Restricted Data
Data Protection Plan Requirements and Guidelines for Restricted Data Version 3
This page describes the required contents of the Data Protection Plan for L.A.FANS Restricted Data Version 3. It describes the basic information that all Data Protection Plans should include, the type of protection that is expected, and the disclosure rules for presenting and publishing results based on these data.
Secure Data Enclave
Researchers requesting Version 3 of the L.A.FANS Restricted Data must use a Secure Data Enclave. The Secure Data Enclave must implement a complete set of physical and computer security measures. Data users interested in using Version 3 of the Restricted Data should consult with L.A.FANS staff before submitting a preliminary application.
Researchers should propose to set up a physical enclave, with a dedicated computer (and printer, if needed) that is not connected to any type of network (LAN or otherwise) and that is kept in a locked room with limited access.
The Version 3 Data Protection Plan must describe the following elements of the work and computing environments:
- List and describe all locations where the original and any copies of the data will be kept (and provide building name, street address, and room numbers);
- Describe the computing environment in which the data will be used, including:
- Computing platform (e.g., personal computer, workstation, mainframe) and operating system;
- Number of computers on which data will be stored or analyzed;
- Whether PCs used in the research project will be on a network or will be stand-alone.
- Physical environment in which computer is kept (e.g., in room with public access, in room locked when not in use by research staff);
- A list and description of all devices on which data will be stored (e.g., network server, mainframe computer storage device, PC hard drive, removable storage device such as CD, floppy drive, or zip drive);
- Methods of storage of computer output both in electronic form and in hard copy (on paper or other media); and
- Instruction in data protection policies that will be provided to each staff member and student before they receive access to the data as well as recurrent instruction that will be conducted at least annually.
Types of Protection Expected
A successful Data Protection Plan for L.A.FANS Restricted Data Version 3 is expected to vary across research projects and to depend on the host institution. It must be based on providing exceptional security for the data. The plan must be developed in consultation with L.A.FANS staff.
The Data Protection Plan should also specify the following items:
- Prepare and maintain a log of all data files acquired. Record dates that data and paperwork are received and returned or destroyed;
- Pledge to destroy all files containing Restricted Data at the end of the project; and
- Report all violations of the Data Safeguarding Plan to RAND, the Restricted Data Investigator, and the home-institution IRB.
The Restricted Data Investigator must regularly monitor procedures for use of the data by all staff and collaborators. Clear rules about Restricted Data use should be posted in a location that is readily visible to staff. At the conclusion of the research project, all the original L.A.FANS Restricted Data media must be returned to RAND and all data files and unpublished printouts must be destroyed.
Disclosure Rules
The Data Protection Plan must carefully describe how researchers and staff members will avoid inadvertent disclosure of respondents' geographic locations or identity in all working papers, publications, and presentations.
At minimum, researchers must agree to exclude the following information from any type of publication or presentation:
- Listing of individual cases;
- Description of individual cases;
- Listing, description, or identification of a tract or tracts by number, by name, or by descriptive information;
- Maps with any features (such as landmarks, road networks, original tract shape or physical features) that allow tracts to be identified; and
- Summary statistics or tabulations by geographic level below SPA (Service Planning Area).
