An official website of the United States government, Department of Justice.

Human Subjects Protection, Confidentiality, and Data Management Plan Requirements

Description

Overview

All Bureau of Justice Statistics (BJS) award recipients are required to comply with applicable federal requirements concerning the protection of human subjects and the confidentiality of information identifiable to a private person, consistent with the regulations at 28 CFR Part 46 and 28 CFR Part 22. Applicants are strongly encouraged to carefully review the information in this section before applying for funding.

Applicants for projects that involve the collection, use, or maintenance of identifiable private information about a living individual (i.e., information that is not publicly available and for which a living person has a reasonable expectation that it will not be made public) are required to submit a Human Subjects Protection Certification of Compliance form. Funded projects may require review by an Institutional Review Board (IRB). Data collection for BJS awards involving human subjects may not begin until the appropriate documentation has been provided to and approved by BJS.

Award recipients that collect, acquire, use, or maintain information identifiable to a private person (i.e., information that is labeled by name or another personal identifier or can, by sample size or other factors, be reasonably interpreted as referring to a particular person or public agency) must submit a Privacy Certificate.

Award recipients that work under BJS’s authority to collect, acquire, use, or maintain information to complete statistical activities are required to maintain a BJS-approved Data Management Plan (DMP). The DMP provides general project information and describes how the recipient will handle, process, maintain, and dispose of the information collected in conjunction with the BJS-funded activities.

BJS award recipients must comply with all applicable terms of funding and requirements throughout the award period.

Human Subjects Protection Requirements

To ensure that human subjects are adequately protected from unreasonable risks and properly informed of the potential harms and benefits from their participation in BJS-funded research, BJS award recipients are required to comply with Department of Justice (DOJ) regulations at 28 CFR Part 46 (Protection of Human Subjects).

Applicants and award recipients should review 28 CFR Part 46 to determine their individual project requirements.

Guidance to determine whether the project constitutes research involving human subjects

Applicants are encouraged to use the Office of Justice Programs (OJP) Decision Tree to determine whether the planned research activities involve human subjects and/or require Institutional Review Board (IRB) review.

Applicants are strongly encouraged to submit a Human Subjects Protection Certification of Compliance form to BJS for review as part of their funding application. If an applicant is proposing multiple projects, a separate form must be submitted for each project. All required documentation must be provided to and approved by BJS prior to initiating BJS-funded data collection activities.

Guidance regarding required Human Subjects Protection documentation

As a condition of funding, BJS award recipients are required to submit the appropriate documentation to BJS prior to initiating BJS-funded data collection activities. The required documentation depends on whether the project meets the requirements for DOJ human subjects protections:

Lack of human subjects

  • If the project does not involve human subjects, the award recipient must submit to BJS appropriate documentation (e.g., Human Subjects Protection Certification of Compliance form with Part III completed to report the project does not involve human subjects or a determination letter from an IRB stating that human subjects are not involved). BJS must approve documentation to support lack of human subjects involvement before data collection activities are initiated.

IRB approval

  • If IRB approval is required for a project, the BJS award recipient must submit a copy of the IRB approval as well as supporting documentation to BJS prior to the initiation of any research activities that are not exempt from the requirements of 28 CFR Part 46.
  • BJS-funded activities involving human subjects may not begin until BJS receives and approves the appropriate IRB documentation.
  • IRB review and submission of exemption or approval may occur after an award is received, but activities involving human subjects may not begin until the appropriate IRB documentation is submitted to and approved by BJS.
  • BJS award recipients must comply with all terms of IRB approval throughout the project period, including annual continuing review requirements.

IRB exemption

The regulations at 28 CFR Part 46 define certain categories of research that are exempt from IRB review, either because of the nature of the research itself or the manner in which the research is carried out. [See 28 CFR § 46.101(b)]

  • If an IRB determines that the research is exempt from the regulations, applicants must submit supporting documentation to BJS stating the IRB's approval of the exemption and the specific exemption that was granted. BJS must approve the determination before data can be collected.

