Skip to main content

Data Security Plan Requirements for FSM Research

The FSM IT Information Security provides guidelines, oversight, and consultation to the research community on Data Security Plans (DSP). The Data Security Plan Requirements for FSM Research Policy establishes the use of DSP for studies collecting personal or health-related information. Below are some frequent questions and topics for individuals new to DSP as part of the study submission to the eIRB+.


Getting Started

 What are the steps for submitting a DSP?

The Principal Investigator (PI) must complete each section of the DSP. The DSP must be documented and signed by the PI and maintained in the official study files. For IRB-approved studies, the documented DSP must be uploaded to the Research Supplemental System (RSS), which is part of the eIRB workflow. Below are the core elements of the DSP: 

  • Identifying primary and secondary Data Custodians.
  • Identifying the type of data that will be collected and maintained during the research.
  • Describing the flow of research data, where the data will be initially collected, and the ongoing collection of additional information about the participant.
  • Describing how the data will be processed, analyzed, and stored.
  • Describing who will access the data.
  • Identifying the backup and recovery plan for the data.
  • Describing the requirements for retaining the information once the project has ended.

 Who is the Data Custodian on research projects, and what are the responsibilities?

The primary data custodian is typically the PI. A secondary individual that can perform as a backup in the absence of the primary data custodian could be a co-primary investigator or research administrator.

The data custodian is responsible for developing and updating the DSP, overseeing compliance with the DSP, and ensuring the data’s ongoing security, which is part of the research effort.

 What is Data Classification and why is it important?

For the purposes of DSP, data classification is the process of categorizing data by sensitivity and criticality used for research studies. Data classification facilitates appropriate security controls, resources, and responses to ensure the ongoing protection of data.

 Who will review the DSP after I submit it to the IRB?

The FSM IT Information Security team reviews DSPs. While a DSP is required as part of your protocol submission to the IRB, the IRB may review and approve your protocol before your DSP is reviewed and formally accepted.

 How long does the DSP review process take?

Each study's workflow is unique and requires a slightly different review effort. Our goal is to review each DSP within a few days of submission, but the time depends on the effort and volume of the DSPs submitted.

 Do I need to submit separate DSPs to account for different data levels or project collaborators, such as internal vs. external?

No, the REDCap DSP form allows you to define as many different data types as you need to describe your complete workflow and all project collaborator effort in a single form.

 Where can I find the link to the DSP?

The link can only be accessed in the eIRB+ system when completing the RSS questions during your protocol submission.

 Where can I find additional resources?

Check out the presentation video and slides for more information.


 How do I upload a DSP?

A link to the DSP will be available for PIs to complete their DSP through a standardized web-based form. A PDF copy of the submission will be available to the PI for uploading into the eIRB+ system.

See our Step-by-step Tutorials on how to upload a DSP for a study.

 How do I check the approval status of my DSP?

The status of your DSP is available through the Compliance tab in Study Tracker.

 If a sponsor uses a Contract Research Organization (CRO), does the CRO need to be added to the DSP?

Yes, any external service provider(s) that may capture, hold, or process University data must be indicated in the DSP.

 Can I upload or attach supplemental information to the DSP?

There is no option to include attachments, but an analyst will follow up with you if additional information is required.

 Where can I apply for an exception to the NMEDW policy?

See NMEDW Exception Form. Additionally, review the policy Research Use of Electronic Medical Record Data for more information.


 My previous DSP was submitted using the Word format. Should I use the REDCap form for updates and modifications?

Beginning July 1, 2022, the REDCap form will be the only acceptable version. Any submission using the Word-based template, HRP-503, or custom-written forms will not be accepted.

 How will I know if additional information for the submitted DSP is needed?

The FSM IT Information Security will email you for any additional clarifying information.

 How do I modify the DSP form?

For modifications to your submitted DSP, please email your modification request to

 Do I need to fill out a new DSP form if there are changes to the study?

No, for any modifications to your submitted DSP, please email your modification request to

 After modifying the DSP, do I need to upload the revised version to the IRB?

The best practice is to upload the most up-to-date DSP version to the IRB.


Please contact for additional support.