Requirement 14 Every individual with access to surveillance data must attend security training annually. The date of training must be documented in the employee's personnel file. IT staff and contractors who require access to data must undergo the same training as surveillance staff and sign the same agreements. This requirement applies to any staff with access to servers, workstations, backup devices, etc. (GP-3)
Security training is required for all new staff and must be repeated annually thereafter, but the nature of this training may vary based on local circumstances. For example, in areas of low HIV prevalence where one surveillance person is on staff, if that person leaves before training a replacement, the policy should indicate that training for data security and confidentiality may be obtained in a neighboring state. In other areas, new staff may be trained by the surveillance coordinator one-on-one. In this instance, the policy should document what types of information must be covered in such a session, and provisions should be made to document that training was completed. In areas of high HIV prevalence with larger numbers of staff, periodic group training sessions may be more appropriate.
|