Fill - Free fillable PRIVACY CERTIFICATE AND CONFIDENTIALITY REQUIREMENTS OF NIJ FUNDING (U.S. Department of Justice, Office of Justice Prograns) PDF form

U.S. Department of Justice

Office of Justice Programs

National Institute of Justice

Washington, D.C. 20531

PRIVACY CERTIFICATE AND CONFIDENTIALITY REQUIREMENTS OF NIJ FUNDING

Dear Applicant:

As you know, much of the research conducted by the National Institute of Justice (NIJ) involves

collecting data on individuals through direct observation, interview or survey, case records, crime

reports, and other administrative records. These activities raise a number of ethical and legal

concerns about harm or embarrassment to individuals that must be addressed before the research

may be conducted. NIJ and recipients of NIJ funding are subject to the statutory and regulatory

confidentiality requirements of 34 USC §10231a and 28 CFR Part 22. Both 34 USC §10231a

and 28 CFR Part 22 provide that research and statistical information identifiable to a private

person is immune from legal process and may only used or revealed for research purposes.

The regulations at 28 CFR Part 22 require all applicants for NIJ support to submit a Privacy

Certificate as a condition of approval of a grant application or contract proposal that contains a

research or statistical component under which personally identifiable information will be

collected. The Privacy Certificate is the applicant’s assurance that he/she understands his/her

responsibilities to protect the confidentiality of research and statistical information and has

developed specific procedures to ensure that this information is only used or revealed in

accordance with the requirements of 34 USC §10231a and 28 CFR Part 22.

NIJ, as a matter of policy, requires that Privacy Certificates be submitted as part of all

applications regardless of whether the project involves the collection of identified data. In cases

where no personally identifiable information will be collected, the Privacy Certificate should

contain a statement to this effect.

In order to assist you in preparing your Privacy Certificate, we have enclosed a sample format.

You may use this or any other format that includes all the points addressed by 28 CFR Part 22.

Privacy Certificate Guidelines

The regulations at 28 CFR §22.23 require that a Privacy Certificate be submitted to NIJ as part of

any application for a project in which information identifiable to a private person will be collected

for research or statistical purposes. However, NIJ, as a matter of policy, requires that Privacy

Certificates be submitted as part of ALL grant applications regardless of whether the project

involves the collection of identified data. In cases where no personally identifiable information

will be collected, the Privacy Certificate should contain a statement to this effect.

The following summarizes the requirements of 28 CFR §22.23 and should be used as a guide to

completing the Privacy Certificate.

1. The Privacy Certificate must fully describe the following:

■ Procedures to ensure data confidentiality;

■ Procedures to ensure the physical and administrative security of data;

■ Procedures for subject notification or justification for waiver; and

■ Procedures for final disposition of data.

2. The Privacy Certificate must also include the name and title of:

■ the person with primary responsibility for ensuring compliance with the regulations;

■ the person authorized to approve transfers of data; and

■ the person authorized to determine final disposition procedures for the data

collected and developed bythe project.

3. The Privacy Certificate must contain assurances by the applicant that:

A) Data identified to a specific individual will not be used or revealed unless it is

research or statistical information that is being used for research and statistical purposes.

B) Identified data will be used or revealed only on a need-to-know basis to:

i. Officers, employees and subcontractors of the recipient of assistance;

ii. Persons and organizations receiving transfers of information for research and statistical

purposes only if an information transfer agreement is entered into in which the recipient

is bound to use the information only for research and statisticalpurposes and to take

adequate administrative and physical precautions to ensure the confidentiality of the

information.

C) Employees with access to data on a need-to-know basis will be advised in writing of

the confidentiality requirements and must agree in writing to abide by these requirements.

D) Subcontractors requiring access to identified data will only do so according to an

information transfer agreement which states that the confidentiality of the data must be

maintained and that the information may only be used for research or statistical purposes;

E) Private persons from whom identified data are obtained or collected will be advised

either orally or in writing that the data will only be used for research and statistical

purposes and that compliance with requests for information is not mandatory. That is,

participation in the research is voluntary and may be withdrawn at any time. If the

notification requirement is to be waived, an explanation must be contained within or

attached to the Privacy Certificate;

F) Adequate precautions will be taken to ensure the administrative and physical security of

the identified data.

G) A log indicating that identified data have been transferred to persons other than those in

NIJ or other OJP bureaus, created under the Omnibus Crime Control Act or its amendments,

or to grantee, contractor, or subcontractor staff will be maintained and will indicate whether

the data has been returned or if there is an alternative agreement for the future maintenance of

such data.

H) Project plans will be designed to preserve the anonymity of persons to whom the informa-

tion relates, including where appropriate, name-stripping, coding of data, or other similar

procedures.

I) Project findings and reports prepared for dissemination will not contain information which

can reasonably be expected to be identifiable to a private person.

J) Upon completion of the project, the security of research or statistical information will be

protected by either:

i. the complete physical destruction of all copies of the materials or the identified portions

of the materials after a three year required recipient retention period or as soon as

authorized by law; or

ii. the removal of identifiers from the data and separate maintenance of a name-code

index in a secure location.

If you choose to keep a name-code index, you must maintain procedures to secure such an

index.

Privacy Certificate

Grantee1, _____________________________________________, certifies that data identifiable

to a private person2 will not be used or revealed, except as authorized in 28 CFR Part 22,

Sections 22.21 & 22.22.

Brief Description of Project (required by 28 CFR §22.23(b):

Grantee certifies that any private person from whom identifiable information is collected or

obtained shall be notified, in accordance with 28 CFR §22.27, that such data will only be used or

revealed for research or statistical purposes and that compliance with the request for information

is not mandatory and participation in the project maybe terminated at any time. In addition,

grantee certifies that where findings in a project cannot, by virtue of sample size or uniqueness

of subject, be expected to totally conceal the identity of an individual, such individual shall be so

advised.

Procedures to notify subjects that such data will only be used or revealed for research or

statistical purposes and that compliance with the request for information is not mandatory

and participation in the project maybe terminated at any time as required by 28 CFR

§22.23(b)(4):

If notification of subjects is to be waived, pursuant to 28 CFR §22.27(c), please provide a

justification:

Delete this text and enter your response here. If you have more text than will fit in this field,

please enter it on the blank pages at the end of this form or attach a separate sheet.

NOTE: If no data identifiable to a private person will be collected, this form is considered complete

following insertion of the project description and the phrase "No data identifiable to a private person will be

collected here." All other blanks should have inserted “Not applicable since this study is not collecting

identifiable data”. The form must then be signed and dated.

Delete this text and enter your response here. If you have more text than will fit in this

field, please enter it on the blank pages at the end of this form or attach a separate sheet.

NOTE: Informed consent procedures and forms as approved by the IRB should be

attached.

Grantee certifies that project plans will be designed to preserve the confidentiality of private

persons to whom information relates, including where appropriate, name-stripping, coding of

data, or other similar procedures.

Procedures developed to preserve the confidentiality of personally identifiable information,

as required by 28 CFR §22.23(b)(7):

Grantee certifies that, if applicable, a log will be maintained indicating that (1) identifiable data

have been transferred to persons other than employees of NIJ, BJA, BJS, OJJDP, OVC, OJP, or

grantee/contractor/subcontractor staff; and (2) such data have been returned or that alternative

arrangements have been agreed upon for future maintenance of such data, in accordance with 28

CFR §22.23(b)(6).

Justification for the collection and/or maintenance of any data in identifiable form, if

applicable:

Procedures for data storage, as required by 28 CFR §22.23(b)(5):