Data Security Plans for Information Used in Clinical Research
The FSM IT Information Security provides guidelines, oversight, and consultation to the research community on Data Security Plans (DSP). The Data Security Plans for Information Used in Clinical Research Policy establishes the use of DSP for studies collecting personal or health-related information. Below are some frequent questions and topics for individuals new to DSP as part of the study submission to the eIRB+.
The Principal Investigator (PI) must complete each section of the DSP. The DSP must be documented and signed by the PI and maintained in the official study files. For IRB-approved studies, the documented DSP must be uploaded to the Research Supplemental System (RSS), which is part of the eIRB workflow. Below are the core elements of the DSP:
- Identifying primary and secondary Data Custodians.
- Identifying the type of data that will be collected and maintained during the research.
- Describing the flow of research data, where the data will be initially collected, and the ongoing collection of additional information about the participant.
- Describing how the data will be processed, analyzed, and stored.
- Describing who will access the data.
- Identifying the backup and recovery plan for the data.
- Describing the requirements for retaining the information once the project has ended.
The primary data custodian is typically the PI. A secondary individual that can perform as a backup in the absence of the primary data custodian could be a co-primary investigator or research administrator.
The data custodian is responsible for developing and updating the DSP, overseeing compliance with the DSP, and ensuring the data’s ongoing security, which is part of the research effort.
For the purposes of DSP, data classification is the process of tagging data by sensitivity and criticality used for clinical research studies. Data classification facilitates appropriate security controls, resources, and responses to ensure the ongoing protection of data.
The FSM IT Information Security team reviews DSPs. While a DSP is required as part of your protocol submission to the IRB, the IRB may review and approve your protocol before your DSP is reviewed and formally accepted.
Each study's workflow is unique and requires a slightly different review effort. Our goal is to review each DSP within a few days of submission, but the time depends on the effort and volume of the DSPs submitted.
Do I need to submit separate DSPs to account for different data levels or project collaborators, such as internal vs. external?
No, the REDCap DSP form allows you to define as many different data types as you need to describe your complete workflow and all project collaborator effort in a single form.
The link can only be accessed in the eIRB+ system when completing the RSS questions during your protocol submission.
A link to the DSP will be available for PIs to complete their DSP through a standardized web-based form. A PDF copy of the submission will be available to the PI for uploading into the eIRB+ system.
See our Step-by-step Tutorials on how to upload a DSP for a study.
If a clinical trial sponsor uses a Contract Research Organization (CRO), does the CRO need to be added to the DSP?
There is no option to include attachments, but an analyst will follow up with you if additional information is required.
My previous DSP was submitted using the Word format. Should I use the REDCap form for updates and modifications?
Beginning July 1, 2022, the Word format of the DSP will no longer be accepted. DSP submissions must be completed in REDCap.
The FSM IT Information Security will email you for any additional clarifying information.
For modifications to your submitted DSP, please email your modification request to email@example.com.
No, for any modifications to your submitted DSP, please email your modification request to firstname.lastname@example.org.
The best practice is to upload the most up-to-date DSP version to the IRB.
Please contact email@example.com for additional support.