# Data Management Plan Template

> Describes how your study will collect, store, access, retain, share, and destroy participant data. Required by most IRBs and all federally funded research.

## 1. Data Collection
- **Types of data collected:** [FILL IN: survey responses, audio recordings, biospecimens, medical record abstractions, etc.]
- **Collection method:** [FILL IN: paper forms, REDCap, Qualtrics, Zoom, in-person interview]
- **Identifiers collected:** [FILL IN: name, email, date of birth, etc. — or "none, fully anonymous"]
- **Sensitive data flag:** [FILL IN: HIPAA-protected, mental health, illegal activity, immigration status, etc.]

## 2. Storage
- **Primary storage location:** [FILL IN: institutional OneDrive, Box, REDCap server, locked filing cabinet in room #]
- **Encryption:** [FILL IN: at rest and in transit]
- **Backup procedure:** [FILL IN: automatic cloud backup, weekly local backup]
- **Separation of identifiers:** [FILL IN: identifier key stored separately from de-identified dataset]

## 3. Access Control
- **Authorized personnel:** [FILL IN: list all names and roles]
- **Access method:** [FILL IN: institutional login, two-factor authentication]
- **Audit log:** [FILL IN: describe how access is logged]
- **Revocation procedure:** [FILL IN: how access is removed when personnel leave]

## 4. Retention
- **Retention period:** [FILL IN: typically 3–7 years post-study completion; check sponsor and institutional requirements]
- **Rationale:** [FILL IN: federal, sponsor, publication, or institutional policy]
- **Custodian during retention:** [FILL IN: PI, department, institutional archive]

## 5. Sharing
- **Within research team:** [FILL IN: how data moves among team members]
- **External collaborators:** [FILL IN: data use agreement in place? de-identified only?]
- **Public sharing / repository:** [FILL IN: ICPSR, OSF, Dryad, journal supplement — or "not shared publicly"]
- **What will be shared:** [FILL IN: de-identified dataset, codebook, analysis code]
- **What will NOT be shared:** [FILL IN: audio recordings, identifiers, raw text with identifying details]

## 6. Destruction
- **Destruction trigger:** [FILL IN: end of retention period, participant withdrawal]
- **Method — electronic:** [FILL IN: secure deletion with institutional tool, overwriting per NIST SP 800-88]
- **Method — paper:** [FILL IN: cross-cut shredding]
- **Method — biospecimens:** [FILL IN: per institutional biosafety protocol]
- **Certification:** [FILL IN: who documents destruction and where the record is kept]

## 7. Breach Response
If a data breach or unauthorized access is suspected:
1. Secure the affected system immediately.
2. Notify the PI within 24 hours.
3. Notify the IRB within 10 business days (or per institutional policy).
4. Notify affected participants as required by HIPAA / state law.
5. Document the incident, response, and corrective actions.

---

(C) 2026 Angel Reyes / Subthesis — Licensed CC BY-NC 4.0. Not affiliated with OHRP or any IRB.
