Data Security

Purpose

To ensure protection of sensitive data, especially personally identifiable information, with encryption.

Procedure

According to the Federal Information Security Management Act (FISMA; page 48), all information systems, electronic or hard copy, that contain federal data need protection from unauthorized access.

This also applies to all information associated with NIH grants and contracts.

Contractors and Grantees

• FISMA applies to your data only when you collect, store, process, transmit, or use information on behalf of any HHS organization.
  • FISMA applies only when the government owns the data.
  • FISMA does not apply to most grantees except for cooperative agreements where data is transferred directly to the government.
• Even if FISMA does not apply, you are responsible for protecting sensitive and confidential data and preventing disclosure, release, or loss of sensitive personal information.
• If you provide collected sensitive information to NIAID as a condition of your award, responsibility for the protection of the copy transfers to NIAID.

For questions about whether your data falls under FISMA, contact Sally Rockey, Office of Extramural Research, at rockeysa@od.nih.gov or 301-496-1096.

Peer Reviewers

• You'll need to use a password to access compact disc data, such as grant application information, previous summary statements, appendices, and additional materials from the grant folder. See Accessing a Password-Protected CD: Instructions for Reviewers and Accessing a Password-Protected CD: Instructions for Reviewers (with screenshots).
• Notify your scientific review officer ASAP if you lose a CD or any other application information.

Scientific Review Officers

• Emphasize to peer reviewers the importance of immediately reporting the loss of CDs or other application information.
• If you learn of any loss of data, immediately contact Sally Amero, OER's Review Policy Officer, at ameros@nih.gov or 301-435-1418. Provide the following details:
  • Study section designation, name, and meeting dates.
  • Your contact information. OER will work primarily with you to resolve the situation.
  • Format of material (CD or paper; password protected or not).
  • Circumstances by which the data was lost.

NIAID Staff

• Laptop computers must be encrypted with an approved encryption software package.
• Portable media such as flash drives must be encrypted if they contain sensitive government data, including personally identifiable information. For acceptable USB drives, see FIPS Certified USB Drives.
• All BlackBerry wireless handheld devices must be configured with an access password and other security features provided by the NIH BlackBerry Enterprise Server.
• Macintosh laptop computers cannot store sensitive information, including personally identifiable information, due to the lack of National Institute of Standards and Technology-approved encryption software. You can use Mac laptops for sensitive data analysis if you use an encrypted removable device.
• Peer review staff must password protect compact discs with review materials.

Note: If you lose an NIH-issued laptop or Blackberry, or you suspect loss of personally identifiable information, inform the NIH Helpdesk within one hour.

Contacts

NIH Helpdesk, helpdesk@nih.gov, 301-496-4357

Sally Rockey, rockeysa@od.nih.gov, 301-496-1096

Sally Amero, ameros@od.nih.gov, 301-435-1418

If you have knowledge to share or want more information on this topic, email deaweb@niaid.nih.gov with this link and your message. Thanks for helping us clarify and expand our knowledge base.

Links

A Statement from the NIH Director, Elias A. Zerhouni, M.D., on Encryption and Data Security

Applicability of the Federal Information Security Management Act to NIH Grantees

Guide for Identifying Sensitive Information

NIH Renews Focus on Protecting Sensitive Data and Information Used in Research

Responding to Loss of Sensitive Data and Other Information in NIH Grant Applications