Data Security Plan Requirements for FSM Research

The Principal Investigator (PI) must complete each section of the DSP. The DSP must be documented and signed by the PI and maintained in the official study files. For IRB-approved studies, the documented DSP must be uploaded to the Research Supplemental System (RSS), which is part of the eIRB workflow. Below are the core elements of the DSP: 

• Identifying primary and secondary Data Custodians.
• Identifying the type of data that will be collected and maintained during the research.
• Describing the flow of research data, where the data will be initially collected, and the ongoing collection of additional information about the participant.
• Describing how the data will be processed, analyzed, and stored.
• Describing who will access the data.
• Identifying the backup and recovery plan for the data.
• Describing the requirements for retaining the information once the project has ended.

The primary data custodian is typically the PI. A secondary individual that can perform as a backup in the absence of the primary data custodian could be a co-primary investigator or research administrator.

The data custodian is responsible for developing and updating the DSP, overseeing compliance with the DSP, and ensuring the data’s ongoing security, which is part of the research effort.

For the purposes of DSP, data classification is the process of categorizing data by sensitivity and criticality used for research studies. Data classification facilitates appropriate security controls, resources, and responses to ensure the ongoing protection of data.

The FSM IT Information Security team reviews DSPs. While a DSP is required as part of your protocol submission to the IRB, the IRB may review and approve your protocol before your DSP is reviewed and formally accepted.

Each study's workflow is unique and requires a slightly different review effort. Our goal is to review each DSP within a few days of submission, but the time depends on the effort and volume of the DSPs submitted.

No, the REDCap DSP form allows you to define as many different data types as you need to describe your complete workflow and all project collaborator effort in a single form.

The link can only be accessed in the eIRB+ system when completing the RSS questions during your protocol submission.

Check out the presentation video and slides for more information.

A link to the DSP will be available for PIs to complete their DSP through a standardized web-based form. A PDF copy of the submission will be available to the PI for uploading into the eIRB+ system.

See our Step-by-step Tutorials on how to upload a DSP for a study.

There is no option to include attachments, but an analyst will follow up with you if additional information is required.

See NMEDW Exception Form. Additionally, review the policy Research Use of Electronic Medical Record Data for more information.

Beginning July 1, 2022, the REDCap form will be the only acceptable version. Any submission using the Word-based template, HRP-503, or custom-written forms will not be accepted.

The FSM IT Information Security will email you for any additional clarifying information.

For modifications to your submitted DSP, please email your modification request to fsmit-policy@northwestern.edu.

No, for any modifications to your submitted DSP, please email your modification request to fsmit-policy@northwestern.edu.

The best practice is to upload the most up-to-date DSP version to the IRB.