Sensitive Data Retention and Destruction Policy

Similar documents
Minor/technical revision ofexisting policy Major revision ofexisting policy Reaffirmation of existing policy

DePaul University Records Management Manual October 1, 2016

ediscovery at the University of Michigan

Scope Policy Statement Reason For Policy Procedure Definitions Sanctions Additional Contacts History. Scope. University Policies.

Approved by Board: 22/06/2016. Records Management Policy

HSCIC Audit of Data Sharing Activities:

Medical University of South Carolina University Records Center User Guide

Collaboration with Business Associates on Compliance

Information Technology Policy and Procedure Manual

Asset Tracking Solutions. Partial Controls and Features

Service Level Agreement - REDCap University of Alabama at Birmingham Department of Medicine

Section II: Schedule of Requirements

Information is important to the operation of a company. A system. Records Management. C h a p t e r Introduction to Records Management

University College Cork National University of Ireland, Cork Records Management Policy Version 1.0

IBM Tealeaf Customer Experience on Cloud

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

KWANLIN DÜN FIRST NATION. Records Management Policy

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Records Management Plan

All equipment and instruments will be ordered by the Special Agent In Charge.

Global Supplier Code of Business Conduct & Ethics

Outside Employment. such non-cash economic benefit shall not have a present value significantly in excess of POLICY NUMBER: -'S=L=C=C--'-'H=R-=-5=-0=8

BUSINESS PRACTICE BULLETIN The School Board of Broward County, Florida

IBM Tealeaf Customer Experience on Cloud

Project Procedure 1.0 PURPOSE 2.0 SCOPE 3.0 REFERENCES. No.: P /21/2012 PAGE 1 OF 12 PROJECT RECORDS MANAGEMENT

Ideal Instrument Company, Inc.

Property Classification, Accountability, and Responsibility

DIOMED DEVELOPMENTS LIMITED DATA PRIVACY NOTICE FOR APPLICANTS

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

Policies and Procedures Date: January 22, 2015

B. Consequences for Accessing E-Verify Without Authorization. C. Conditions for Use of E-Verify by Authorized Users

LOYOLA MARYMOUNT UNIVERSITY POLICIES AND PROCEDURES

Study Files and Filing

Purchase Card Program

Brasenose College Data Protection Policy Statement v1.2

REQUEST FOR PROPOSAL INFORMATION TECHNOLOGY SUPPORT SERVICES

Information Technology Services Procedures

X.XX Wireless Communication Devices (Cell Phones) I. POLICY STATEMENT II. RATIONALE III. SCOPE IV. WEBSITE ADDRESS FOR THIS POLICY

Conflicts of Interest and Conflicts of Commitment Policy and Approval Guidelines

IBM Tealeaf Customer Experience on Cloud

Institutional Biosafety Committee

PROCEDURE (Essex) / Linked SOP (Kent) Asbestos Management. Number: U 1005 Date Published: 22 July 2015

Business Practice for Personal Computer Inventory

Salt Lake Community College Policies and Procedures

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2015

SOP SF SOP for Controlled Document Management

IBM Emptoris Contract Management on Cloud

Secure Document Storage and Management Services

Control Self Assessment Questionnaire

University of Louisiana System

PA TURNPIKE COMMISSION POLICY

NHS Digital Audit of Data Sharing Activities: Derby Teaching Hospitals NHS Foundation Trust - Renal Department

QUALITY MANUAL DISTRIBUTION. Your Logo Here. Page 1 1 of 57. Rev.: A

LOUISIANA COMMUNITY & TECHNICAL COLLEGE SYSTEM Policy No

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 04/29/2016

LOUISIANA COMMUNITY & TECHNICAL COLLEGE SYSTEM Policy No

Information Policy of the Minnesota Historical Society

Schedule UNIVERSITY OF NEBRASKA BOARD OF REGENTS

GOODWILL INDUSTRIES OF COLORADO SPRINGS

Oilfield Service Co.

