This standard operating procedure (SOP) includes the following sections: Purpose, Procedure, Contacts, and Links.
Some links will work for NIAID staff only.
Purpose
To ensure the protection of personally identifiable, sensitive, or confidential information resulting from NIH-supported research or belonging to the federal government.
Procedure
Grantees, contractors, and NIH staff must protect information systems containing identifiable, sensitive, or confidential data, whether electronic or hard copy.
This requirement pertains to data belonging to the federal government or resulting from NIH-supported research. All awardees and NIH staff must protect these data to prevent their release or loss.
Some NIH-supported research is also covered by the Federal Information Security Management Act (FISMA). FISMA applies to contractors and grantees only when the government owns the data.
Investigators, Grantees, Contractors, and Institutions
- Do not put personally identifiable, sensitive, or confidential information about NIH-supported research or participants on portable electronic devices such as laptops, CDs, or flash drives. If you must use such devices, encrypt your data.
- Limit access to personally identifiable information through password protection and other means.
- Transmit research data only when you know the recipient's systems are secure.
- See if FISMA applies to you:
  - FISMA does not apply to most grantees; the exception is cooperative agreements in which data are transferred directly to the government.
  - FISMA applies when you collect, store, process, transmit, or use information on behalf of a government organization, that is, only when the government owns the data.
  - For questions about whether your data fall under FISMA, contact your Information Systems Security Officer.
- Understand that even if FISMA does not apply, you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
- If you provide collected sensitive information to NIAID as a condition of your award, NIAID is responsible for protecting the transfer.
- In the event of a data security breach, do the following:
  - Follow your institution's policy.
  - Inform your NIAID program officer and your grants management or contracting officer.
  - Your institution pays the expenses of addressing the breach out of indirect costs.
Peer Reviewers
- Reviewers can gain access to review materials in the following ways:
  - Logging into IMPAC II for both the meeting folder files and the recruitment phase (application review site only; no files are sent automatically).
  - Logging into RSS (proposal review site only; only email notices of activities are sent, with no files attached).
  - Via SEFT (Secure Email and File Transfer Service). Reviewers receive a link to the SEFT site; no files are attached to the email.
  - Via Adobe Portfolio. Password-protected, encrypted files (Adobe portfolios, Adobe security envelopes, and MS Office file types) are emailed to the reviewer.
  - CDs (if preferred).
- If NIAID sends you a CD, you need a password to access the CD data. See Accessing a Password-Protected CD: Instructions for Reviewers and Accessing a Password-Protected CD: Instructions for Reviewers (with screenshots).
- In the event of a data security breach such as a lost CD or loss of other application information, notify your scientific review officer immediately.
Scientific Review Officers
- Password protect review materials, and do not send the password in the same message as the files.
- Emphasize to peer reviewers that they must immediately report any loss of application information.
- If you learn of any loss of data, immediately contact the NIAID Information Systems Security Officer. Provide the following details:
  - Study section designation, name, and meeting dates.
  - Your contact information. The Office of Extramural Research will work primarily with you to resolve the situation.
  - Format of the lost material (hard copy or electronic, and the type of media).
  - Circumstances under which the data were lost.
NIAID Staff
- Be aware that you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
- Follow these mandatory guidelines for protecting your equipment:
  - Encrypt laptop computers with an approved encryption software package. See Encryption Information.
  - Encrypt portable media such as flash drives if they contain sensitive data, including personally identifiable information.
  - Get more guidance for NIAID staff at Mobile Telecommunication Devices (iPhones, iPads, and MiFi Devices) and Mobile Telecommunication Devices Policy.
  - See Equipment to Be Encrypted.
- If you attend a study section meeting, do not take any notes that would identify reviewers, and do not discuss individual reviewer comments with investigators.
- In the event of a data security breach, take the following steps:
  - Tell your supervisor and email the NIAID Information Systems Security Officer. Include when the breach occurred, the scope of the data loss, and the possible impact if known.
  - If you lose an NIH-issued laptop or BlackBerry, or you suspect loss of personally identifiable information, also inform the NIH IT Service Desk within one hour.
Contacts
NIH IT Service Desk, 301-496-4357
NIAID Information Systems Security Officer
Use the contacts listed above for questions about your specific situation. If you have a general question or a suggestion to improve this page, email the Office of Knowledge and Educational Resources at email@example.com.
Links
Maintaining Confidentiality in NIH Peer Review
Guide for Identifying Sensitive Information
NIH and HHS Encryption Policies, Guidance, and Tools
Protecting the Security of NIH Grant Applications
Secure One HHS - Protecting America's Health and Human Services