Types of Disclosure Risks
Unauthorized disclosure may occur during data collection and storage (through lost or stolen computers, USB drives, or computer hacking) or through dissemination of public and/or restricted access data. There are several types of risks related to unauthorized disclosure of data that contains PII and/or sensitive data:
- Low risk: Disclosed data may be linkable to other data and/or documentation that could serve to support re-identification of individuals, households, firms, etc.
- Medium risk: Disclosed data includes indirect identifiers that could support re-identification of individuals, households, firms, etc.
- High risk: Disclosed data includes direct identifiers that will identify individuals, households, firms, etc. In the event of a high-risk disclosure, the contractor should anticipate conducting a full risk assessment of the data disclosed.
Risk Mitigation and Management Process
In the event of an unauthorized disclosure of data, the following steps must be taken in addition to any reporting by the contractor required under its IRB protocol (see https://www.hhs.gov/ohrp/compliance-and-reporting/guidance-on-reporting-incident/index.html):
- If it is the contractor who identifies the unauthorized disclosure, their representative must notify their respective MCC PM. The MCC PM must notify the DRB of any disclosure incident immediately.
- If applicable, MCC will immediately remove the respective dataset(s) from the MCC Evaluation Catalog.
- The contractor, working with the MCC PM, will have one week starting from the notification to the DRB to complete the Disclosure Incident Form (Annex 10). Depending on the nature of the disclosure, this may include a full risk assessment of all data disclosed, as well as a revised Data Package.
- The DRB will convene to review the disclosure incident documentation. Standard procedure will be:
  - The DRB Chair will notify the Incident Response Team;
  - DRB M&E members will request an independent risk assessment by relevant MCC DCO, M&E, and MCA staff; this will require country- and sector-specific knowledge;
  - DRB M&E members will request an independent quality assurance of data package preparation, consisting of a review of the de-identification process and an assessment of remaining risk, prior to re-submission to the DRB.
- For any data disclosures, the DRB will work with appropriate stakeholders to determine whom to notify, both internally within MCC and with respect to country partners.
- The DRB will convene to review the final, complete disclosure incident documentation package, including the independent risk assessment and independent quality assurance of data package preparation. Decisions on how to proceed will be made with the Incident Response Team and recorded in the DRB Minutes.