Creating Your HRS Data Protection Plan | Health and Retirement Study

Overview

Your Data Protection Plan (DPP) should provide a general description of the computing environment in which you will manage and analyze the data. This overview provides guidance on how to ensure data security. Please be sure to address each recommended action in your DPP.

If you are requesting HRS-CMS linked data, you will access the data through the MedRIC Health & Aging Data (HaAD) Enclave, and do not need a Data Protection Plan.

Computing Environment

First, begin by describing the environment as either Standalone Workstations or Networked Workstations.

Standalone Workstations

Standalone workstations must be air gapped, meaning that there are no wired or wireless network connections of any kind, and stored in a secured workspace. Login access must be restricted to HRS approved users.

If you will use standalone workstations with HRS restricted data, state this in your Data Protection Plan. Include a Traditional License Restricted Data Security Plan Checklist for each workstation. This option is preferred by HRS.

If software updates to the workstations are to be performed, please describe how in your Data Protection Plan. Not updating a standalone workstation is acceptable.

Networked Workstations

If you will be using networked workstations and servers with HRS restricted data, the computing environment must meet or exceed NIST 800-171 standards. Include a clear statement attesting this in your Data Protection Plan.

Also be sure to address the following:

Brief description of the system architecture as a whole, including:
- Name and purpose of the computing system
- How client machines are connecting to servers
- How the system fits into the rest of the IT infrastructure
Description of procedures that will be used to prevent access by unauthorized persons to files containing HRS restricted data, including:
- How permissions are assigned and managed
- Description of password policy/practices
Specify how client connects securely to server (i.e., VPN, secure RDP portal, VLANs).
Description of procedures for exclusion of HRS restricted data from backups.
Include a completed HRS-RDA User Tracking Spreadsheet.

Data Security

Next, describe each of the following aspects of data security:

Workstation Storage

Provide a description of how you will protect your workstations from unauthorized physical and electronic access. Include how your encryption software, anti-virus and anti-spyware software, password protection settings, firewall and physical protection methods will help produce a secure data environment. Describe how the operating system will be configured to limit access to HRS restricted data local storage e.g., read/write permission settings, authentication protocols, and folder or whole-disk encryption.

Storage of Removable Media Items sent by HRS

The removable media sent to you by HRS containing restricted data must be kept in locked storage that is accessible only to authorized persons when not in use. Indicate this in your DPP. HRS strongly recommends against the use of removable media for storage of restricted rata, with the exception of one copy for back-up (see below).

Backups

For archiving, you may make one removable backup copy of HRS restricted data. If you intend to create such archival backups, your DPP should state that you will make only one backup copy of each item received from HRS. Backup archival copies should be stored in the same secure fashion as originals sent to you by HRS. No cloud-based back-up is allowed.

Treatment of data derived from restricted data

We require a clear statement that you will treat all data derived from restricted data in the same manner as the original restricted data, and that you understand that data derived from restricted data includes, but is not limited to:

Subsets of cases or variables from the original restricted data;
Numerical or other transformations of one or more variables from the original restricted data, including sums, means, logarithms, or products of formulas;
Variables linked to another dataset using variables from an HRS restricted dataset as linkage variables.

Aggregate statistical summaries of data and analyses, such as tables and regression coefficients, are not considered derived variables and are not subject to the requirements of the DPP and the Agreement as long as cell size limits (n>=5) are observed.

For additional guidance on reporting analysis results of HRS restricted data, please review Maintaining Respondent Privacy and Anonymity: Guidelines for HRS Restricted Data Users on this Web site.

Paper Printouts

If you will not use paper printouts, state this in your DPP and disregard the rest of this sub-section.

If you will use paper printouts containing restricted data, your DPP must clearly state the uses that will be made of such printouts and the reason(s) why no other media can be used for the same purpose. Your DPP must also specify the means by which you will ensure that such printouts cannot be accessed by unauthorized persons (e.g., kept in locked storage that is accessible only to authorized persons when not in use); how they will be shielded from the vision and reach of unauthorized persons when they are in use; and how they will be destroyed (made unreadable, e.g., through shredding) prior to the termination of the restricted data agreement.

Linkages to other datasets

State which other HRS and non-HRS datasets, if any, you intend to link to the HRS restricted data you are requesting, and a clear statement that you will not perform linkages to any other datasets. Your statement must include recognition of the following rules:

No HRS restricted dataset may be linked to any other HRS restricted dataset without the explicit written permission of HRS;

No dataset including geography at a level of detail finer than Census Division (including the HRS Wave I Interview Dataset) may be linked to any restricted data product derived from Social Security administrative records. These linkages may ONLY be conducted in the MiCDA VDI environment following explicit written permission from the HRS Director.

Return or Destroy at Termination

At the termination of your agreement, on or before the date on which your authorized access to the data expires, all distribution, work-space, and archival backup copies of HRS restricted data must either be returned to HRS or destroyed. If you choose to destroy the data, you must provide a signed and witnessed statement confirming the destruction of the restricted files and the methods of destruction.