Privacy Certificate Guidance

The NIJ Privacy Certificate guidelines and format provide instructions and a useful tool for documenting that applicants understand their obligations and how they will fulfill their obligations under the confidentiality regulations found in 28 CFR Part 22. Use of the supplied format will assist you in addressing all the points addressed in 28 CFR Part 22. Most problems arise because the applicant assumes that the information addressing the concern is obvious, when in fact an independent reader would need to make a series of assumptions about the details of the study and procedures. Clear and explicit written descriptions in most instances resolve the problem or concern.

Common Problems

1. The grantee fails to provide assurances that the grantee understands the broad requirements of 28 CFR Part 22 as described in section 3 under the Privacy Certificate guidelines. The privacy certificate format provides a description of the confidentiality requirements and this information must be included. NIJ requires an affirmation that you are aware of and understand these requirements. Without this affirmation NIJ will assume the grantee is unaware of and does not understand these requirements.
2. In the Brief Description of Project please be explicit in describing the private information or data being collected or used (e.g., secondary data sources). Also, if the study is not collecting or using personally identifiable information, please state that explicitly using the following statement: "No data identifiable to a private person will be collected."
3. Use of the term N/A or Not Applicable. Please include a brief description of why the particular item is not applicable. For example, in responding to the item on describing restrictions on the transfer of identifiable data, consider a response as follows: "Not applicable since this study is not collecting any individually identifiable data." This is particularly valuable if this point has not been made clear in the brief project description (see 2 above).
4. Be certain to identify individuals and project staff who will have access to the data. If there are personnel yet to be hired (e.g., graduate students, contract staff) please identify such personnel as "two graduate students to be determined" or "four contract staff to be hired," etc. Also, remember that all future hires must be informed of their obligations under these regulations and agree to comply with the requirements.
5. Please be sure to include the signature of the principal investigator, co-investigator(s), and authorized institutional representative. Many times the signature of the authorized institutional representative is not included and this will lead to delays while this signature is obtained.
6. The privacy certificate is a stand-alone document. Each section should be completed. For example, the project description should be included in the privacy certificate rather than as an attachment. Failure to provide a stand-alone, fully completed privacy certificate will lead to delays while the grant applicant is required to incorporate any erroneously attached material into the body of the certificate.
7. The items to be attached to the privacy certificate are questionnaires, interview and/or survey instruments, and the informed consent form and informed consent procedures, if applicable.
8. If the data collection methodology and/or information provided in the privacy certificate changes as a result of Institutional Review Board (IRB) requirements, a revised privacy certificate must be provided prior to the commencement of research or statistical activities.