Murphy’s Law If anything can go wrong, it will.

Upload: elisabeth-rose-sutton

Post on 31-Dec-2015


Page 1: Murphy’s Law If anything can go wrong, it will.. 2 Data Security and Confidentiality “… a firm belief in Murphy’s Law and in the necessity to try and

Murphy’s Law

If anything can go wrong, it will.


Data Security and Confidentiality

“… a firm belief in Murphy’s Law and in the necessity to try and circumvent it.”


What is VA Sensitive Information?

VA sensitive information is defined in VA Directive 6504 as all Department data, on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information.


What is Sensitive VA Research Information?

Sensitive VA research data consist of information that has been collected for, used in or derived from the conduct of VA research that fits the definition of VA sensitive information.

Always err on the side of caution. Unless you are certain that specific research data are NOT sensitive, you should treat them as if they ARE.


How Can You Protect VA Research Data?

Three-legged stool

1. Technical safeguards (e.g., passwords, encryption, antivirus protection)

2. Physical safeguards (e.g., locking up portable media)

3. Good work practices (e.g., knowing all the requirements, using common sense)


Best Practices to Help Ensure Security

• Whenever possible, store VA research data on network drives with restricted access, not on your desktop computer

• Keep data in one file location for ease in making backups

• Better yet, simply back up all your VA research data in one location on a VA server


File Sharing

• Must not be on a device that you use for remote computing

• Only through authorized VA servers


Data Storage and Security Outside the VA

• Only on specifically designated systems and approved in advance

• Only where the non-VA systems or devices conform to, or exceed, applicable VA requirements


Non-VA System Requirements

• Must meet all requirements set forth in the Federal Information Security Act (FISMA)

• Includes Federal Information Processing Standards (FIPS) 140-2 certification of all hardware/software

• Contact your local Information Security Officer (ISO) for guidance on how to obtain verification of this requirement


Principal Investigator Responsibilities

• Storage provisions

• Security measures

• Transportation or transmission methods

• Provisions for controlling access to the data

• Plans for how long identifiable information or linkages will be kept

• Provisions for disposition of the data at the end of the study


Certifying Each Protocol

For all new research protocols, the principal investigator (PI) must certify that:

• Use, storage and security of all information collected for, derived from, or used during the conduct of the research will be in compliance with all VA and VHA requirements.

This will require that the PI complete two forms:

• Data Security Checklist

• Principal Investigator’s Certification: Storage & Security of VA Research


De-identified Data

• Must meet both HIPAA and Common Rule requirements

• Remove all 18 HIPAA identifiers

• Removal of all information that alone or in combination could reveal identity of the individual


Submit questions through your local research office to

[email protected]