Certificates of Confidentiality
Section 2012 of the 21st Century Cures Act, enacted on December 13, 2016, enacted new provisions to protect the privacy of individuals who are the subjects of research, if the research is funded wholly or in part by the Federal Government.
The guidance on this page applies to ongoing or new research funded in whole or in part by the NIH, FDA, CDC, HRSA, or BARDA.
What is a Certificate of Confidentiality (CoC)?
A CoC protects the privacy of research participants by prohibiting disclosure of names or any other identifiable, sensitive information in response to legal demands for access to the data, such as a subpoena.
What is identifiable, sensitive information?
NIH defines "identifiable, sensitive information" as the following:
- Information or biospecimens gathered or used for research purposes, through which an individual is identified; or
- For which there is at least a very small risk that some combination of the biospecimen/information, a request for the biospecimen/information, and other available data sources could be used to deduce the identity of an individual.
While the definition includes the qualifier "sensitive," NIH has clarified that it intends for CoC to protect data, regardless of its nature (i.e., even for data considered to be benign).
What are my responsibilities for protecting identifiable, sensitive information?
ONLY disclose identifiable, sensitive information in the following circumstances:
- If required by other Federal, State, or local laws, such as for reporting of communicable diseases;
- if the subject consents; or
- as approved by the IRB in a research protocol.
NOTE:
-
- If you receive a legal or governmental request to access identifiable, sensitive information connected to your research, do not release that information without contacting the NDSU IRB office.
- If you want to -- or are required to - share de-identified research data with other investigators, a CoC will not prevent you from doing so, as long as you ensure that the data you share do not contain any potentially identifying information.
Ensure that anyone who is conducting research as a subrecipient or who receives a copy of identifiable, sensitive information understands that they are subject to the disclosure restrictions, even if they are not directly funded by NIH.
Consent documents must describe the privacy protections offered by the Certificate of Confidentiality. Example language can be found in NDSU consent templates for non-exempt research.
References: