Human Subjects Research Data Security
Some types of research involving sensitive information may require a system security plan (SSP) that clarifies the physical and technical safeguards that will be implemented and maintained by the researcher/research team. These requirements are set forth in federal and institutional policies. If your research is supported by a grant or contract, or requires a formal agreement with an outside entity, such as a data use agreement or nondisclosure agreement, data security and confidentiality requirements and applicable policies may also be specified in the award documents or agreement.
Why Is This Necessary?
SSPs are required for projects involving restricted use data sets; protected health information (PHI) subject to HIPAA, including limited data sets; and projects involving use of controlled unclassified information (CUI) as determined by governmental agencies. Health information is one of several subcategories of CUI that may be used in research with human subjects.
What Do I Need to Do?
First, review your IRB approval letter or contact the IRB Director ([email protected]) to determine whether an SSP will be necessary for your project.
Second, based on your research agenda and future plans, determine the scope of your SSP—a single project, or a series of similar studies that have the same data protection requirements (e.g., several studies using protected health information).
Third, download and complete the System Security Plan (template and instructions coming soon). If you have questions while filling out the template, please contact the Director of the Office of Research Integrity ([email protected]).
Fourth, submit your completed SSP to the UTC IT Security Team ([email protected]). The team will review your plan, contact you if more information is needed, and notify you once your plan is approved.