The Juvenile Justice Professional's Guide to
Human Subjects Protection and the IRB Process
Restricted Data Access Measures
Microdata and tabular data that have been restricted through statistical disclosure limitation techniques may be unsuitable for detailed statistical analyses. One way that agencies can satisfy researchers’ needs for data access is to release data files under highly controlled conditions or through restricted data access measures. Before releasing data in an identifiable format, agencies must establish written policies and procedures that address the regulatory requirements of 28 CFR 22. Researchers who intend to obtain access to the data must agree to uphold these requirements and justify their methods for doing so.

Typically, the policies and procedures regarding restricted data access provide information about:
  • The Federal, state, and local laws that govern access.
  • Criteria for accepting or rejecting data file requests.
  • Procedures for researchers requesting personally identifiable information.
  • Data security requirements.

Lending agencies must proceed with caution before releasing data files. Most require researchers to demonstrate the need for personally identifiable data and describe the goals of the research effort. Researchers must also submit a data security plan that, if accepted by the lending institution, becomes a legally binding agreement between the lending agency and the researcher. Data security plans vary in the manner in which files are protected and the procedures that best meet confidentiality protection needs. The examples of restricted data access measures that follow are typical procedures of successful data security plans.

Computer Security
  • Maintain password protection on all data files.
  • Implement log-on procedures with security access shut-down function.
  • Assign approved individuals to security access levels.
  • Prohibit external access to any modems connected to the system when processing confidential data.
  • Implement safeguards for data files in all networked environments.
  • Develop security measures for all lender-approved backup copies of the data; restrict the number of copies of data files.
  • Limit and monitor computers on which data are stored and analyzed.
  • Display a warning screen on the computer before access to confidential data files is permitted, and prompt users to select whether to proceed.

Data Storage
  • Store data files in strongly encrypted format; the encryption and decryption algorithm must be secured.
  • Utilize removable storage devices (e.g., diskettes, Zip drive disks, CDs).
  • Deposit storage devices in a locked environment.
  • Store printouts from data analysis in a locked environment; keep data printouts to a minimum.
  • Prohibit data storage on networks (e.g., LANs); utilize a dedicated computer in a secured environment.

Data Transporting
  • Prohibit transmittal of data, analysis, or data output through e-mail, e-mail attachments, or FTP over the Internet, an intranet system or a LAN system.
  • Establish policies and procedures that authorize individuals to send and receive data files.
  • Utilize electronic authentication programs; electronically log the transfer of personally identifiable data in a security audit trail to monitor data releases by and to authorized individuals.

Researchers utilizing secondary data sets containing personally identifiable information do not have ownership of the data. The recipients of data files are essentially borrowing the information. Lending agencies have legal authority to impose on borrowers which data may be used and exchanged, how they may be used and exchanged, and the strategies for protecting the confidentiality of this information.

Requirements for Releasing and Using Personally Identifiable Information

Agencies that release youth data files and researchers who utilize them are subject to all of the regulatory requirements of 28 CFR 22 that govern the use and release of research and statistical information. Both groups must make every reasonable effort to ensure the security and confidentiality of personally identifiable youth information. Agencies that release data files must have in place a set of policies, guidelines, and procedures that define the recipients’ responsibilities for data security both during and after the research activities. Each request should be handled on a case-by-case basis.

Researchers must consent to utilizing these data for research and statistical purposes only. Appropriate use of these data by the research community is to analyze trends, groups, or categories of youth cases. Researchers are not permitted to utilize data files for investigations of specific youth.

Comprehensive guidelines and implementation procedures that protect the confidentiality of identifiable youth information are explained in 28 CFR Part 22 and are available on line at The major components mandated by the regulations are the submission of a Privacy Certificate and the implementation of an Information Transfer Agreement.
