HQ Expectations of DOE Site IRBs

Office of Science. HQ Expectations of DOE Site IRBs: Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information. Libby White, May 7, 2009.

Presentation Transcript
Office of Science

HQ Expectations of DOE Site IRBs

Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information

Libby White

May 7, 2009

HQ Expectations of DOE Site IRBs: Unanticipated Problems
  • 45 CFR 46 calls for prompt reporting to the IRB(s), appropriate institutional and agency officials, and OHRP.

OHRP guidance recommends that the PI report an unanticipated problem to the IRB(s) within 2 weeks and that the PI/the PI’s organization report the unanticipated problem to OHRP within 6 weeks (or within 1 month of notifying the IRB(s)).

  • DOE Order 443.1A also requires prompt reporting to the DOE HSR Program Manager, SC-23 (and the DOE HSR Program Manager, NA-1 for NA sites), and coordination with and approval from the HSR Program Manager(s) in determining plans to correct the unanticipated problem.  

While DOE Order 443.1A does not define “prompt,” we request that you notify the HSR Program Manager(s) within 48 hours of learning of any unanticipated problem that does not involve PII.

HQ Expectations of DOE Site IRBs: Unanticipated Problems (continued)
  • If potential loss or compromise of PII is involved, report the incident immediately (as soon as you learn of the incident):
    • Through your Departmental Element;
    • To the DOE-Cyber Incident Response Capability (DOE-CIRC) at [email protected] or 866-941-2472; and
    • To the DOE HSR Program Manager(s).  
PII-Related Expectations of DOE Site IRBs
  • Operating Policies and Procedures:
    • Examine and expand as necessary to address unanticipated problems. 
    • Ensure that they include a requirement for immediate notification of appropriate parties when there is potential loss or compromise of PII.  
    • Outline the range of the IRB’s possible actions in response to reports of unanticipated problems.
  • IRB-approved Protocols:
    • Examine and verify that protocol(s) have clear and detailed plan(s) for protecting PII in accordance with Federal/DOE requirements, including safe storage of PII (file cabinets, computers), encryption of data to be transferred, and immediate notification of incident(s) involving potential compromise or loss of PII data.
  • Notify me (and, for NNSA sites, also John Ordaz) when the above actions have been completed.  This should be a high priority for the IRBs, and should be completed as soon as possible and no later than June 30, 2009.
  • New protocols:
    • Verify that there are clear and detailed plan(s) for protecting PII in accordance with Federal and DOE requirements.

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements
  • In accordance with the Privacy Act, the DOE has established requirements for the protection of Personally Identifiable Information (PII) with the:
    • DOE Privacy Program (DOE Order 206.1);
    • DOE Manual (M) for Identifying and Protecting Official Use Only Information (DOE M 471.3-1); and
    • DOE Cyber Security Incident Management Manual (DOE M 205.1-8).
  • Research Protocols Must Include Description of Processes for:
    • Keeping PII confidential;
    • Releasing PII only under a procedure approved by the responsible IRB(s) and DOE, where required;
    • Using PII only for purposes of the DOE-approved research and/or EEOICPA;

Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued)
  • Handling and marking documents containing PII as “containing PII” or “containing PHI”;
  • Establishing reasonable administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PII;
  • Making no further use or disclosure of the PII except when approved by the responsible IRB(s) and DOE, where applicable, and then only:
    • In an emergency affecting the health or safety of any individual;
    • For use in another research project under these same conditions and with DOE written authorization;
    • For disclosure to a person authorized by the DOE program office for the purpose of an audit related to the project; or
    • When required by law.
Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued)
  • Protecting PII data stored on removable media (CD, DVD, USB Flash Drives, etc.) using encryption products that are Federal Information Processing Standards (FIPS) 140-2 certified;
  • Using FIPS 140-2 certified encryption that meets the current DOE password requirements cited in DOE Guide 205.3-1;
  • Shipping removable media containing PII, as required, by express overnight service with signature and tracking capability, and shipping hard copy documents double wrapped via express overnight service;
  • Encrypting data files containing PII that are being sent by e-mail with FIPS 140-2 certified encryption products;
  • Sending passwords that are used to encrypt data files containing PII separately from the encrypted data file, i.e. separate e-mail, telephone call, separate letter;
Checklist for IRBs to Use in Verifying that HS Research Protocols are In Compliance with DOE Requirements (continued)
  • Using FIPS 140-2 certified encryption methods for websites established for the submission of information that includes PII;

  • Using two-factor authentication for logon access control for remote access to systems and databases that contain PII. (Two-factor authentication is contained in the National Institute of Standards and Technology (NIST) Special Publication 800-63 Version 1.0.2 found at: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf);
  • In addition to other reporting requirements, reporting the loss or suspected loss of PII immediately upon discovery to: 1) the DOE Project Officer; and 2) the applicable IRBs.
