II. Developing a Data Protection Plan
1. Restricted Data Protection Plan Criteria
The Contract for Use of Restricted Data from the Health and Retirement Study requires that potential investigators submit a Restricted Data Protection Plan for approval by the HRS staff. This requirement is part of our effort to ensure that our promises of anonymity to our respondents are kept and that no persons other than those authorized by the Contract -- the Restricted Data Investigator, Co-Investigators, and Research Staff -- have access to the contents of the Restricted Data. In drafting your Restricted Data Protection Plan, keep in mind the following definitions:
Restricted Data: Any data from the Health and Retirement Study that might compromise the anonymity or privacy of respondents to that study, or which has been obtained from an agency that requires restrictions on the release of the data. This includes any data file that, for individuals, families, households, employers, or pension or other benefit providers, contains:
a. geographic identification of areas smaller than Census Division, including, but not limited to, metro area, county, minor civil division, school district, city, place, zipcode, tract, block numbering area, enumeration district, block group, or block; or
b. Social Security Covered Earnings data; or
c. Wage and Self-Employment Income data; or
d. Social Security Retirement, Survivors, and Disability Insurance (RSDI), Supplemental Security Income (SSI/SSDI), and Form 831 Disability data; or
e. Occupation or Industry data at greater detail than the Census 2-digit level; or
f. Pension Provider data; or
g. CMS/Medicare data or any other detailed health care provider or transaction data; or
h. Exact date (month, day, and year) of interview or of birth/death of respondents or family members; or
i. Any variables or fields derived from the data mentioned in items a.-h. above, including data linked to an HRS dataset using the data mentioned in items a.-h. as linking or matching variables.
Authorized Persons: This category includes the Restricted Data Investigator, Co-Investigators, Research Staff, and network/system administration personnel who are signatories to the restricted data agreement. All other persons are unauthorized persons.
Removable Media: Any storage device that can be removed from a computer while the system is running. This includes compact disks (CDROM, DVD, and Blu-Ray), diskettes, USB/Firewire drives, memory cards, media player devices, smartphones, digital cameras, Bluetooth devices, magnetic tapes, punch cards, and/or any other electromagnetic, optical, or paper storage device.
2. Required Restricted Data Protection Plan Components
- Data Protection Plan Narrative (see below)
- A copy of the Restricted Data Order Form specifying requested data sets
- (CMS Applicants only) A copy of the Restricted CMS Data Products Order Form
- A copy of the Restricted Data Protection Plan Checklist
Data Protection Plan Narrative
Your narrative must address each of the following topics.
Overview: Your data protection plan should provide a general description of the computing environment in which you will be managing and analyzing the data. This will give HRS reviewers the background necessary to determine how the components of your security plan will interact to produce a secure environment.
Shared File System: If you will not be using a shared file system to store HRS restricted data, state this in your Plan and disregard the rest of this sub-section.
If you will be using a shared file system to store HRS restricted data, such as a Local Area Network (LAN) or a timesharing mainframe, describe the system architecture as a whole, including connectivity between servers and your desktop client, intrusion detection/prevention methodology, location of network storage devices, and methods used to protect network components from unauthorized access. Describe the procedures that will be used to prevent network access by unauthorized persons to files containing HRS restricted data. Include information on access rights, password assignment and management of file ownership. You should also specify how data in transit between client and server will be protected (e.g., VPN protocols, VLAN technology). Finally, describe how you will prevent routine network and system backups of storage device files containing Restricted Data, regardless of whether such backup copies are on magnetic tape, hard disk, diskettes, or otherwise.
Workstation Storage: If you will not be using a local storage device for HRS restricted data, state this in your Plan and disregard the rest of this sub-section.
If you intend to use a local storage device (hard drive or other electronic or optical fixed device) to store HRS Restricted Data, provide a description of how you will protect the workstation from unauthorized physical and electronic access. Include a discussion of how your encryption software, anti-virus and anti-spyware software, password protection settings, firewall and physical protection methods will interact to produce a secure environment. Describe how the operating system will be configured to limit access to HRS restricted data local storage devices; e.g., read/write permission settings, authentication protocols, and folder or whole-disk encryption.
Use of Removable Media: Note: The Health and Retirement Study strongly recommends against the use of removable media for storage of Restricted Data, except as a means of shipping data to and from HRS.
If you will not be using removable media storage for HRS restricted data, state this in your Plan and disregard the rest of this sub-section.
If you will be using removable media storage for Restricted Data, your plan must state where the removable media to be used will be physically located and how physical access to them is to be restricted, including provisions for storage in locked cabinets when not in use. Your Plan should also specify how access to the contents of removable storage device files containing HRS restricted data will be controlled, for example, through use of encryption and password protection.
Some computing systems employ centralized handling of removable media (such as magnetic tapes used for backups) requiring the use of keywords or labels (internal and/or external), known only to the owner of the removable medium, to mount the medium. Other systems allow the owner to specify which other users can have read/write access to a removable storage device. Your Plan should state how mechanisms of this sort will be used to ensure that only authorized persons will be able to mount and read removable media handled by a central system.
Backups: For archival purposes you may make one backup copy of each removable media item containing HRS restricted data. If you intend to create such archival backups, your Plan should state that you will make only one backup copy of each item received from HRS. Removable media items sent to you by HRS should be stored in the same secure fashion as archival backups. The Plan should describe the physical and/or software methods that will be used to protect distribution and backup media from unauthorized access.