Audits must be conducted with due concern for employee safety and environmental protection.

Newspaper Association of America

protect data! Important facts about the new GDPR Guideline for the safe shredding of paper documents containing personalised data.

OP-H-7 University Cellular Communication Services Allowance Policy

Standard Operating Policy & Procedure

Getting to know Zendesk Business Associate Agreements

State of Florida Department of Health Request for Information RFI Integrated Florida Environmental Health Information System

IDEA Part B, IDEA Preschool, and ECEA Fiscal Responsibilities

BOWIE STATE UNIVERSITY ASSET MANAGEMENT POLICY & PROCEDURES MANUAL

University Internal Audit

LOUGHBOROUGH UNIVERSITY RESEARCH OFFICE STANDARD OPERATING PROCEDURE. Loughborough University (LU) Research Office

Risk Mitigation in a Core Banking Conversion

Quality Manual. Specification No.: Q Revision 07 Page 1 of 14

Standard Statement and Purpose

1.1 IDENTIFYING INFORMATION REQUIRING CAPTURE

TEXAS DEPARTMENT OF TRANSPORTATION GENERAL SERVICES DIVISION REMOVAL OF RECYCLABLE MATERIALS SCRAP PAPER, ALUMINUM CANS, AND PLASTIC BOTTLES

INFORMATION TECHNOLOGY Administrative Policies and Procedures Last Updated 2/7/2013

UNIVERSITY STANDARD. Title UNIVERSITY OF NORTH CAROLINA AT CHAPEL HILL STANDARD ON ENTERPRISE DATA GOVERNANCE. Introduction

BUSINESS POLICIES AND PROCEDURES MANUAL Revised 7-18 Property Inventory

End of Study Notification, Close-Out and Reporting Sponsored Research. Noclor/Spon/S11/01. SOP Reference ID:

Percival Aviation Limited 15 Barnes Wallis Road, Segensworth, Hampshire, PO15 5TT, UK Tel: + 44 (0)

University of New Mexico Health Sciences Center Office of Research Policy for the Oversight of Human Tissue in Research

1.) Does the $100,000 figure reflect the first year through June 2013 or the complete term of the contract through June 2014?

Girl Scouts of Central Texas Delegation of Authority Policy Reviewed and approved by GSCTX Finance Committee: March 21, 2017

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

Institutional Biosafety Committee (IBC) Charter

SOFTWARE LICENSING POLICY

Request for Proposal. Request for Proposal for IT Services RFP Number: CRDF-IT0418 Date of Issue: May 8, 2018 Closing: May 25, 2018

Supplier Security Directives

MOBILE COMMUNICATIONS AND HOME COMPUTING POLICY

Records & Information Management More Than Just Retention

Oklahoma State University Policy and Procedures

GOVERNMENT OF ONTARIO COMMON RECORDS SERIES POLICY AND PLANNING FUNCTIONS. November 17, 2008

Brumund Foundry Inc.

Oracle Customer Service and Support Cloud Services Descriptions and Metrics October, 2017

Railroad Commission of Texas Mentor Protégé Program

Alameda Countywide. Care Council. Manual

Human Resources Policy Title: Form I-9 (Employment Eligibility) Policy Effective: June 1, 2017

Transcription:

Sensitive Data Retention and Destruction Policy Institutional Policy Title: Sensitive Data Retention and Destruction Policy Responsible Officer: Director, Research Informatics Effective Date: Revised Date: 3/6/2014 Supersedes: New Policy Approved By: Table of Contents 1 Purpose... 2 2 Scope... 2 3 Definitions... 2 4 Policy Statement... 2 5 Procedures... 2 5.1 Data Use Agreement Tracking... 2 5.1.1 Notification Process... 3 5.2 Project Closeout... 3 5.3 Storage Facilities... 3 5.3.1 Physical Content... 3 5.3.2 Electronic Content... 4 5.3.3 Long Term Storage Tracking... 4 5.4 Destruction Process... 4 5.5 Permanent Retention... 5 6 Related Policies... 5 7 Reference Materials... 5 8 Appendix... 5 9 Document Properties... 5 Sensitive Data Retention and Destruction Policy 1/6

