Privacy Certificate Guidance
About the Privacy Certificate
The NIJ Privacy Certificate guidelines and format provide instructions and a useful tool for documenting that applicants understand
their obligations and how they will fulfill their obligations under the confidentiality regulations found in 28 CFR Part 22.
Use of the supplied format will assist you in covering all the points addressed in 28 CFR Part 22.
Most problems arise because the applicant assumes that the information addressing the concern is obvious, when in fact an
independent reader would need to make a series of assumptions about the details of the study and procedures. Clear and explicit
written descriptions in most instances resolve the problem or concern. See below for:
Privacy Certificate Guidelines
The following summarizes the requirements of 28 CFR §22.23 and should be used as a guide to completing the Privacy Certificate.
The Privacy Certificate must fully describe the following:
- Procedures to ensure data confidentiality.
- Procedures to ensure the physical and administrative security of data.
- Procedures for subject notification or justification for waiver.
- Procedures for final disposition of data.
The Privacy Certificate must also include the name and title of the person:
- With primary responsibility for ensuring compliance with the regulations.
- Authorized to approve transfers of data.
- Authorized to determine final disposition procedures for the data collected and developed by the project.
The Privacy Certificate must contain assurances by the applicant that:
- Data identified to a specific individual will not be used or revealed unless it is research or statistical information that
is being used for research and statistical purposes.
- Identified data will be used or revealed only on a need-to-know basis to:
  - Officers, employees, and subcontractors of the recipient of assistance;
  - Persons and organizations receiving transfers of information for research and statistical purposes only if an information transfer agreement is entered into in which the recipient is bound to use the information only for research and statistical purposes and to take adequate administrative and physical precautions to ensure the confidentiality of the information.
- Employees with access to data on a need-to-know basis will be advised in writing of the confidentiality requirements and must
agree in writing to abide by these requirements.
- Subcontractors requiring access to identifiable data will only do so according to an information transfer agreement which
states that the confidentiality of the data must be maintained and that the information may only be used for research or statistical
- Private persons from whom identifiable data are obtained or collected will be advised either orally or in writing that the
data will only be used for research and statistical purposes and that compliance with requests for information is not mandatory.
That is, participation in the research is voluntary and may be withdrawn at any time. If the notification requirement is to be waived, an explanation must be contained within the Privacy Certificate.
- Adequate precautions will be taken to ensure the administrative and physical security of the identifiable data.
- A log indicating that identifiable data have been transferred to persons other than those in NIJ or other OJP bureaus, created
under the Omnibus Crime Control Act or its amendments, or to grantee, contractor, or subcontractor staff will be maintained
and will indicate whether the data has been returned or if there is an alternative agreement for the future maintenance of
- Project plans will be designed to preserve the anonymity of persons to whom the information relates, including where appropriate,
name-stripping, coding of data, or other similar procedures.
- Project findings and reports prepared for dissemination will not contain information which can reasonably be expected to be
identifiable to a private person.
- Upon completion of the project, the security of research or statistical information will be protected by either:
  - the complete physical destruction of all copies of the materials or the identified portions of the materials after a three year required recipient retention period or as soon as authorized by law; or
  - the removal of identifiers from the data and separate maintenance of a name-code index in a secure location.
If you choose to keep a name-code index, you must maintain procedures to secure such an index.
- The grantee fails to provide assurances that the grantee understands the broad requirements of 28 CFR Part 22 as described
in section 3 under the Privacy Certificate guidelines. The privacy certificate format provides a description of the confidentiality
requirements and this information must be included. NIJ requires an affirmation that you are aware of and understand these
requirements. Without this affirmation NIJ will assume the grantee is unaware of and does not understand these requirements.
- In the Brief Description of Project please be explicit in describing the project and the private information or data being collected or used (e.g., secondary
data sources). Also, if the study is not collecting or using personally identifiable information, please state that explicitly
using the following statement: "No data identifiable to a private person will be collected."
- Use of the term N/A or Not Applicable. Please include a brief description of why the particular item is not applicable. For example, in responding to the item on describing restrictions on the transfer
of identifiable data, consider a response as follows: "Not applicable since this study is not collecting any individually
identifiable data." This is particularly valuable if this point has not been made clear in the brief project description (see
- Be certain to identify individuals and project staff who will have access to the data. If there are personnel yet to be hired
(e.g., graduate students, contract staff) please identify such personnel as "two graduate students to be determined" or "four
contract staff to be hired," etc. Also, remember that all future hires must be informed of their obligations under these regulations
and agree to comply with the requirements.
- Please be sure to include the signature of the principal investigator, co-investigator(s), and authorized institutional representative.
Many times the signature of the authorized institutional representative is not included and this will lead to delays while
this signature is obtained.
- The privacy certificate is a stand-alone document. Each section should be completed. For example, the project description
should be included in the privacy certificate rather than as an attachment. Failure to provide a stand-alone, fully completed
privacy certificate will lead to delays while the grant applicant is required to incorporate any erroneously attached material
into the body of the certificate.
- The items to be attached to the privacy certificate are questionnaires, interview and/or survey instruments, and the informed
consent form and informed consent procedures, if applicable.
- If the data collection methodology and/or information provided in the privacy certificate changes as a result of Institutional
Review Board (IRB) requirements, a revised privacy certificate must be provided prior to the commencement of research or statistical
Date Created: November 20, 2007