Data Security

Certain grants and contracts may have additional requirements for data security.  FAQs for the specialized data security requirements can be found on this page's drop-down listings for the following:

  • FISMA - The Federal Information Security Management Act
  • CUI - Controlled Unclassified Information
  • GDPR - General Data Protection Regulation

FISMA

What are the key acronyms I need to know?

  • FISMA:  Federal Information Security Management Act of 2002
  • NIST:  National Institute of Standards and Technology
  • CUI:  Controlled Unclassified Information

What is FISMA?

  • FISMA is a law which provides protection for federal information systems against natural, man-made, or system-generated threats.
  • FISMA differs from standard data security controls in that it imposes additional security requirements scaled to the risk level of the data (see “How are FISMA requirements different from our general data security requirements?” below).
  • Each federal agency, vendor, or contractor must develop, document, and implement an institution-wide program to provide information security for the information systems that support the operations and assets of the institution, contractors, or other sources.
  • NIST provides guidance for FISMA compliance via its Special Publications (SP) 800 series.

I am considering a project or contract which has FISMA requirements. Where do I start?

  • Notify the Office of Sponsored Programs and the FISMA Program Manager, Eric Asare.
  • Review the FISMA Compliance: Principal Investigator’s Requirements document.
  • Review the FISMA Information Sheet for commonly required information.  The FISMA Program Manager will work with the PI and the Study Team to clarify information needed and assist with completing the FISMA assessment process.

What are the benefits to WFBMC of being FISMA compliant?

  • Being FISMA compliant enables WFBMC to compete for certain research grants and contracts.
  • FISMA compliance reduces the risk of research data breaches.
  • FISMA compliance can potentially save WFBMC from incurring substantial fines and financial loss due to privacy breaches and misuse of stolen sensitive information.

What are the risks of non-compliance?

  • All projects with federal funding components MUST comply with all applicable federal regulations.  Failure to comply can affect current and future funding from federal agencies.
  • Non-compliance can affect the reputation of the Institution and its affiliate institutions or influence other institutions’ interest in collaborating with us on a grant or sub-contract.
  • The Institution, faculty, and staff may be subject to corrective actions, including fines and penalties, according to the required Federal and Institutional policies.

What are the key steps in the FISMA assessment process?

  • Categorize information and information systems according to risk level. Risk Levels are defined below.  
  • Maintain a system security plan
  • Utilize security controls appropriate for the risk level.  FISMA Security Controls are outlined below.
  • Conduct risk assessments throughout the life cycle of the system
  • Institute certification and accreditation of the systems, including staff, processes, and technology
  • Conduct continuous monitoring of the authorized system

How are FISMA requirements different from our general data security requirements?

  • FISMA builds upon existing institutional security requirements such as password policies, firewalls, privacy/confidentiality, data integrity and business continuity.
  • FISMA imposes additional security requirements consistent with the level of risk of the data.

Which funders and grant mechanisms are most likely to have FISMA requirements?

  • National Institutes of Health (NIH)
  • Centers for Disease Control (CDC)
  • Department of Defense (DoD)
  • Veterans Administration (VA)
  • National Aeronautics and Space Administration (NASA)
  • National Oceanic and Atmospheric Administration (NOAA)
  • Other governmental Agencies

How do I determine if FISMA is required of my project?

  • Review grant or contract applications to determine if there are FISMA requirements. Look for terminology related to FISMA deliverables such as:
    • System Security Plan (SSP)
    • Risk Assessment Report (RAR)
    • Authorization to Operate (ATO)

What are the FISMA risk levels?

  • The risk level categorization is based on the criticality of the information system/type according to each of the three security objectives: Confidentiality, Integrity and Availability (CIA). The higher the risk level, the more controls apply to the project.
  • Low – the data is already publicly available, and a breach would have limited impact on the government and national economy.
  • Moderate – a breach or compromise of the data would have a serious impact; includes PHI.
  • High – a breach or compromise of the data would have a severe impact on government systems and operations and may even lead to financial ruin or economic crisis.

What are FISMA controls?

  • There are over 800 security controls organized into 16 families. Controls are either technical, operational, or management in nature. Depending on the level of risk, certain controls must be in place. Some controls are already in place as part of our general Information Technology security systems; however, additional controls may be indicated.
  • The sixteen security control families are:
    • Risk Assessment
    • Certification, Accreditation and Security Assessments
    • System Services and Acquisition
    • Security Planning
    • Configuration Management
    • System and Communications Protection
    • Personnel Security
    • Awareness and Training
    • Physical and Environmental Protection
    • Media Protection
    • Contingency Planning
    • System and Information Integrity
    • Incident Response
    • Identification and Authentication
    • Access Control
    • Accountability and Audit

What is involved in WFBMC’s FISMA compliance review process for an individual project/contract?

  • The institution must complete a Security Assessment and Authorization (SA&A) review for your project to determine compliance with requirements consistent with the security level.
  • The PI will complete the FISMA Information Sheet [ADD LINK] and send this to the FISMA Program Manager.
  • The PI and study team will collaborate with the FISMA Program Manager to:
    • Determine the scope of FISMA compliance;
    • Complete the Security Controls Assessment;
    • Implement any additional needed controls; and
    • Prepare required FISMA deliverables.
  • Most contracts dictate a timeline of when deliverables are due. The FISMA Program Manager will assist the PI and study team to prepare the required deliverables. Below are examples of Department of Health and Human Services (DHHS) contract specifications:
    • IT Security Plan (same as the System Security Plan above): due within 30 days after contract award
    • IT Risk Assessment (IT-RA): due within 30 days after contract award
    • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems Assessment (FIPS 199 Assessment): due within 30 days after contract award
    • IT Security Assessment and Authorization (IT-SA&A): due within 3 months after contract award
  • See “FISMA Deliverables” for more information and sample documents of selected deliverables.

How long will it take to assure that the security for my project is FISMA compliant?

  • On average it may take six months to complete the Security Assessment and Authorization (SA&A) process.
  • The time it takes for a system to be in compliance depends on several factors such as system size, skilled human resources available, the complexity of the computing environment, software and hardware availability, etc.
  • Not all security measures have to be in place at the time of grant/contract submission or award. The Notice of Award and/or contract typically outline the required deliverable due dates. Deliverable dates are determined as part of the assessment, indicating at what point different security measures must be implemented. The institution must assure that the risk level is reasonable until all measures are in place.
  • To meet FISMA deliverable deadlines, we strongly encourage you to contact the Office of Sponsored Programs and the FISMA program manager as soon as possible.
  • Upon assurance that FISMA Requirements have been met, an Authorization to Operate (ATO) will be issued by WFBMC designated executive(s). ATOs are valid for three years.

What is required to maintain FISMA Compliance?

  • Compliance of all authorized systems with FISMA requirements must be monitored throughout the life of the project and until all data has been analyzed.
  • An Authorization to Operate (ATO) is valid for 3 years.
  • All FISMA assessments related to a project are subject to yearly renewal except Privacy Impact Assessments (PIA), which must be renewed every 3 years.
  • The FISMA Program Manager will assist PIs and study teams in monitoring and maintaining FISMA compliance.

We already have a grant project in progress, do I have a FISMA requirement?

  • Work with the Office of Sponsored Programs to determine if Notice of Award, contracts, etc. have FISMA requirements that must be addressed. If so, the Security Assessment & Authorization (SA&A) process must be completed or updated.

How will FISMA impact the use of my data?

  • How do I use my data in compliant areas?
    • There are no restrictions on the proper use of data from a FISMA point of view (as long as it falls within the scope of your research).
    • If electronic data will need to be shared with other individuals or institutions, it may be necessary to establish an Interconnected System Agreement and Memorandum of Understanding.
  • As a PI, do I have to keep records? Submit reports outside?
    • Copies of deliverables will be given to the PI for their records. OSP will liaise with Federal agencies on issues of FISMA compliance.

What are we doing at the institutional level to comply with FISMA requirements?

  • A FISMA Compliance Committee has been established with representatives from IT, CTSI, and other research stakeholders to address institutional needs related to FISMA.
  • Options are being investigated for storage of FISMA-related data in a separate, even more secure environment, consistent with FISMA requirements.
  • A FISMA Program Office has been created to facilitate the processes and procedures involved to support compliance.
  • The following Information Technology security policies relate to FISMA; others are under development:
    • Risk Management Policy
    • System and Services Acquisition Policy
    • Configuration Management Policy
    • System and Communications Protection Policy
    • Personnel Security Policy
    • Awareness and Training Policy
    • Physical and Environmental Protection Policy
    • Media Protection Policy
    • Contingency Planning Policy
    • System and Information Integrity Policy
    • Incident Response Policy
    • Identification and Authentication Policy
    • Access Control Policy
    • Accountability and Audit Policy
  • General boilerplate language for Information Technology Services and the Federal Information Security Modernization Act can be found here. This may be sufficient to include in a grant application. The FISMA Program Manager can assist in providing more detailed information as needed.

What resources are available to assist me/my team with FISMA related questions?

    • Consultation and assistance are available for reviewing grant proposals, contracts, and notices of award for FISMA requirements: contact CTSI Office of Sponsored Programs, Robyn Gore/Ryan Favreau @ 716-2382.
    • Consultation and assistance are also available for conducting risk assessments, and training for PIs and study teams. Contact IT Security at 336-713-ITSO (3-4876) or ITsecurity_dl@wakehealth.edu or privacy@wakehealth.edu for assistance.

FISMA Forms and Templates

CUI

What is CUI?

  • Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
  • Executive Order 13556 establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
  • The Order standardizes the way in which departments and agencies handle unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.
  • Successful implementation of this Order by agencies will enhance the efficient and effective management, control, and sharing of CUI and further the administration’s goals of openness and uniformity of government practices.

I am considering a project or contract which has CUI requirements. Where do I start?

  • You should make two groups aware of the requirements for your project: IT Security will need to complete an assessment of compliance requirements and the CTSI Office of Sponsored Programs will need to be aware of the CUI obligations related to your proposed project. 

What are the benefits to WFBMC of being CUI compliant?

  • It is important that investigators receiving awards requiring CUI work with IT Security to develop and follow a plan to meet these requirements. The mechanism IT Security has developed to meet CUI obligations allows Wake Forest School of Medicine investigators to obtain the increasing number of awards requiring the use of CUI.

What are the risks of non-compliance?

The following is a summary of the risks and implications associated with the failure to comply with cyber and IT requirements that may be applicable to your contract.

  • Breach of Contract: Just like any other contractual requirement, standard breach of contract theories and damages may result from failing to comply with cyber and IT requirements. If the subcontractor is the responsible party, the government will hold the prime contractor liable, and the prime contractor in turn will look to the subcontractor to make it whole. (Adapted from an article by Pepper Hamilton LLP Attorneys at Law)
  • Liquidated Damages: Government agencies may include liquidated damages provisions in their contracts, especially if there is sensitive personal information, such as personally identifiable information or protected health information.
  • Termination for Default: Cyberattacks, data breaches and losses of confidential data are inherently serious in nature, and arguably even more so when the government is a contracting party. Given the seriousness of noncompliance, a government agency may well be in its rights to terminate a contract for default for failure to comply with cyber and IT requirements. Some agencies may even include specific termination provisions relating to cyber and IT noncompliance.
  • Termination for Convenience: Although a convenience termination is a preferable alternative to a default termination, the contractor will nonetheless lose contract revenue and will likely not be made whole through the termination process. If the prime contract is terminated for convenience, the subcontract will likely be terminated as well.
  • Poor Past Performance: Given the importance of past performance, contractors and subcontractors must take all appropriate steps to ensure that their past performance ratings are as high as possible. Breach of contract, the imposition of liquidated damages and default terminations will unfavorably impact past performance ratings for years.
  • False Claims Act: A contractor or subcontractor can be liable under the False Claims Act (FCA) for submitting false claims, i.e., invoices. “False certification” cases involve allegations that the contractor has made a false express or implied certification with respect to compliance with a statute, regulation or contract term. Express certification cases are more straightforward — they involve claims for payment that include a false certification regarding a material requirement, i.e., the contractor knows the requirement is material to the government’s payment decision.
  • Suspension / Debarment: Contractors and subcontractors struggling with cyber and IT requirements should be mindful of the government’s broad suspension and debarment powers.

How are CUI requirements different from our general data security requirements?

  • Agencies may place limits on disseminating CUI beyond what is needed for a lawful government purpose only through the use of the limited dissemination controls listed below, or through methods authorized by a CUI Specified authority. In these cases, CUI appropriately shared with collaborators will need to be marked with the dissemination limitations as shown below.

Each limited dissemination control is listed with its Marking and Portion Marking, followed by its description.

  • No foreign dissemination (Marking: NOFORN; Portion Marking: NF): Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-US citizens.
  • Federal Employees Only (Marking: FED ONLY; Portion Marking: FED ONLY): Dissemination authorized only to (1) employees of United States Government Executive branch departments and agencies (as agency is defined in 5 U.S.C. 105), or (2) armed forces personnel of the United States or Active Guard and Reserve (as defined in 10 U.S.C. 101).
  • Federal Employees and Contractors Only (Marking: FEDCON; Portion Marking: FEDCON): Dissemination authorized only to (1) employees of United States Government Executive branch departments and agencies (as agency is defined in 5 U.S.C. 105), (2) armed forces personnel of the United States or Active Guard and Reserve (as defined in 10 U.S.C. 101), or (3) individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services, so long as dissemination is in furtherance of that contractual purpose.
  • No dissemination to Contractors (Marking: NOCON; Portion Marking: NOCON): No dissemination authorized to individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services. Note: This dissemination control is intended for use when dissemination is not permitted to federal contractors, but permits dissemination to State, local, or tribal employees.
  • Dissemination List Controlled (Marking: DL ONLY; Portion Marking: DL ONLY): Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list. Note: Use of this limited dissemination control supersedes other limited dissemination controls, but cannot supersede dissemination stipulated in federal law, regulation, or Government-wide policy.
  • Authorized for release to certain nationals only (Marking: REL TO [USA, LIST] (see list); Portion Marking: REL TO [USA, LIST] (see list)): Information has been predetermined by the designating agency to be releasable or has been released only to the foreign country(ies)/international organization(s) indicated, through established foreign disclosure procedures and channels. It is NOFORN to all foreign country(ies)/international organization(s) not indicated in the REL TO marking. Note: See the list of approved country codes for use with REL TO here. USA must always appear first when using REL TO, followed by additional permitted trigraph country codes in alphabetical order.
  • Display Only (Marking: DISPLAY ONLY; Portion Marking: DISPLAY ONLY): Information is authorized for disclosure to a foreign recipient, but without providing the foreign recipient with a physical copy for retention, regardless of medium, to the foreign country(ies)/international organization(s) indicated, through established foreign disclosure procedures and channels.
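As an added example (not part of the original FAQ or any WFBMC tool), the checker below encodes the marking rules from the table above so that a document's limited dissemination control marking can be verified before CUI is shared with collaborators: the fixed markings map to their portion markings, and a REL TO list must start with USA followed by approved trigraph country codes in alphabetical order. The APPROVED_TRIGRAPHS set is a constructed placeholder; the authoritative list is the approved country code list the table refers to.

```python
"""Checker for CUI limited dissemination control (LDC) markings.

Added example, not part of the original FAQ. It encodes the marking rules
from the table above. APPROVED_TRIGRAPHS is a constructed placeholder and
must be replaced with the official approved country code list.
"""
import re

# Marking -> portion marking, exactly as given in the table above.
LDC_PORTION_MARKINGS = {
    "NOFORN": "NF",
    "FED ONLY": "FED ONLY",
    "FEDCON": "FEDCON",
    "NOCON": "NOCON",
    "DL ONLY": "DL ONLY",
    "DISPLAY ONLY": "DISPLAY ONLY",
}

# Placeholder set (constructed for this example only). Replace with the
# official approved country code list before relying on this check.
APPROVED_TRIGRAPHS = {"USA", "AUS", "CAN", "GBR", "NZL"}

# Matches "REL TO [USA, CAN, GBR]". Whitespace before the bracket is
# optional so a marking typed as "REL TO[USA, ...]" is still recognised.
_REL_TO_RE = re.compile(r"^REL TO\s*\[\s*([^\]]*)\]$")


def validate_rel_to_codes(codes):
    """Return the list of rule violations for the codes in a REL TO list.

    An empty list means the codes follow the rules described in the table.
    """
    errors = []
    if not codes:
        return ["REL TO list is empty; it must at least contain USA"]
    if codes[0] != "USA":
        errors.append("USA must appear first in a REL TO list")
    for code in codes:
        if not re.fullmatch(r"[A-Z]{3}", code):
            errors.append(f"{code!r} is not a three-letter trigraph code")
        elif code not in APPROVED_TRIGRAPHS:
            errors.append(f"{code} is not on the approved country code list")
    others = codes[1:]  # everything after the leading USA entry
    if others != sorted(others):
        errors.append("codes after USA must be in alphabetical order")
    if len(set(codes)) != len(codes):
        errors.append("duplicate country codes in REL TO list")
    return errors


def check_ldc_marking(marking):
    """Parse one LDC marking and describe the result as a dict.

    Keys: 'control' (normalised marking or None if unknown), 'codes' (the
    REL TO country list), 'portion' (portion marking to apply) and 'errors'.
    """
    text = " ".join(marking.split())  # collapse stray whitespace
    if text in LDC_PORTION_MARKINGS:
        return {"control": text, "codes": [],
                "portion": LDC_PORTION_MARKINGS[text], "errors": []}
    match = _REL_TO_RE.match(text)
    if match:
        codes = [c.strip() for c in match.group(1).split(",") if c.strip()]
        portion = f"REL TO [{', '.join(codes)}]"
        return {"control": "REL TO", "codes": codes, "portion": portion,
                "errors": validate_rel_to_codes(codes)}
    return {"control": None, "codes": [], "portion": None,
            "errors": [f"unknown limited dissemination control: {text!r}"]}


if __name__ == "__main__":
    # Constructed sample markings, two of which break the REL TO rule.
    for sample in ["NOFORN", "REL TO [USA, CAN, GBR]",
                   "REL TO [CAN, USA]", "REL TO [USA, GBR, CAN]"]:
        result = check_ldc_marking(sample)
        status = "ok" if not result["errors"] else "; ".join(result["errors"])
        print(f"{sample:26} portion={str(result['portion']):24} {status}")
```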

Which funders and grant mechanisms are most likely to have CUI requirements?

  • Department of Defense (DoD)
  • Defense Advanced Research Project Agency (DARPA)

How do I determine if CUI is required of my project?

  • The contract or award notification will specify that CUI is necessary for performance of the work.

What are CUI controls?

  • Federal agencies may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program.
  • Authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:

(1) Establish controlled environments in which to protect CUI from unauthorized access;

(2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;

(3) Keep CUI under the authorized holder’s direct control or protect it with at least one physical barrier; and

(4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements.

  • When sending CUI, authorized holders:

(1) May use the United States Postal Service or any commercial delivery service when they need to transport or deliver CUI to another entity;

(2) Should use in-transit automated tracking and accountability tools when they send CUI;

(3) May use interoffice or interagency mail systems to transport CUI; and

(4) Must mark packages that contain CUI according to marking requirements.

  • Reproducing CUI. Authorized holders:

(1) May reproduce (e.g., copy, scan, print, electronically duplicate) CUI in furtherance of a lawful Government purpose; and

(2) Must ensure, when reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, that the equipment does not retain data or the agency must otherwise sanitize it.

  • Destroying CUI.

(1) Authorized holders may destroy CUI when: (i) The agency no longer needs the information; and (ii) Records disposition schedules published or approved by NARA allow.

(2) When destroying CUI, including in electronic form, agencies must do so in a manner that makes it unreadable, indecipherable, and irrecoverable. Agencies must use any destruction method specifically required by law, regulation, or Government-wide policy for that CUI.

What is involved in WFBMC’s CUI compliance review process for an individual project/contract?

  • The PI and study team will collaborate with IT Security to:
    • Determine the scope of CUI requirements;
    • Complete the Security Controls Assessment; and
    • Implement any additional needed controls.

What is required to maintain CUI Compliance?

  • Compliance with the IT Security-approved controls and approved data sharing processes.

We already have a grant project in progress, do I have a CUI requirement?

  • Work with the Office of Sponsored Programs to determine if Notice of Award, contracts, etc. have CUI requirements that must be addressed.

How will CUI impact the use of my data?

  • How do I use my data in compliant areas?
    • The data will need to be used and shared as specified in the award or contract.
    • If data will need to be shared with other individuals or institutions, it may be necessary to establish an Interconnected System Agreement and Memorandum of Understanding, and the data will need to be marked with the dissemination limitations as shown above.

What are we doing at the institutional level to comply with CUI requirements?

  • A Compliance Committee has been established with representatives from IT, CTSI, and other research stakeholders to address institutional needs related to CUI.
  • Options are being investigated for storage of CUI data in a separate, even more secure environment, consistent with CUI requirements.
  • The following Information Technology security policies relate to CUI; others are under development:
    • Risk Management Policy
    • System and Services Acquisition Policy
    • Configuration Management Policy
    • System and Communications Protection Policy
    • Personnel Security Policy
    • Awareness and Training Policy
    • Physical and Environmental Protection Policy
    • Media Protection Policy
    • Contingency Planning Policy
    • System and Information Integrity Policy
    • Incident Response Policy
    • Identification and Authentication Policy
    • Access Control Policy
    • Accountability and Audit Policy
  • General boilerplate language for Information Technology Services can be found here. This may be sufficient to include in a grant application. IT Security can assist in providing more detailed information as needed.

What resources are available to assist me/my team with CUI related questions?

  • Consultation and assistance are available for reviewing grant proposals, contracts, and notices of award for CUI requirements: contact CTSI Office of Sponsored Programs, Robyn Gore/Ryan Favreau @ 716-2382.
  • Consultation and assistance are also available for conducting risk assessments, and training for PIs and study teams. Contact IT Security at 336-713-ITSO (3-4876) or ITsecurity_dl@wakehealth.edu or privacy@wakehealth.edu for assistance.

CUI Forms and Templates

GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a new regulation affecting the European Economic Area (EEA), which includes all European Union (EU) countries and the non-EU countries Iceland, Liechtenstein and Norway. Effective May 25, 2018, the GDPR is designed to harmonize data privacy laws across Europe and imposes stringent data protection requirements on entities, including those based outside of the EU, that process “personal data” of individuals in the EEA. It does not apply to the processing of personal data of deceased persons or of legal entities.

  • GDPR defines “personal data” broadly to include:
    • “[A]ny information relating to an identified or identifiable natural person (‘data subject’).”
    • “An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.”

What does GDPR Require?

GDPR grants a number of rights to people whose personal data is collected, stored, or “processed” by people or organizations, including:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Rights regarding automated decision making

  • Personal data is any information that relates to an identified or identifiable living individual. NOTE: data that has been “de-identified” under HIPAA may still qualify as “personal data” and be protected under the GDPR.
  • There are additional requirements for use of “Sensitive Personal Data”, which is data that includes information related to: an individual’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric information; health data; or sexual life or orientation.
  • The term “processing” covers a wide range of operations performed on personal data. It includes the collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

In order to ensure those rights are upheld, users of personal data that is protected by the GDPR may be required to do the following:

  • Obtain consent of subjects for data processing. NOTE: Consent requirements under the GDPR are more specific than informed consent requirements under U.S. law.
  • Anonymize collected data to protect privacy.
  • Provide data breach notifications.
  • Safely handle the transfer of data across borders.
  • Appoint a data protection officer to oversee GDPR compliance (required for certain organizations).

Compliance with GDPR is overseen by Data Protection Authorities (DPA) in the EU member states.  DPAs have investigative and corrective powers related to the application of the data protection law.

Does GDPR apply to Wake Forest University Health Sciences (WFUHS) research?

It depends on the project. 

  • The GDPR applies to organizations located outside of the EU if they are offering goods/services (paid or for free) to EU citizens or monitoring the behavior of individuals in the EU.  If a research project will be conducted in the EU or recruitment of participants will be directed to people in the EU, then GDPR would apply for the data collected and stored in the EU.
  • There must also be a basis to legitimize the transfer of data from the EU to a US organization, and the GDPR may require that EU participants be notified that their data will be sent to a location where it will not be protected by GDPR.
  • Note that some sponsors or collaborators may include general statements in contractual agreements that would obligate WFUHS researchers to follow GDPR standards for the project even though the data will be located in the US. The CTSI Office of Sponsored Programs must be notified when a researcher receives such contractual agreements, and the Office will help in reviewing and negotiating those terms.

Notify IT Security, the Privacy Office, and the CTSI Office of Sponsored Programs as early as possible so that we can evaluate the specific needs for your study and work with any collaborators or sponsors on the most appropriate agreements.  Contact information is below.

I am considering a project or contract which requires compliance with the GDPR. Where do I start?

  • Notify IT Security, the Privacy Office, and the CTSI Office of Sponsored Programs.   They will help with establishing a compliance plan. 

What are the benefits of being GDPR compliant?

  • It is important that we handle all data appropriately and respect the rights of research participants as required by the consent form, the Institutional Review Board requirements, contractual obligations, legal requirements, and WFBMC policies.  By doing this our investigators should continue to enjoy opportunities to conduct research and collaborate with colleagues in the EEA. 

What are the risks of non-compliance?

  • It is currently unclear what the specific consequences for failure to comply with GDPR will be.  The penalties will be set by individual states and must be “effective, proportionate, and dissuasive” according to the regulation.  It is safe to assume that the results of noncompliance will be very unpleasant and may include civil and/or other penalties.  In addition, failure to comply with the GDPR could expose the institution to reputational damage and loss of future research awards.

How are GDPR requirements different from our general data security requirements?

  • Unclassified Information (see FAQs on CUI).  In addition, all Medical Center policies regarding data privacy and security should be followed.  IT Security can help develop the data storage and sharing plan for individual projects.

How do I determine if the GDPR applies to my project?

  • You will need to evaluate whether your project involves the use of personal data regarding individuals residing in the EU, the geographic location of the study data collection, storage, processing or transfer, and/or specification in the contract or award notification.
  • The CTSI Office of Sponsored Programs can help in evaluating whether the GDPR applies to your project.

What are GDPR controls?

The regulation requires implementation of appropriate technical and organizational measures which are designed to protect data from unauthorized access or disclosure; and that only the minimum quantity of personal data are processed for each authorized purpose.

How will GDPR impact the use of my data?

  • It will depend on a multitude of factors, including the nature of the data being used, the nature of the research study (for example, is this prospective or secondary research), where the data resides, whether a study subject has exercised any rights he/she has under the GDPR, and other considerations.  If you have personal data regarding individuals who reside in the EU, please contact the CTSI Office of Sponsored Programs to request an evaluation of how the GDPR may impact the use of your data.  

What are we doing at the institutional level to comply with GDPR requirements?

  • A committee has been established with representatives from IT, CTSI, and other research stakeholders to address institutional needs related to GDPR. 
  • The Legal Department and senior leaders are working with IT Security, Privacy and CTSI Office of Sponsored Programs on all agreements involving GDPR.

What resources are available to assist me/my team with GDPR related questions?

  • Consultation and assistance are available for reviewing grant proposals, contracts, and notices of award for GDPR requirements: contact CTSI Office of Sponsored Programs, Robyn Gore/Ryan Favreau @ 716-2382.
  • Consultation and assistance are also available for conducting risk assessments, and training for PIs and study teams. Contact IT Security at 336-713-ITSO (3-4876) or ITsecurity_dl@wakehealth.edu or privacy@wakehealth.edu for assistance.

Important Links