
Data Security Plans for Information Used in Clinical Research

FSM IT Information Security provides guidelines, oversight, and consultation to the research community on Data Security Plans (DSP). The Data Security Plans for Information Used in Clinical Research Policy establishes the use of DSP for studies collecting personal or health-related information. Below are some frequently asked questions and topics for individuals new to DSP as part of the study submission to the eIRB+.

 What are the steps for submitting a DSP?

The Principal Investigator (PI) must complete each section of the DSP. The DSP must be documented and signed by the PI and maintained in the official study files. For IRB-approved studies, the documented DSP must be uploaded to the Research Supplemental System (RSS), which is part of the eIRB workflow. Below are the core elements of the DSP: 

  • Identifying primary and secondary Data Custodians.
  • Identifying the type of data that will be collected and maintained during the research.
  • Describing the flow of research data, where the data will be initially collected, and the ongoing collection of additional information about the participant.
  • Describing how the data will be processed, analyzed, and stored.
  • Describing who will access the data.
  • Identifying the backup and recovery plan for the data.
  • Describing the requirements for retaining the information once the project has ended.

 Who is the Data Custodian on research projects, and what are the responsibilities?

The primary data custodian is typically the PI. A secondary data custodian, who can act as a backup in the absence of the primary data custodian, could be a co-primary investigator or research administrator.

The data custodian is responsible for developing and updating the DSP, overseeing compliance with the DSP, and ensuring the data’s ongoing security, which is part of the research effort.

 What is Data Classification and why is it important?

For the purposes of DSP, data classification is the process of tagging data used for clinical research studies by sensitivity and criticality. Data classification facilitates appropriate security controls, resources, and responses to ensure the ongoing protection of data.

 How do I upload a DSP?

A link to the DSP will be available for PIs to complete their DSP through a standardized web-based form. A PDF copy of the submission will be available to the PI for uploading into the eIRB+ system.

See our Step-by-step Tutorials on how to upload a DSP for a study.

 How do I check the approval status of my DSP?

The status of your DSP is available through the Compliance tab in Study Tracker.

 How will I know if additional information is needed for my submitted DSP?

FSM IT Information Security will email you if any additional clarifying information is needed.

 My previous DSP was submitted using the Word format. Should I use the REDCap form for updates and modifications?

Beginning July 1, 2022, the Word format of the DSP will no longer be accepted. DSP submissions must be completed in REDCap.

 If a clinical trial sponsor uses a Contract Research Organization (CRO), does the CRO need to be added to the DSP?

Yes, any external service provider(s) that may capture, hold, or process University data must be indicated in the DSP. 

Questions?

Please contact fsmit-policy@northwestern.edu for additional support.