1 Purpose The purpose of this policy is to protect the privacy of sensitive data collected from and about research participants. The aim is to be in compliance with good data practice and all applicable Federal and State laws on protecting data security. This policy provides deference to HSL corporate data retention policy, but establishes guidance for data handling with regards to data use and data sharing agreements, which may conflict with existing HSL policy. 2 Scope This policy applies to all faculty and staff of Hebrew SeniorLife Institute for Aging Research (HSL/IFAR) working on research projects involving sensitive data (SD) and/or projects with explicit data use or data sharing agreements. 3 Definitions Term: Sensitive Data Any data which contains Social Security Numbers or other personal identification numbers, confidential personal or financial information, protected health information, student educational records, proprietary customer data or information that is otherwise deemed to be protected by HSL corporate policy, state, federal, or international laws, statutes, or regulations or explicitly identified in a contract. 4 Policy Statement Sensitive data are to be destroyed by the date specified by corporate rules unless otherwise stipulated in the Data Use Agreement (DUA), Data Sharing Agreement (DSA), Contract or Grant Guidelines (federal and non-federal). 5 Procedures Data obtained via a DUA or DSA must be destroyed upon the date or point in time specified in those agreements. If not otherwise governed by a DUA/DSA or another type of contractual agreement, investigators and staff should follow the HSL IRB data retention policies and HSL IT policies for appropriate destruction dates and methods. The project principal investigator is responsible for directing and certifying data destruction and completing any required forms (e.g., CMS Certificate of Data Destruction). 5.1 Data Use Agreement Tracking IFAR administration, which includes the Informatics Core, will assist investigators in tracking destruction deadlines by maintaining a database of data use and sharing agreements. It is the Sensitive Data Retention and Destruction Policy 2/6

responsibility of the principal investigator to provide the Director of Research Informatics with relevant information (e.g. project title, IRB number, deadline date, etc.) to assist the Institution in tracking projects maintained in this database. 5.1.1 Notification Process The Director of Research Informatics will query the tracking database monthly for projects with expiring DUAs/DSAs or approaching the "destroy by" date for paper and electronic data files. The Director will inform investigators 90 days before destroy by dates to confirm and facilitate data destruction, or if an application to extend a DUA/DSA is required. 5.2 Project Closeout All investigators and project directors should develop and execute project closeout activities. This process should be executed at the end of primary data analysis and before IRB authorization expires. Closeout activities might include creating de-identified data sets and clear result set documentation as well as aggregating study communications, meeting minutes, casebooks and other related materials. These artifacts should be stored in preapproved locations on the HSL corporate network for electronic content or in designated long term storage facilities for paper-based materials. Content containing sensitive data or data related to a DUA, DSA, Grant or Contract should be clearly marked or organized in a way to facilitate permanent data destruction. 5.3 Storage Facilities 5.3.1 Physical Content IFAR maintains three physical locations for storing project content. The use of these locations must be preapproved by Vice President of Research Administration. Name 6 th Floor Roslindale Patio Roslindale (gated) B2 Roslindale (gated) Container Access Restrictions Type Cabinet Requires IFAR floor access, Keys controlled by project director or her designee Storage Box Requires preapproval from Director of Research Informatics Keys are maintained by HSL security Storage Box Requires preapproval from Director of Research Informatics Keys are maintained by HSL security Storage Type Active Projects Long Term Long Term Projects may also employ third party long term storage facilities (e.g. Iron Mountain) at their own expense. Approval from the VP of Research Administration and Director of Research Informatics must be obtained prior to engaging in a contract or transmitting content to this Sensitive Data Retention and Destruction Policy 3/6

