Sensitive Data Control Plan Certification

Memorandum [PDF]

Date: July 8, 2010

To: Deans

From: Juan M. Sanchez, Vice President for Research

RE: Data Use Agreements

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) established uniform policy for confidentiality protection of statistical information collections sponsored or conducted by more than 70 Federal agencies.  Data sharing among specified agencies (Bureaus of Economic Analysis, Labor Statistics and Census) to include identifiable data for statistical purposes is authorized and encouraged.  Information that can be used to distinguish or track an individual’s identity, such as name, Social Security Number, or biometric information, as well as information that could be used in conjunction with other data elements to reasonably infer the identity of a respondent, such as a combination of gender, race, date of birth, geographic indicators, or other descriptors, is protected. Special procedures are required for use of laptop computers, PDAs, zip drives, floppy disks, CD-ROMs or any other IT devices.

As a result, data use agreements have become more stringent and usually require written plans documenting the procedures that will be utilized to protect covered information.  The Office of Sponsored Projects (OSP) has developed a template Sensitive Data Protection Plan (SDCP) form to assist recipients of these data to articulate the procedures that will be followed. However, many of these data are used by students or faculty for projects that are not funded by external sponsors.  In those instances, it is the responsibility of the College to execute those agreements and to review the procedures for adequacy.  The Information Security Office can provide assistance in reviewing and auditing SDCPs when data are housed on university computers, and will provide guidance upon request for data housed on non-university owned computers.  Inquiries may be sent to

Attached find a copy of the template SDCP that should be used when the data use agreement does not fully articulate the procedures which will be utilized to protect the confidentiality of the data.  If you have questions, please contact Dr. Susan Wyatt Sedwick in OSP at

Sensitive Data Control Plan Certification, Templates

Non-Funded by External Sponsors [Word]

Procedure outlined above by the Vice President for Research

  1. Colleges must execute agreements and review them for adequacy; then
  2. Submit completed agreement to the Information Security Office for review and audit.

Funded by External Sponsors [Word]

  1. Individual develops agreement with the Office of Sponsored Projects; then
  2. OSP submits completed agreement to the Information Security Office for review and audit.