Section



[Code of Federal Regulations]
[Title 28, Volume 1]
[Revised as of July 1, 2004]
From the U.S. Government Printing Office via GPO Access
[CITE: 28CFR22.23]

[Page 425]
 
                    TITLE 28--JUDICIAL ADMINISTRATION
 
                    CHAPTER I--DEPARTMENT OF JUSTICE
 
PART 22_CONFIDENTIALITY OF IDENTIFIABLE RESEARCH AND STATISTICAL 
INFORMATION--Table of Contents
 
Sec.  22.23  Privacy certification.

    (a) Each applicant for BJA, OJJDP, BJS, NIJ, or OJP support either 
directly or under a State plan shall submit a Privacy Certificate as a 
condition of approval of a grant application or contract proposal which 
has a research or statistical project component under which information 
identifiable to a private person will be collected.
    (b) The Privacy Certificate shall briefly describe the project and 
shall contain assurance by the applicant that:
    (1) Data identifiable to a private person will not be used or 
revealed, except as authorized under Sec. Sec.  22.21, 22.22.
    (2) Access to data will be limited to those employees having a need 
therefore and that such persons shall be advised of and agree in writing 
to comply with these regulations.
    (3) All subcontracts which require access to identifiable data will 
contain conditions meeting the requirements of Sec.  22.24.
    (4) To the extent required by Sec.  22.27 any private persons from 
whom identifiable data are collected or obtained, either orally or by 
means of written questionnaire, shall be advised that the data will only 
be used or revealed for research or statistical purposes and that 
compliance with requests for information is not mandatory. Where the 
notification requirement is to be waived, pursuant to Sec.  22.27(c), a 
justification must be included in the Privacy Certificate.
    (5) Adequate precautions will be taken to insure administrative and 
physical security of identifiable data.
    (6) A log will be maintained indicating that identifiable data have 
been transmitted to persons other than BJA, OJJDP, BJS, NIJ, or OJP or 
grantee/contractor staff or subcontractors, that such data have been 
returned, or that alternative arrangements have been agreed upon for 
future maintenance of such data.
    (7) Project plans will be designed to preserve anonymity of private 
persons to whom information relates, including, where appropriate, name-
stripping, coding of data, or other similar procedures.
    (8) Project findings and reports prepared for dissemination will not 
contain information which can reasonably be expected to be identifiable 
to a private person except as authorized under Sec.  22.22.
    (c) The applicant shall attach to the Privacy Certification a 
description of physical and/or administrative procedures to be followed 
to insure the security of the data to meet the requirements of Sec.  
22.25.

[41 FR 5486, Dec. 15, 1976, as amended at 51 FR 6401, Feb. 24, 1986]