FDA | Biologics Effectiveness and Safety (BEST)

Privacy & Security

Data privacy and security of individuals are of paramount concern to the FDA and to all BEST Collaborating Institutions. BEST’s privacy and data security policies are described in greater detail in the BEST statement of Principles and Policies (coming soon).


The BEST Initiative operations and activities adhere to all applicable privacy-related laws and regulations governing public health practice. As a public health and patient-centered agency, FDA ranks the security of all data to which it has access, particularly data related to individuals and patients, as a high priority. BEST operates as a distributed network in which data providers retain control over their data, which remain behind data partners’ local firewalls; study results are returned to FDA via a web portal in an aggregated format with all identifiers removed. When individual-level information is required, all individual identifiers such as names, addresses, phone numbers, and other identifying data elements are removed before information is shared with the FDA. BEST participants and activities adhere to federal and state privacy-related laws and regulations.


The BEST Initiative is subject to the security requirements of the Federal Information Security Management Act of 2002 (FISMA) and has implemented policies and procedures to ensure the utmost data security, including an annual assessment process to ensure compliance. FISMA compliance requires a comprehensive set of security policies and procedures, including, among other requirements, (a) physical access controls and 24×7 monitoring of data center access points; (b) clear separation of operational responsibilities; (c) active intrusion detection, secure firewalls, and regular scanning for points of potential vulnerability; (d) encryption of all data held within the data center as well as encryption of data when transmitted to a browser or other computer system; (e) stringent password standards and forced password expiration dates; and (f) logging of all network and database activity, with regular reviews of the logs. FDA and the BEST Initiative are continually working to identify emerging issues and improve the rigorous security controls already in place.