Minneapolis VA Health Care System Research Service
Data Privacy and Security
The Research Service Line is charged with ensuring the protection and security of VA research data. Our program strives to adhere to all applicable requirements intended to ensure integrity of research data, accessibility to the public, and privacy for study participants.
Research Information Protection & Security working group (RIPS):
RIPS is an informal workgroup that meets monthly (or as needed) to find solutions for investigators facing technical problems with data security or IT issues. The RIPS group consists of the Deputy Associate Chief of Staff for Research (dACOS), Research Privacy Officer (PO), Research Compliance Officer (RCO), Human Research Protection Program (HRPP) Coordinator, and facility Information Systems Security Officers (ISSOs). The RIPS group has assisted investigators and their staff with solutions for issues such as arranging secure data transfer, resolving concerns over data ownership in collaborative studies, and navigating what software can or cannot be approved for specific purposes, among others. Researchers facing data security or IT approval problems are encouraged to meet with the RIPS workgroup. Meetings can be arranged by contacting the Deputy ACOS.
5 simple steps to secure and protect VA data:
The following tips are intended to be a brief guide to best practices for data security. For more details, please refer to the RDC "Research Data Requirements" SOP.
- Store VA data on the Research (R:\) drive.
All files and records related to a VA research study must be stored on the VA network. Any records created outside of the VA network must be regularly saved to the VA network.
Data for each individual study must be placed on the R:\ drive, NOT on your personal U:\ drive or the computer hard drive.
- Ensure network folders are properly secured.
When a study is approved, a network folder for storage of research data or records will be created on the R:\ drive in the R:\Data directory. Study team leads will use the SFFX website (VA intranet only) to manage access to the records and data.
Access must be restricted to only approved personnel on that study. For guidance, refer to the instructions in "Adding or Removing Personnel in SFFX".
- Ensure that VA sensitive data are stored only on VA systems.
Sensitive records (including PHI/PII) must always remain on the VA network, VA-issued computers, or VA-approved storage devices such as secure USB drives.
If you are unsure whether your data are “sensitive”, ask the Research Privacy Officer for assistance. Unless and until you are told otherwise, treat your data as sensitive.
- Ask for approval before sharing VA data.
Remember that VA data belong to the VA, not to you. Sharing VA data with persons outside of the VA requires approval from the Privacy Officer.
In most cases, you will need to complete a Data Use Agreement to ensure VA interests in data are protected and enforced.
- Securely archive all VA records once your study closes.
Federal records retention guidelines require all files from VA-approved studies to be kept for at least 6 fiscal years post closure.
While the Research Office will assist with the long-term archiving process, it is your responsibility to turn over the complete records, including hard copy and electronic records.
Identifiable human subjects data cannot remain in your hands after the study closes. Your permission to access these data ends when the study ends.
In most cases you are allowed to retain a copy of research records that do not contain any identifiable human subjects data. If in doubt, contact the Deputy ACOS or the Research Privacy Officer.