
Data Security

Some links will work for NIAID staff only.


Purpose

To ensure the protection of personally identifiable, sensitive, or confidential information resulting from NIH-supported research or belonging to the federal government.

Procedure

Grantees, contractors, and NIH staff must protect information systems containing identifiable, sensitive, or confidential data, whether electronic or hard copy.

This requirement pertains to data belonging to the federal government or resulting from NIH-supported research. All awardees and NIH staff must protect these data to prevent release or loss.

Some but not all NIH-supported research is also covered by the Federal Information Security Management Act (FISMA; page 48). FISMA applies to contractors and grantees when the government owns the data.

Grantees, Contractors, and Institutions

  • Do not put personally identifiable, sensitive, or confidential information about NIH-supported research or participants on portable electronic devices such as laptops, CDs, or flash drives. If you must use such devices, encrypt your data.
  • Limit access to personally identifiable information through password protection and other means.
  • Transmit research data only when you know the recipient’s systems are secure.
  • See if the Federal Information Security Management Act (FISMA) applies to you.
    • FISMA applies when you collect, store, process, transmit, or use information on behalf of any HHS organization.
      • FISMA applies only when the government owns the data.
      • FISMA does not apply to most grantees except cooperative agreements where data is transferred directly to the government.
    • For questions about whether your data falls under FISMA, contact Sally Rockey, Office of Extramural Research, at rockeysa@od.nih.gov or 301-496-1096.
  • Understand that even if FISMA does not apply, you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • If you provide collected sensitive information to NIAID as a condition of your award, NIAID is responsible for protecting the transfer.
  • In the event of a data security breach, follow your institute's policy. Also inform your NIAID program officer and grants management or contracting officer. Your institute will pay expenses to address the breach out of indirect costs.

Peer Reviewers

Scientific Review Officers

  • Password-protect CDs with review materials.
  • Emphasize to peer reviewers the need to immediately report the loss of CDs or other application information.
  • If you learn of any loss of data, immediately contact NIAID's Information Systems Security Officer. Provide the following details:
    • Study section designation, name, and meeting dates.
    • Your contact information. OER will work primarily with you to resolve the situation.
    • Format of material (CD or paper; password protected or not).
    • Circumstances by which the data was lost.

NIAID Staff

  • Be aware that you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
  • Follow these mandatory guidelines for protecting your equipment:
    • Encrypt laptop computers with an approved encryption software package.
    • Encrypt portable media such as flash drives if they contain sensitive data, including personally identifiable information. For acceptable USB drives, see FIPS Certified USB Drives (NIAID staff only).
    • Configure BlackBerry wireless handheld devices with an access password and other security features provided by the NIH BlackBerry Enterprise Server.
  • Do not store sensitive information on a Macintosh laptop due to the lack of National Institute of Standards and Technology-approved encryption software. You can use Mac laptops for sensitive data analysis if you use an encrypted removable device.
  • If you attend a study section meeting, do not take any notes that would identify reviewers, and do not discuss individual reviewer comments with investigators.
  • In the event of a data security breach, take the following steps:
    • Tell your supervisor and email NIAID's Information Systems Security Officer. Include details on when the breach occurred, scope of data loss, and possible impact if known.
    • If you lose an NIH-issued laptop or BlackBerry, or you suspect loss of personally identifiable information, also inform the NIH Helpdesk within one hour.

Contacts

NIH Help Desk, 301-496-4357

NIAID's Information Systems Security Officer -- Contact for NIAID Staff (NIAID staff only).


Links

A Statement from the NIH Director, Elias A. Zerhouni, M.D., on Encryption and Data Security

Encryption, Data Security, and NIH Peer Review (memo to staff; NIAID staff only)

Guide for Identifying Sensitive Information (NIAID staff only)

NIH/HHS Encryption Policies, Guidance, and Tools

NIH Renews Focus on Protecting Sensitive Data and Information Used in Research

Responding to Loss of Sensitive Data and Other Information in NIH Grant Applications (NIAID staff only)

 
