1. Purpose
The purpose of this policy is to publicly establish procedures, timelines, and contacts for the response of the Qualitative Data Repository (QDR) to data breaches. This policy is publicly available on QDR’s website and may be updated as necessary.
2. Scope
This policy applies to:
-
Personal data collected by QDR for registered users (“user data”). Such data currently comprises: Full name, affiliation, last login, logs of downloaded data and documentation files (stored permanently), as well as logs about site usage (stored for approximately 2 weeks).
-
Research data deposited in, and stored by QDR in its catalog (“research data”).
3. Definitions
Data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, user data or research data stored by QDR.
Depositors: Researchers who deposit data with QDR. For the purposes of this policy, the depositor of a given data project is the responsible researcher who signed the requisite deposit agreement for the publication of a data project or the owner of the account that deposited a data project for which no agreement has been signed yet.
Restricted-use research data: Any published research data stored by QDR that require authentication (and potentially meeting additional requirements) for access, as well as any unpublished research data.
Human subjects research data: Data about a living individual obtained by a researcher (1) through intervention or interaction with the individual, or (2) containing identifiable private information. (Following 45 CFR 46.102(f)(1),(2))
4. Notifications
4.1. In the case of a breach of user data, QDR will, without undue delay and if possible within 72 hours of discovery, notify all users of the breach. The notification will:
-
describe the nature of the breach of user data including where possible, the approximate number of data subjects and records concerned;
-
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
-
describe the likely consequences of the data breach;
-
describe the measures taken or proposed to be taken by QDR to address the breach of user data, including, where appropriate, measures to mitigate its possible adverse effects.
4.2. In the case of breach of restricted-use research data, QDR will, without undue delay and if possible within 72 hours of discovery, notify
-
the original depositors of the data
-
where the breached data include human subjects data, including de-identified data, the responsible office for research integrity at the original depositors’ institution.
-
Note: QDR does not store contact information for any human subjects whose confidential information may be included in deposited restricted data. Accordingly, after they have been informed of the breach by QDR, it is the responsibility of the depositors and their institution to inform such individuals of a breach of such information.
The incidence response team (see 5.2) may decide to notify additional individuals or institutions as deemed necessary and appropriate.
5. Process
5.1. Mitigation: As soon as a data breach is identified, the process of removing all access to that resource will begin.
5.2. Incident Response Team: QDR’s Technical Director will chair an incident response team to handle the breach or exposure. This team will include
-
QDR’s Technical Director
-
QDR’s Director and Associate Director
-
QDR’s DevOps Engineer
-
QDR’s Lead Developer
-
(Where warranted) A representative from Syracuse University’s Information Technology Services
5.3. Communication: The incident response team will decide how to communicate the breach to: a) internal employees and stakeholders, b) the public, and c) affected users and/or depositors and their institutions as described in sections 4.1 and 4.2 within 72 hours of discovering the breach, in compliance with the notification section of this policy
-
Incident After-reporting: As soon as possible following the data breach, but no longer than 28 days after its detection, the incident response team will publish an after-incident report that provides a detailed description of the breach, its causes, and any changes and improvements QDR has made or will make to its security policies as a consequence.
-
Incident logging: Every data breach incident, regardless of scope, will be logged permanently. The log will be made available to QDR’s Technical Advisory Board and external auditors or authorities upon request.
6. Laws and Regulations
This policy is informed by and is intended to address the relevant requirements of several laws and regulations, including, but not limited to
-
Art. 34 (“Communication of a personal data breach to the data subject”) of European Union Regulation 2016/679 (General Data Protection Regulation, GDPR)
-
California Civil Code §§ 1798.81.5, 1798.82 (Obligations arising from particular transactions - Customer records)
-
New York General Business Law § 899-AA (Notification; person without valid authorization has acquired private information)