Guidance regarding Human Subjects Protection documentation for BJS/OJP-funded awards submitted after January 21, 2019

Provisions of the “Revised Common Rule” (45 CFR 46 of the July 19, 2018 edition of the e-Code of Federal Regulations) took effect for a number of executive branch agencies on January 21, 2019. However, DOJ is not a signatory of the Revised Common Rule. Therefore, the DOJ regulations at 28 CFR Part 46 remain in effect for BJS awards and the provisions of the Revised Common Rule do not apply.

  • IRB documentation from BJS award recipients must reflect 28 CFR Part 46 citations.
  • BJS will not accept IRB documentation from after January 21, 2019, that cites 45 CFR Part 46 references.
  • Award recipients are reminded to notify their IRBs of the need to use 28 CFR Part 46 when reviewing all BJS-funded research awards.

Privacy Certification Requirements

BJS award recipients must comply with OJP’s confidentiality requirements (28 CFR Part 22), including the privacy certification requirements at 28 CFR §22.23. Award recipients must submit a Privacy Certificate that describes the technical, physical, and administrative controls and procedures they will use to protect the confidentiality of identifiable information collected or used in conjunction with the BJS-funded activities.

About the Privacy Certificate

BJS award recipients must comply with OJP's Privacy Certification requirements (28 CFR §22.23). The Privacy Certificate is an award recipient’s certification of compliance with federal regulations requiring confidentiality of information identifiable to a private person, which is collected, analyzed, or otherwise used in connection with BJS-funded research or statistical activities.

See BJS Model Privacy Certificate (PDF 490K).

Privacy Certificate Guidelines

The Privacy Certificate must:

  • Describe an award recipient’s policies and procedures to protect information identifiable to a private person
  • Describe the specific controls used to safeguard identifiable information against unauthorized disclosure
  • Describe notification procedures to individuals from whom identifiable information will be collected
  • Describe planned data disposition processes and procedures, consistent with BJS special award conditions and other requirements
  • Be signed by all project staff, including information technology personnel, contractors, subcontractors, and/or consultants, who have access to identifiable data collected in conjunction with the BJS-funded activities.

Award recipients must:

  • Ensure compliance with the privacy certification requirements throughout the award period
  • Maintain a list of individuals who have access to or handle the identifiable information collected or maintained in conjunction with the BJS-funded activities
  • Submit an updated list to BJS of all individuals who have access to or handle the identifiable information
  • Ensure that all new staff who gain access to such information during the project period sign a Privacy Certificate
  • Report on changes to policies and procedures related to data security and confidentiality protection before the changes are implemented to confirm they comply with BJS’s privacy certification and other requirements.

Data Management Plan Requirements

As a condition of funding, BJS award recipients that work under BJS’s authority to collect, acquire, use, or store information must maintain a BJS-approved Data Management Plan (DMP). The DMP provides general project information and describes the specific technical, administrative, and physical systems, controls, and procedures the award recipient will operate to collect, store, protect, transfer, disseminate, and dispose of the information collected in conjunction with the BJS-funded project.

BJS award recipients are encouraged to use the model BJS DMP template (PDF 490K) to report the information.

The DMP provides information about, as applicable:

  • Names, roles, and contact information of project team members
  • Type of data that will be collected
  • How and in what format(s) the data will be collected and transferred to and from data providers and BJS
  • Where the data will be stored and maintained
  • Technical, physical, and administrative systems, controls, and procedures that will be operated to protect data security and confidentiality of information identifiable to a private person
  • Security incident response procedures
  • Required staff trainings (e.g., data security, confidentiality, and privacy trainings)
  • Audit procedures to ensure OJP's privacy certification requirements are followed
  • Data disposition procedures to comply with BJS’s requirement to return and/or destroy all personally identifiable information or other non-public information at the end of the award period
  • Additional information, as requested or required by BJS.

Award recipients should review the approved award terms and conditions and consult with their BJS Program Manager to determine whether additional information is needed.

Award recipients must:

  • Submit a DMP to BJS within the specified timeframe after the award is made; data collection activities may not begin until BJS approves the DMP
  • Notify BJS and receive approval before any significant changes are made to approved data security systems, controls, or procedures that involve identifiable information collected in conjunction with BJS-funded activities
  • Seek and obtain BJS approval before making changes to the approved DMP
  • Maintain the DMP throughout the award period and update the plan to reflect significant changes to data security systems, controls, or procedures (after receiving BJS approval to make the changes).

Questions: