Investigators and Data Manager when they destroy or shred the printouts.
They shall not transfer this data to external electronic media e.g. CD’s, DVD’s, thumb drives, portable hard drives. If absolutely necessary to transfer data on external electronic media, they shall get approval from CDC/ATSDR ISSO.
They shall not transfer or save this data to a non-CDC personal computing device such as personal or contractor laptop, smart phone, etc.
They shall not record or photograph any data to CDC or non-CDC personal computing device such as personal or contractor laptop, smart phone, etc.
They shall not transfer or save any data to non-CDC authorized cloud-based storage such as DropBox, Google Drive, etc.
They shall not email any PII or sensitive data to a CDC, personal, state, university, or any other non-CDC email address.
Only non-sensitive reports and statistical analyses may be transmitted via email. These emails and/or reports cannot contain personally identifiable information (PII).
They are responsible for data compromise or breaches resulting from inappropriate uses of data or violations of any of the data use and access rules set forth within this Rules of Behavior for Data Access and Use agreement.
They will report any security breach immediately (within 1 hour) to both the CDC/ATSDR ISSO ([email protected], (770) 488-6447) and the CDC Security Incident Response Team (CSIRT) ([email protected], (866) 655-2245).
They will keep a copy of the signed Rules of Behavior for Data Access and Use for their records and as a reference.
Name (printed): _____________________________________________________
CDC User ID: ____________
Organization: __________________________________________
Date: _________________________
Signature (please use blue ink): __________________________________________
Author |
Date |
Version |
Changes made (including page numbers) |
Reason for Change |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
Author | Michelle Zeager (ATSDR/OAD/OCHHA) |
File Modified | 0000-00-00 |
File Created | 2022-03-31 |