Common use of Data Security and Unauthorized Data Release Clause in Contracts

Data Security and Unauthorized Data Release. The Requester and Approved Users acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access data and any Data Derivatives according to NIH’s expectations set forth in the current NIH Security Best Practices for Users of Controlled-Access Data and the Requester’s IT security requirements and policies. The Requester and PI agree to notify the NIH Incident Response Team, NIH DAC(s) on the project request, and NIH Office of Extramural Research Data Sharing Policy Implementation (OER/DSPI) Team of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. For the NIH Incident Response Team notifications can be made by phone (▇▇▇) ▇▇▇-▇▇▇▇ (4357); Toll Free Number: (866) 319-4357 or TTY: (▇▇▇) ▇▇▇-▇▇▇▇ and can also be sent by email to ▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or via the Report an Incident Link: ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇▇▇.▇▇▇.▇▇▇/. For OER/DSPI Team, notifications can be sent to ▇▇▇_▇▇▇@▇▇▇▇.▇▇▇.▇▇▇. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the DAC(s) and the OER/DSPI Team a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Requester agrees to provide any additional documentation requested by the NIH DAC(s) or the OER/DSPI Team on the incident, including verifying that the remediation plans have been implemented.
Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident. Approved Users and their associates agree to support such investigations and provide any information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.

Appears in 7 contracts

Sources: Data Use Certification Agreement, Data Use Certification Agreement, Data Use Certification Agreement

Data Security and Unauthorized Data Release. The Requester and Approved Users acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access data and any Data Derivatives according to NIH’s expectations set forth in the current NIH Security Best Practices for Users of Controlled-Access Data and the Requester’s IT security requirements and policies. The Requester and PI agree to notify the NIH Incident Response Team, NIDCR FaceBase DAC (URGENT email: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇.▇▇▇) on the project request, and NIH Office of Extramural Research Data Sharing Policy Implementation (OER/DSPI) Team of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. For the NIH Incident Response Team notifications can be made by phone (▇▇▇) ▇▇▇-▇▇▇▇ (4357); Toll Free Number: (866) 319-4357 or TTY: (301) 496-8294 and can also be sent by email to ▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or via the Report an Incident Link: ▇▇▇▇▇://▇▇▇▇▇▇▇▇▇.▇▇▇▇.▇▇▇.▇▇▇/. For OER/DSPI Team, notifications can be sent to ▇▇▇_▇▇▇@▇▇▇▇.▇▇▇.▇▇▇. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the DAC notification, the Requester agrees to submit to the NIDCR FaceBase DAC (URGENT email: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇.▇▇▇) and the OER/DSPI Team a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action.
The Requester agrees to provide any additional documentation requested by the NIDCR FaceBase DAC or the OER/DSPI Team on the incident, including verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Requester. NIH, or another entity designated by NIH may, as permitted by law, also investigate any data security incident. Approved Users and their associates agree to support such investigations and provide any information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, Requester and Approved Users agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.

Appears in 1 contract

Sources: Data Use Certification Agreement