The ICPSR Restricted Contract System (RCS) portal is officially open for business. We launched the new portal late in August, making the National Survey of Parents and Youth available through the system.
The portal is the researcher-facing piece of the system, and we use it to guide the researcher through the contract process of applying for access to restricted-use data. The system is highly configurable which allows us to collect information through traditional web forms and document uploads (e.g., proof of IRB approval, where required).
One key innovation with the new system is an attempt to make the IT security portion of the process as painless as possible. Historically ICPSR and other data providers have required researchers to submit detailed IT security plans for protecting the data, a process which often required a great deal of labor, but which did not actually make any actual measurements about security. In the RCS we've replaces the IT security plan with three new components.
One, we pull questions from our "Question Bank" that are tailored to the specific IT environment of the researcher (e.g., Windows machine connected to the Internet) and to a specific person: the researcher or the researcher's IT person. For example, one question might ask the researcher to confirm that s/he will lock the office door when the data are unattended. And another question might ask the IT person to confirm that the data will be kept in a place where they will not be backed up to tape for disaster recovery purposes.
Two, we ask the researcher to install and run an audit utility which inspects the computer for common security problems. The software does NOT require administrative access for installation or to run, and we limit its checking to a small number of essential areas, such as checking to see if a screen saver with password has been enabled.
Three, we also partner with the University of Michigan to run a remote vulnerability scan of the computer(s), looking for common problems which can be exploited remotely by attackers.
If the questions are answered appropriately, and if the audit and scan do not reveal any problems, then the researcher has completed the IT security portion of the process, and no written IT security plan is required. (We do, however, give researchers the option of writing an IT security plan if they would rather not submit to the scan and audit.)
The goal of the new portal is to lower the barrier for accessing restricted-use data, but still collecting enough information to ensure that the data will be safe.
The complete RCS suite of software also includes internal utilities to automate the contract administration process, such as generating reminder emails about contract renewal.