Secure Research Data Strategy

SRDS Training Guide for Research with High Protection Level Data

Ratified May 29, 2024

Introduction

The University adopted the Research Data Protection Policy in order to promote good research practices and mitigate the risks associated with use of restricted data in research. This plan addresses requirements for training in order to promote such good practices.

As part of the Plan for Training for Research with Restricted Data, the Secure Research Data Strategy (SRDS) will implement the training in accordance with the guidance set forth in the plan. Training has been broken up into two sections 1) Security Training, and 2) Privacy Training.

Plan Scope

All University faculty, other academic appointees, employees, sta, postdoctoral fellows, students, and any other persons, including consultants, involved in the conduct of research with restricted data or personally identiable information performed at, under the auspices of, or using the resources of the University.

For avoidance of doubt, this does not apply to the University of Chicago Medical Center (UCMC), to any data produced by UCMC, or to any training required by UCMC. The UCMC HIPAA Privacy Program is also excluded from this guidance, and anyone partaking in the HIPAA Privacy Program Training is not expected to complete the privacy and security training detailed in this guide.

Research Data Training Responsibilities

Principal Investigators

  1. Principal Investigators will be notied when and which required SRDS training is expected to be completed.
  2. Principal Investigators are responsible for ensuring completion of security and/or privacy training required for restricted data or sensitive human subjects data they use in connection with their research, and assuring that the training obligation is met for all project staff accessing the restricted data.
  3. Faculty and researchers not working with restricted data will not be required to take the training.

Persons Who Access Restricted Data or Sensitive Human Subjects Data

  1. Such persons are responsible for completing required training in order to access the restricted data

University Research Administration

  1. University Research Administration (URA) is responsible for identifying appropriate training for DUAs in the reporting tool.

Institutional Review Boards

  1. Each IRB is responsible for identifying appropriate training required per protocol in the equivalent reporting tool.

SRDS Training Guidelines

The DUA data classication in the Sensitive Research Data Usage Guide (SRD-UG) used by URA will determine what requirements must be met to mandate training. The IRB will determine what requirements must be met to mandate training based on protocol review of the data.

Training Occurrence

Security and Privacy training must be completed annually as long as the faculty member has an active project with a high protection level as designated by URA or IRB.

Compliance

Completion Deadline

  1. After DUA execution and IRB protocol approval, the researcher should complete their assigned privacy and security training within three months.

Reporting

  1. A tiered approach similar to EHSA’s model where issues of non-compliance will move progressively to the Dean of each division.
  2. EachDeanwillberesponsibleforenforcingthetrainingrequirementsafterthethree-month period of the researcher being notied of required training by the central repository system.

Records

  1. A Learning Management System (LMS) or equivalent central repository of training completion and compliance stores all records of training.

Other Useful Training