Form OPM 5110 OPM 5110 Research Agreement Application for the Use of OPM Record

Research Agreement Application
for the Use of OPM Record-Level Data
Name of Research Entity:
Name & Title of Principal Researcher:
Contact Address: Provide street address, city, state, zip code, department and building name,
and office / room number

Phone Number:

Email:

Title of Proposed Research Project:
First-time Application?

Yes

No

If no, provide all previous application reference number(s):

To be completed by OPM:
Application Reference Number:
This proposal was:
Approved
Denied
Returned for modification
Date data must be destroyed by:

Proposed Research Project
Please include the following information, and any other supporting information needed to
describe the overall study aims, not to exceed five pages. Please include a one paragraph
summary of the proposed research project.
1. Overall summary:

2. Briefly describe your research objective.

3. What is the dataset or datasets you will need access to for your research? What data
elements do you need? (Please include a justification for each data element, with
detailed description of the use of any potentially identifying data elements.)

4. What methods will you use to analyze the data?

5. What is the scientific and/or policy value of your proposed research to the field? What
potential value does it have for the federal workforce?

6. What is the timeline for the proposed research project? How long will you need access
to the data?

7. Who will work on the project? What are their qualifications and subject matter
expertise? (Include CVs, if relevant.)

Security Plan
Please describe your security plan by providing specific information for each item below.

Computer and Security System Information
1. Provide a detailed description of the physical computing environment, including the
computer(s), where the data will be stored and analyzed to include encryption at rest,
encryption in transit, access controls, malware protection, audit logs, etc.

2. Describe overall security safeguards in place for the system, network, and physical
location?

3. Describe the procedure for back-ups for this computer system. How will the requested
data be excluded from routine back-ups?

4. Who has physical access to the equipment? Who has permission to use the
equipment? (Only authorized users who have signed affidavits and/or required
documents agreeing to data confidentiality and handling procedures should have
access to the room with the secure computer and hard copy data. If you propose an
alternate arrangement, please describe in detail.)

5. Will any of the components used in this project be used for other projects? How will
you keep the data requested isolated from other users and systems (i.e., not allowing
for data collision)?

6. Describe how “user access” (privileged and non-privileged) to the system (or any of its
components) is controlled and monitored.

7. Will hard copy output of the data/information be printed? If so, describe the storage
location, security, and disposal methods for hard copy output.

Communication of Data
1. Describe the rules for communication or transmission of data between team
members.

2. Describe any circumstances under which analytic output from the data will be
transferred electronically (e.g., what are the restrictions on the content of electronic
transfers?).

Research Team Training and Monitoring
1. Describe the plan for training research team members in the restrictions and security
provisions of this agreement.

2. Describe the plan for monitoring the periodic aspects of this plan, such as back-ups,
password changes, and erasure of temporary directories and files.

Security, Privacy, and Data Use Attestation
The following physical location and computer security procedures must be implemented
when in possession of PII data. By checking the box next to each security procedure, you
signify that these procedures will be implemented for the duration of the project and
Research Agreement period:
Only authorized users listed on the License will have access to the record-level data, files
derived from the data, and the secure location in which the data is housed. For any
physical copies, access will be limited to the secure room/project office by locking office
when away from the office.
Data will only be secured, accessed, and used only in secure locations and/or on secure
devices. A password (following adequate complexity requirements as defined below) will
be required as part of the computer login process.
The password for computer access will be unique and at least 8 characters with at least
one non-alphanumeric character and a mix of upper- and lower-case characters.
The computer password will change at least every 3 months or when project staff leave.
Read-only access will be initiated for the original data.
An automatic password protected screensaver will enable after 3 minutes of inactivity. No
routine backups of the data will be made.
Project office room keys will be returned, and computer login will be disabled within 24
hours for any user who leaves the project. The PPO will notify OPM of staff changes.
Record-level or potentially identifiable data will not be placed on an external server or
network, CD, USB memory stick, or external hard drive.
If requested, the Research Entity must make available for inspection, at reasonable hours,
by OPM the physical housing and handling of all data files and any other information,
written or electronic, relating to this agreement.
The Entity will, at the conclusion of the Research Agreement period or completion of the
research, whichever comes first, destroy all copies made of the data, and provide
confirmation of such action to OPM IT security personnel.
The Entity will not add to the list of authorized users of the data nor reduce any security
arrangements without first notifying OPM.

The Entity agrees that it has no interest in the identity of individuals in the data file and
will make no attempt to determine, through computer matching or other means, the
identity of individuals in the file.
No cell describing 10 or fewer cases (small cell) shall be released or be obtainable by
subtraction to people not on the list of authorized users of the data.
The Entity will inform OPM in case of suspected breach within two hours.
If OPM determines that confidentiality has been breached, the Entity will immediately
destroy or return all copies of the data and will be denied further access to these or any
other data.
The Entity will attribute OPM as the source of these data in all reports and other data
products produced with these data.
The Entity will not share any form of the data with anyone not pre-specified in the
memorandum of understanding, including but not limiting to any journals or other
clearinghouses that request research data.
The Entity agrees to provide OPM with copies of the documents that present these data
and to provide additional reports and briefings to OPM, as requested.
OPM may review periodically the Entity’s ability to maintain the confidentiality of the data
and any security safeguards required. These reviews may result on revocation of the
Entity’s access to the data if there is sufficient evidence that the Entity has not maintained
adequate safeguards.
Principal researcher

Signature

Date

Public Burden Statement
The public reporting burden to complete this information collection is estimated at 60
minutes per response, including time for reviewing instructions, searching data sources,
gathering and maintaining the data needed, and the completing and reviewing the collected
information. An agency may not conduct or sponsor, and a person is not required to
respond to a collection of information, unless it displays a currently valid OMB control
number and expiration date. Send comments regarding this burden estimate or any other
aspect of this collection information, including suggestions for reducing this burden to
[email protected]. Current information regarding this collection of information –
including all background materials -- can be found at https:/www.reginfo.gov/public/do/
PRAMain by using the search function to enter either the title of the collection
(Research Agreement Application) or the OMB Control Number (3206-NEW).