third party. Certification of all materials stored must be obtained and retained by the Informatics group. Projects using long term storage must be registered with Informatics Core and incorporated into its database. See description below. All paper content must be stored in appropriate, sturdy containers preapproved by administration. Clear labels must be applied to assist staff in recovery and destruction. 5.3.2 Electronic Content IFAR maintains a dedicated project archive network file share for permanent storage of electronic content. Project teams are encouraged to organize and store sensitive data and accompanying materials in this location. Access to the IFAR project archives is strictly prohibited and requires preapproval with the Director of Research Informatics and assistance from the HSL IT Department. 5.3.3 Long Term Storage Tracking The Informatics Core maintains a database of all projects using long term on-site physical storage. The database contains a list of all projects, investigator and administrative contact information, destroy dates and grant information. Furthermore, each project asset (i.e. storage box) is tracked with a label and minor details. Access to this database is controlled by the Director of Research Informatics. 5.4 Destruction Process The investigator is responsible for organizing or directing his/her staff to destroy paper and electronic (source and derivative) data files on the deadline date where there is no pending amendment or exception to a DUA. The Director of Research Informatics will provide assistance or additional resources to execute relevant tasks. The following resources may be destroyed in this process. Electronic data files located on any active or archived network file share locations. These include Windows file shares, document management systems (e.g. SharePoint), or distributed file systems (e.g. Dropbox, Accellion, etc). Electronic data sets stored in database systems (e.g. Microsoft SQL Server, MySQL) or dedicated analytical systems (e.g. SAS server, Hadoop, etc.). Paper records stored on site in IFAR long term storage (e.g. Patio) or off site commercial storage (e.g. Iron Mountain). All electronic equipment (e.g. hard drives) must be turned over to IT for destruction (see below). The investigator is responsible for certifying, with assistance and documentation from third parties (e.g. IT, off-site storage, etc.), that all sensitive data have been destroyed properly. 5.4.1 Electronic Equipment The investigator or her designee is responsible for turning over all electronic equipment to IT for destruction. The IT department uses a certified data destruction company that adheres to HIPAA policies on data and equipment destruction. Sensitive Data Retention and Destruction Policy 4/6

Equipment no longer in use should relinquished to IT as soon as possible The investigator must schedule equipment pickup or drop off through the help desk system o Server equipment destruction is handled by IT Operations staff o Mobile (tablets, laptops, etc.) and desktop equipment is handled by Help Desk staff The IT department schedules equipment destruction biannually or on an as needed basis o Equipment queued for destruction is stored in a secured, locked room with card control access All equipment (servers, workstations, etc.) is bar-coded by IT staff prior to deployment o Barcodes are referenced at end-of-life and cross referenced before destruction All storage components (i.e. hard drives, integrated devices) are shredded on site by vendor o A master list of devices destroyed (receipt) is provided and cross-referenced 5.5 Permanent Retention Once a project is complete, investigators may not maintain project files that contain identifiable research data, including statistical package scripts, project documentation, grant applications, etc. Investigators may retain de-identified data sets with no mechanism or scheme that may re-identify research participants. 6 Related Policies The document author(s) have attempted to identify policies that may be applicable or related to this policy. This is not an exhaustive list. All HSL employees are expected to abide by all active policies of the organization at all times. As such, employees are encouraged to review any and all potentially applicable policies regardless of whether they are identified below. HSL reserves the right to modify, cancel, or enact new policies at anytime, without notice. HSL Policy: Record Management, Retention, Disposition and Destruction Guidelines HSL IRB Policies and Procedures (Section 3 Investigator and Research Personnel Requirements, and Section 14 Record Management) 7 Reference Materials NA 8 Appendix NA 9 Document Properties Title: Sensitive Data Retention and Destruction Policy Sensitive Data Retention and Destruction Policy 5/6

Author: Version: File Name: Jason Rightmyer Sensitive Data Retention Policy.docx Sensitive Data Retention and Destruction Policy 6/6

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback