Data Confidentiality Plan

A Data Confidentiality Plan (DCP) is a document that outlines how sensitive or proprietary project information, data, and materials will be protected against unauthorized access, use, or disclosure. A DCP helps Principal Investigators (PIs) and project personnel comply with contractual and regulatory obligations that impose security requirements beyond those covered by UT Dallas Information Security Policy BP 3096. These obligations may arise under the NIH Genomic Data Sharing Policy, the EU General Data Protection Regulation, the Department of Energy Protected Data requirements, or U.S. intellectual property law.
While DCPs and Technology Control Plans (TCPs) share structural similarities, they serve distinct purposes: a TCP is required only when a project involves export-controlled information or Controlled Unclassified Information (CUI). A DCP should also not be confused with a Data Management and Sharing Plan (DMSP). Whereas a DCP focuses on safeguarding confidential or proprietary information, a DMSP describes how research data will be preserved and shared publicly to support transparency and reproducibility.
In practice, the DCP documents the administrative, technical, and physical controls the research team will use to safeguard confidential information and ensure continued compliance with all applicable requirements.

When is a DCP required?

A DCP is required when a research project involves sensitive, proprietary, or otherwise restricted information that must be protected beyond the baseline safeguards established in UT Dallas Information Security Policy BP 3096. DCPs are most often needed when a project includes:

  • Sponsored research with contractual confidentiality or data security requirements.
  • Confidential, restricted, or regulated data, including but not limited to:
    • NIH Genomic Data Sharing (GDS) data
    • Department of Energy Protected Data
    • EU General Data Protection Regulation (GDPR) covered data
  • Proprietary or trade-secret information provided by a sponsor or collaborator.
  • Situations requiring controlled or limited access to project data.
  • Situations where access to project data and information is limited to approved personnel only.

Note: If a project involves export-controlled data and information or Controlled Unclassified Information, then a TCP is required. ORSE will advise PIs when a TCP is necessary.

Why is a DCP important?

A DCP is essential for ensuring that sensitive or proprietary information is handled in accordance with contractual, regulatory, and institutional requirements. By establishing a DCP, you are:

  • Documenting the safeguards used to protect confidential or proprietary information.
  • Ensuring that all project personnel understand their responsibilities and required data-handling practices.
  • Limiting access to sensitive data to only those individuals who are authorized and listed in the DCP.
  • Reducing the risk of unauthorized access, disclosure, or misuse of sensitive information.
  • Protecting yourself, your research team, and the university from legal, financial, and reputational consequences associated with noncompliance.

Is there a DCP template?

Yes. Only the official DCP templates provided by ORSE may be used. Two templates are available, depending on the situation:

  • Data Confidentiality Plan: The standard template used when a research project involves sensitive, proprietary, or otherwise restricted information requiring protection.
  • Data Confidentiality Plan for Human Data: Used when a project specifically involves human data that must be safeguarded in accordance with applicable privacy, ethical, or regulatory requirements.

Who is responsible for the DCP?

The Principal Investigator is responsible for completing the DCP and maintaining compliance, including implementing the required security measures with support from UT Dallas IT staff, such as the PI’s departmental IT personnel or the Office of Information Technology (OIT). See below for a breakdown of Principal Investigator and Project Personnel responsibilities.

Principal Investigator DCP Responsibilities

  • Communicate with RSE to help identify all information, technology, software, and items used or developed in the project.
  • Write a DCP for the project and communicate the plan to all team members.
  • Complete training assigned by the Research Security Officer.
  • Control access to the project by following your DCP when performing and reporting the results of the project.
  • Request approval from the Research Security Officer before changing the personnel assigned to the project.
  • Report any significant changes in the project scope or agreement to the Research Security Officer.
  • Immediately report unauthorized access to the project data or results to the Research Security Officer.

Project Personnel DCP Responsibilities

  • Understand and comply with the DCP.
  • Complete training assigned by the Research Security Officer.
  • Support the PI in controlling access to the project by following your DCP when performing and reporting the results of the project.
  • Immediately report unauthorized access to the project data or results to the PI and the Research Security Officer.

How does the DCP process work?

Establishing and maintaining a Data Confidentiality Plan (DCP) is a collaborative effort involving the Principal Investigator (PI), project personnel, and ORSE. Additional support may be required from the Information Security Office (ISO), the PI’s departmental IT staff, or OIT. The DCP must be finalized and approved by ORSE before any project activities, collaborations, or exchanges begin. Because the security requirements and risk levels differ across projects or situations, each DCP type follows a distinct process tailored to its scope.

DCP Process Overview

  1. ORSE Identifies DCP Requirement
    • The PI receives an email from ORSE notifying the PI of the data security restrictions on the project, collaboration, or exchange, and requesting that the PI accept the restrictions.
    • The PI either accepts the restrictions, which allows the project to begin, or refuses them, in which case the project must be re-scoped or cancelled.
  2. ORSE Requests DCP
    • The PI receives an email from ORSE requesting completion of a DCP for the project. The supporting departmental IT and ISO are copied. The Office of Human Subjects Protections (OHSP) is informed if human data is involved.
    • The email contains a Box link to a prepared DCP template with key project details already entered (e.g., project information, sponsor details, and the reason the DCP is required).
  3. PI Completes Draft of DCP
    • The PI must use the DCP provided to them via Box.
    • The PI completes the following sections of the DCP:
      • Project Personnel
      • Asset Inventory List
      • Physical Security
      • Information Security
    • The PI may complete this on their own or request a collaborative working session with ORSE.
    • The PI may involve department IT for assistance with technical configurations.
  4. DCP Review
    • The PI notifies ORSE that the DCP is ready for review.
    • ORSE and ISO review the document for accuracy, completeness, and adequacy of safeguards. OHSP reviews the document for congruence with the related human subjects protocol.
  5. DCP Revisions
    • If ORSE or ISO provides feedback, the PI addresses the comments and updates the DCP.
    • This review-revision cycle continues until the DCP sufficiently addresses all compliance requirements.
  6. Final Approval
    • ORSE and ISO conduct a final review.
    • ORSE approves the completed DCP and initiates the signature process.
  7. Training
    • ORSE schedules a training session with all authorized personnel listed on the DCP.
    • This training reviews the project-specific requirements and ensures all team members understand their responsibilities.
  8. Ongoing DCP Updates
    • The PI must update the DCP whenever there are changes to:
      • Project personnel
      • Physical security measures
      • Information security measures
      • Assets used in the project
      • Scope of work
    • Updates are logged in the DCP’s “Revision and Change Log” section.
    • Note: DCPs related to human data do not require an update when there is only a change to the project personnel or the project assets.
  9. DCP Reviews
    • ORSE conducts a formal review on an annual basis for DCPs with projects that are actively in progress.
      • This review includes a meeting with the PI and ISO to confirm that the DCP is current and effective. OHSP will be included in annual reviews for DCPs related to human data.
    • ORSE conducts an annual review of projects that have ended and whose contracts have been terminated but still carry confidentiality obligations that extend beyond the contract period.
      • This review is an email to the PI to confirm the confidentiality status. Further review may be required if any changes are identified.
  10. DCP Closeout
    • A DCP remains active even after a project ends if there is still a confidentiality obligation to safeguard controlled information, equipment, or data.
    • ORSE will formally close a DCP once all safeguarding requirements have expired, such as when the confidentiality period ends, export control restrictions no longer apply, or the sponsor releases the restrictions.