Note: At the termination of your agreement, on or before the date on which your authorized access to the data expires, all distribution, work-space, and archival backup copies of HRS restricted data must either be returned to HRS or destroyed (written over or otherwise made unreadable). If you choose to destroy the data, you must provide a counter-signed statement confirming the destruction of the restricted files.
Paper Printouts: Describe how you will restrict access to paper printouts containing information derived from HRS restricted data. The HRS strongly recommends against the creation of any paper printouts containing restricted data, and will be very skeptical of any Restricted Data Protection Plan that proposes the use of such printouts.
If you will not be using such printouts, state this in your Plan and disregard the rest of this sub-section.
If you will be using paper printouts containing Restricted Data, your Plan must clearly state the uses that will be made of such printouts and the reason(s) why no other media can be used for the same purpose. Your Plan must also specify the means by which you will ensure that such printouts cannot be accessed by unauthorized persons (e.g., kept in locked storage that is accessible only to authorized persons when not in use); how they will be shielded from the vision and reach of unauthorized persons when they are in use; and how they will be destroyed (made unreadable, e.g., through shredding) prior to the termination of the restricted data agreement.
Treatment of data derived from restricted data: We require a clear statement that you will treat all data derived from restricted data in the same manner as the original restricted data, and that you understand that data derived from restricted data includes, but is not limited to:
- Subsets of cases or variables from the original restricted data;
- Numerical or other transformations of one or more variables from the original restricted data, including sums, means, logarithms, or products of formulas;
- Variables linked to another dataset using variables from an HRS restricted dataset as linkage variables.
(Aggregate statistical summaries of data and analyses, such as tables and regression coefficients, are not "derived variables" in the sense used in the Agreement, and are not subject to the requirements of the Restricted Data Protection Plan and the Agreement as long as cell size limits are observed.)
For additional guidance on reporting analysis results derived from HRS restricted data, please review Maintaining Respondent Privacy and Anonymity: Guidelines for HRS Restricted Data Users on this Web site.
Linkages to other datasets: State which other HRS and non-HRS datasets, if any, you intend to link to the HRS restricted data you are requesting, and include a clear statement that you will not perform linkages to any other datasets. Your statement must include recognition of the following rules:
- No HRS restricted dataset may be linked to any other HRS restricted dataset without the explicit written permission of HRS;
- No dataset including geography at a level of detail finer than Census Division (including the HRS Wave I Interview Dataset) may be linked to any restricted data product derived from Social Security administrative records.
Restricted Data Order Form: Since your Data Protection Plan needs to match the HRS restricted data set(s) you are requesting, it should be included as part of your application package. Note: Specify the file format/encryption type for each product that you request.
Restricted Data Products Order Form (CMS Applicants Only): You may apply for three different levels of data:
- The standard release, which contains enrollment and utilization information but omits geographic identifiers and masks provider identifiers, which should meet the needs of most users
- A geographic release, which adds beneficiary state, county and zip code to the above
- A provider release, which includes complete provider identifiers and geographic information for respondents and providers
Note: If you are requesting data sets with detailed geography or provider variables, you should include a brief description of why you need them.
Restricted Data Protection Plan Checklist: The checklist provides HRS with an overview of the computing environment in which your research will be conducted. It will be used in conjunction with the documents described above to determine if your application can be approved by the Data Confidentiality Committee. This document must be signed by you and an IT department representative.
If your computing environment does not match the checklist requirements, you must include a document that provides justification for each difference. Areas of special concern are:
- Workstation operating systems not on the checklist.
- Workstation access by multiple users.
- Missing anti-virus and anti-spyware software.
- Encryption software and how it is handled at the server and workstation.
- How physical access to computing equipment (client and server) is controlled.
- Encryption of network traffic between client and server (if applicable).
- Network server access procedures (if applicable).
- Implementation of firewall and intrusion detection systems (if applicable).
3. Additional Technical Advice
The suggestions listed in this document are designed to assist potential users of the HRS restricted data in preparing their data protection plans. We realize that individual circumstances will vary and that researchers will have questions requiring more specific guidance. For additional help in preparing your data protection plan, review:
- The Restricted Data Protection Plan Checklist
- The Restricted Data Environment: Issues Relating to Network-Connected Clients: Advice on how to use HRS restricted data in a public environment.
- HRS Memorandum on client security: If you intend to use HRS restricted data in a client-server environment, the client workstation needs to be protected against external threats. This document deals with this issue.
- Procedures for Updating a Standalone or Private Network Workstation: Advice on how to update workstations that are not connected to the Internet.
- Windows 7: Security and Protection
All questions—administrative, procedural, and technical—related to HRS Restricted Datasets should be sent via electronic mail to HRS Restricted Data Applications Processing. You may also reach us via fax, courier, or postal mail.
|Electronic Mail|HRS Restricted Data Applications Processing (email@example.com)|
|Postal Address|HRS Restricted Data Application Processing, Survey Research Center, P.O. Box 1248, Ann Arbor, Michigan 48106-1248|
|Courier Address|HRS Restricted Data Application Processing, Survey Research Center, 426 Thompson Street, Room 3410, Ann Arbor, Michigan 48104-2321|
Note: We assign an HRS Project Number for use in tracking your application as it moves through the review
Please include this Project Number on all correspondence.