The Privacy Certificate is a written certification of the policies
and procedures that the researcher or research organization utilizes
to protect the confidentiality of identifiable youth information
in research and statistical activities. Specific criteria apply
to the collection, storage, use, transfer, reporting, and publication
of these youth data. All research funded by Federal funds must submit
a Privacy Certificate as a condition of approval of a grant application
or contract proposal when information identifiable to a private
person will be utilized for a research or statistical project.
In order to demonstrate compliance with the regulations, the Privacy
Certificate must include a description of the project and the following
assurances from the researcher or research agency.
- Information
identifiable to a private person will be used only for research
and statistical purposes.
- Data identifiable
to a private person will not be used or revealed except as authorized
in the regulations.
- Access to
the data is limited to only employees having a need for the data
and that such employees shall be advised and agree in writing
to comply with the regulations.
- All contractors,
subcontractors, and consultants requiring access to identifiable
data will agree, through conditions in their contracts, to comply
with the regulations.
- Adequate
precautions will be taken to insure administrative and physical
security of identifiable data and to preserve the confidentiality
of personally identifiable information.
- A log will
be maintained indicating to whom identifiable data have been transmitted
and that such data have been returned or alternative arrangements
have been agreed upon for future maintenance of the data.
- Project
plans will be designed to preserve anonymity of private persons
to whom the information relates, including, when appropriate,
statistical disclosure methods.
- Project
finding and reports prepared for dissemination will not contain
information which can reasonably be expected to be identifiable
to a private person except as authorized under the regulations.
- All project
personnel will be advised about and agree in writing to comply
with all of the regulatory procedures to protect privacy and confidentiality
of personally identifiable information.
- The Privacy
Certification shall include a description of the physical or administrative
procedures to insure the security of the data which must include:
- A description
of the project, the project objectives, and the research and statistical
component of the project.
- Procedures
to notify research subjects from whom identifiable data are collected
or obtained and, when notification is to be waived, the justification
for the waiver in accordance with criteria outlined in the regulations.
- Procedures
designed to preserve confidentiality of personally identifiable
information.
- Justification
and rationale for collection of data in identifiable form, when
applicable.
- Procedures for data storage.
- Procedures
to insure the physical and administrative security of data including
the removal of identifiers from the data set and the separate
maintenance of a name-code index in a secure location.
- Procedures
for the final disposition of data upon completion of the research
project including physical destruction and removal of identifiers.
- List of
names of all employees with access to the data including the principle
investigator, the project staff, and contractors/subcontractors/consultants.
- Name and
title of individual with the authority to transfer data to a researcher
or agency.
- Written
policies on the transfer of data in identifiable and non-identifiable
format.
|
