Instructions for Preparing the Data Protection Plan
Purpose of the Data Protection Plan: The Data Protection Plan becomes part of the signed agreement between ICPSR and the Restricted Data Investigator(s). If the agreement is executed, all members of the research team with access to the data are contractually obligated to follow all aspects of the Data Protection Plan. The fundamental goal of the protections outlined in this plan is to prevent persons who are not signatories to the Restricted Data Use Agreement or the Supplemental Agreement With Research Staff from gaining access to the data. The agreement will not be executed if the plan is not written with sufficient specificity, or if data protections are not deemed adequate by ICPSR.
What should be covered by the plan: The Data Protection Plan applies to both the raw data file received from ICPSR as well as any copies made by the research team, and any new data derived solely or in part from the raw data file. The plan also should address how computer output derived from the data will be kept secure. This applies to all computer output, not only direct data listings of the file.
Components of the plan: Your Data Protection Plan should contain the following components:
- Make reference to Title of Research Project and Principal Investigators.
- List and describe all locations where copies of the data will be kept.
- Describe the computing environment in which the data will be used:
- Computing platform (PC, workstation, mainframe platform)
- Number of computers on which data will be stored or analyzed
- Whether personal computers used in the research project will be attached to a network or will operate independently (stand-alone)
- Physical environment in which computer is kept (e.g., in room with public access, in room locked when not in use by research staff)
4. List and describe how data will be stored: (e.g., on PC hard drive, on removable storage media such as CD, diskettes, or Zip(R) drive.)5. Describe methods of data storage when data are not being used.
6. Describe methods of transmitting the data between research team members (if applicable).
7. Describe methods of storage of computer output (in electronic form as well as on paper).
Types of protection expected: Although there are alternative ways to assure security for the data and applicants should prepare their plans in a manner that best meets their needs, some or all of the following features are typically found in successful data protection plans:
- Password protection for all files containing data (note that password protection is not regarded as sufficient protection by itself)
- Removable storage media holding the data (e.g., CDs, diskettes, zip disks, etc.) kept in a locked compartment/room when not in use
- Printouts derived from data analysis stored in a locked compartment/room when not in use
- No storage of the data any network, including LANs, Internet enabled, etc.
- No transmittal of data or analysis output derived from the data via e-mail, e-mail attachments, or FTP (either over the Internet, an Intranet system, or within a local area network)
- Use of the data on a dedicated computer kept in a secure room and not connected to a network
- No backup copies of the data to be made
- Data stored in strongly encrypted form
Original Source: http://www.icpsr.umich.edu/icpsrweb/ICPSR/access/restricted/plan.jsp