II. Developing a Data Protection Plan
1. Restricted Data Protection Plan Criteria
The Contract for Use of Restricted Data from the Health and Retirement Study requires that potential investigators submit a Restricted Data Protection Plan for approval by the HRS staff. This requirement is part of our effort to ensure that our promises of anonymity to our respondents are kept and that no persons other than those authorized by the Contract -- the Restricted Data Investigator, Co-Investigators, and Research Staff -- have access to the contents of the Restricted Data. In drafting your Restricted Data Protection Plan, keep in mind the following definitions:
Restricted Data: Any data from the Health and Retirement Study that might compromise the anonymity or privacy of respondents to that study, or which has been obtained from an agency that required restrictions on the release of the data. Specifically, it includes any data file that, for individuals, families, households, employers, or pension or other benefit providers, contains:
a. geographic identification of areas smaller than Census Division, including, but not limited to, metro area, county, minor civil division, school district, city, place, zipcode, tract, block numbering area, enumeration district, block group, or block; or
b. Social Security Covered Earnings data; or
c. Social Security Retirement, Survivors, and Disability Insurance (RSDI) and Supplemental Security Income (SSI) benefits data; or
d. Occupation or Industry data at greater detail than the Census 2-digit level; or
e. Wage and Self-Employment Income data; or
f. Pension Provider data; or
g. Detailed health care provider or transaction data; or
h. month and year of birth or death of respondents or family members; or
i. any variables or fields derived from the data mentioned in items a.-h. above, including data linked to an HRS dataset using the data mentioned in items a.-h. as linking or matching variables.
Authorized Persons: The Restricted Data Investigator, Co-Investigators, and Research Staff. With the partial exception of system administration personnel noted below, all other persons are unauthorized persons.
2. Required Restricted Data Protection Plan Components
A general description of the computing environment in which you will be managing and analyzing the data. This should include:
- a copy of the order form specifying requested data sets
- your network operating system (if applicable)
- your workstation operating system
- network server access procedures (if applicable)
- workstation access procedures
- encryption software (server/workstation/network)
- anti-virus and anti-spyware software to be employed
- description of how physical access to computing equipment will be controlled
- firewall hardware and intrusion detection system (if applicable)
You should also describe the security model for protection of restricted data on the system(s) you plan to use. This should include a discussion of how your encryption software, anti-virus and anti-spyware software, password protection settings, firewall and physical protection methods will interact to produce a secure environment.
HRS staff members have prepared several documents designed to assist you in creating a data protection plan:
- Technical Guidelines for Protection of HRS Restricted Data
- The Restricted Data Environment: Issues Relating to Network-Connected Clients
Note: Windows XP users may wish to consult Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist (Special Publication 800-68).
Finally, describe the routine procedures for making backup copies of data files on tape or disk. If you will be using a shared file system, such as a Local Area Network (LAN) or a timesharing mainframe, describe the system architecture as a whole, including both servers and your desktop client. You should also provide information on the access rights of system administrators, including password assignment and management of file ownership.
- Hard disk and other electronic or optical fixed storage device access: Provide a description of how you will restrict access to hard disk (or other electromagnetic, optical, or similar fixed storage device) files containing Restricted Data received from HRS. Indicate where the storage devices to be used are physically located and how physical access to them is to be restricted. Your Plan must also indicate how access to the contents of hard disk and similar storage device files containing Restricted Data will be established by encryption and passwords, and through explicit limits on which users have "read" and "write" permission to the relevant files.
If you will not be using hard disk or similar storage devices for Restricted Data (see below), state this in your Plan.
Your Plan must indicate how you will prevent routine system backups of hard disk and similar storage device files containing Restricted Data, regardless of whether such backup copies are on magnetic tape, hard disk, diskettes, or otherwise. You must state in your Plan that no more than one backup copy will be made of any hard disk or similar storage device file containing Restricted Data, and that all such copies (other than the magnetic tape copies covered by item 2, above) will be destroyed (written over or otherwise made unreadable) on or before the date on which your authorized access to the data expires.
If you will be using a shared file system via a Local Area Network (LAN), describe how you will prevent access to files containing restricted data by unauthorized persons, including system administrators. You should also specify how data in transit between client and server will be protected (e.g., VPN protocols, VLAN technology).
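As an added illustration of what the "explicit limits on which users have read and write permission" requirement looks like in practice on a Unix-like workstation or server, the following POSIX shell script audits a directory holding Restricted Data and flags anything reachable by users outside the file owner and the authorized project group. This script is not part of the HRS documentation or of any HRS tool; the directory path, the group name and the sample files it creates are assumptions. It does not verify encryption, which remains a separate control to describe in the Plan.

```shell
#!/bin/sh
# Added example: audit a directory that holds HRS Restricted Data for files or
# directories that are readable or writable beyond the authorized persons.
# Nothing here comes from HRS; directory path and group name are assumptions.
#
# Two checks are made on every object under the directory:
#   1. no permission bit is set for "other" (unauthorized users on the system);
#   2. the owning group is the authorized project group, so that group-level
#      read/write limits actually apply to the people named in the Plan.
# Exit status 0 means no findings; 1 means at least one finding was printed.

audit_restricted_dir() {
    dir="$1"      # directory containing Restricted Data files
    group="$2"    # group whose members are the authorized persons
    report=$(mktemp)

    # Check 1: any "other" bit (r, w or x) exposes the object to everyone.
    find "$dir" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) \
        -exec printf 'FINDING world-accessible: %s\n' {} \; >> "$report"

    # Check 2: objects owned by some other group escape the intended limits.
    find "$dir" ! -group "$group" \
        -exec printf 'FINDING not owned by group %s: %s\n' "$group" {} \; >> "$report"

    cat "$report"
    n=$(wc -l < "$report" | tr -d ' ')
    rm -f "$report"
    echo "$n finding(s) under $dir"
    [ "$n" -eq 0 ]
}

# Self-contained demonstration on a constructed temporary directory: one file
# locked down to the owner, one left with the default world-readable mode.
demo_audit() {
    tmp=$(mktemp -d)
    printf 'constructed sample, not HRS data\n' > "$tmp/restricted_ok.dat"
    printf 'constructed sample, not HRS data\n' > "$tmp/restricted_bad.dat"
    chmod 700 "$tmp"
    chmod 600 "$tmp/restricted_ok.dat"
    chmod 644 "$tmp/restricted_bad.dat"
    audit_restricted_dir "$tmp" "$(id -gn)"   # reports restricted_bad.dat only
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# Run the demonstration only when invoked as: sh audit_restricted.sh demo
[ "${1:-}" = "demo" ] && demo_audit
```

Running the audit from a scheduled job (and keeping its output with the project's records) gives a simple, repeatable way to show that the access limits described in the Plan are still in force after the data has been in use for a while; a non-zero exit status is the signal to investigate before the next analysis run.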
- Compact disk, diskette, magnetic tape, digital audio tape, and other removable media access: Provide a description of how you will restrict access to compact disks, diskettes, and other removable electromagnetic or optical storage media files containing Restricted Data received from the HRS.
The Health and Retirement Study strongly recommends against the use of removable media for storage of Restricted Data, except as a means of shipping data to and from HRS.
If you will not be using removable media storage for Restricted Data, state this in your Plan.
If you will be using removable media storage for Restricted Data, your plan must indicate where the removable media to be used will be physically located and how physical access to them is to be restricted, including provisions for storage in locked cabinets when not in use. Your Plan must also indicate how access to the contents of removable storage device files containing Restricted Data will be established by encryption and password protection.
Some computing systems with centralized handling of removable media (such as magnetic tapes) require the use of keywords or labels (internal and/or external), known only to the owner of the removable medium, to mount the medium. Some computing systems allow the owner to specify which other users can have "read" and "write" access to a medium. Your Restricted Data Protection Plan should indicate what mechanisms of this sort will be used to ensure that only authorized persons will be able to mount and read removable media handled by a central system.
Your Plan should also state that you will make only one backup copy of any tangible removable medium received from the HRS, or any other removable media containing data derived from Restricted Data from the HRS; and how you will prevent routine backups of these media. If you will be using a shared file system, such as a timesharing mainframe or a Local Area Network (LAN), carefully describe how you will prevent routine system backup of files containing Restricted Data.
You must state in your Plan that all such removable media containing Restricted data will either be returned to HRS or be destroyed (written over or otherwise made unreadable) on or before the date on which your authorized access to the data expires.
Please be aware that the phrase "removable media" also refers to USB and Firewire devices.
- Paper printout access: Describe how you will restrict access to paper printouts containing Restricted Data. The Health and Retirement Study very strongly recommends against the creation of any paper printouts containing Restricted Data, and will be very skeptical of any Restricted Data Protection Plan that proposes to use such printouts. If you will not be using such printouts, simply state this in your Plan.
If you will be using paper printouts containing Restricted Data, your Plan must clearly state the uses that will be made of such printout and the reasons why no other media can be used for the same purpose. Your Plan must also specify the means by which you will ensure that such printouts are never handled by unauthorized persons; how they will be kept in locked storage, accessible only to authorized persons, when not in use; how they will be kept from the vision and reach of unauthorized persons when they are in use; and how they will be destroyed (made unreadable, such as through shredding) prior to the beginning of any analysis of data files derived from Restricted Data received from the HRS.
- Treatment of data derived from restricted data: We require a clear statement that you will treat all data derived from restricted data in the same manner as the original restricted data, and that you understand that data derived from restricted data includes, but is not limited to:
a. subsets of cases or variables from the original restricted data;
b. numerical or other transformations of one or more variables from the original restricted data, including sums, means, logarithms, or products of formulas;
c. variables linked to another dataset using variables from an HRS restricted dataset as linkage variables.
(Aggregate statistical summaries of data and analyses, such as tables and regression coefficients, are not "derived variables" in the sense used in the Agreement, and are not subject to the requirements of the Restricted Data Protection Plan and the Agreement as long as cell size limits are observed.)
- Linkages to other datasets: Indicate which other HRS and non-HRS datasets, if any, you intend to link to the HRS restricted data you are requesting, and provide a clear statement that you will not perform linkages to any other datasets. Your statement must include recognition of the following rules:
a. No HRS restricted dataset may be linked to any other HRS restricted dataset without the explicit written permission of HRS;
b. No dataset including geography at a level of detail finer than Census Division (including the HRS Wave I Interview Dataset) may be linked to any restricted data product derived from Social Security administrative records.
3. Technical Guidelines for Protection of HRS Restricted Data
The suggestions listed in this .pdf document are designed to assist potential users of the HRS restricted data in preparing their data protection plans. We realize that individual circumstances will vary and that researchers will have questions requiring more specific guidance. Please contact the HRS Help Desk if you have questions or concerns about using restricted data. Otherwise please continue on to Technical Guidelines for Protection of HRS Restricted Data.
