Information Privacy and Security
Federal Certificate of Confidentiality
Principal Investigator (PI) CoC Responsibilities
- Treat ALL information about individuals involved in NIH funded research as if a CoC applies.
- Modify the CoC if the study is modified.
- If the collection of data continues after the award, apply to extend CoC protection.
- Review & follow guidance for Sharing/Disclosing CoC Protected Information.
NIH Funded Research
A CoC automatically applies to all active NIH funded research projects.
Data collected while NIH funding is active is permanently protected under a CoC, even after your funding has ended and your study has been completed.
- Guidance for Sharing/Disclosing CoC Protected Information.
- CoC Decision Tree: Is my NIH research subject to a CoC?
Sharing/Disclosing CoC Protected Information
Disclosure is NOT ALLOWED:
- As part of a Federal, State, local civil, criminal, administrative, legislative or other proceeding
- To any other person not connected with the research
Disclosure is ALLOWED IF:
- Required by Federal, State, or local laws (e.g., as required by Federal Food, Drug, and Cosmetic Act, or state laws requiring reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding; or
- Necessary for medical treatment of an individual to whom information, document, or biospecimen pertains and made with their consent; or
- Made with consent of an individual to whom information, document, or biospecimen pertains; or
- Made for purposes of other scientific research that is in compliance with applicable Federal regulations governing protection of human subjects in research.
Precautions for Sharing with Others Connected with the Research
Non-UW Collaborator on project; not a subrecipient of funding:
You may disclose, but anyone not funded by NIH must be informed that the information is protected by a CoC.
Subrecipient of the Funding – Non-UW Collaborator on project:
Requirements will be included in outgoing subaward to the subrecipient.
UW study team carrying out the project:
You may disclose, but you must make sure study team members are aware of the protections and limitations imposed by the CoC. Keep a copy of the correspondence in your research file.
Sharing Information Protected under a CoC with an eligible recipient?
Use this language for each transfer of information or within Data Use agreements to eligible recipients:
This information is identifiable, sensitive information protected by a Certificate of Confidentiality from the National Institutes of Health. You may not disclose or use this information in any federal, state, or local civil, criminal, administrative, legislative, or other action, suit, or proceeding, unless the individual has consented.
Information protected by this Certificate cannot be disclosed to anyone else who is not connected with the research, except if there is a federal, state, or local law that requires disclosure (such as to report child abuse or communicable diseases), if it is used for other scientific research, as allowed by federal regulations protecting research subjects, or if the individual has consented.
Controlled Unclassified Information (CUI)
Under federal regulations, CUI must be protected. The level of protection and the reason for protection vary. If CUI was not initially part of the project but is later developed by or shared with the research team, restrictions will be imposed by the providing agency or the sponsor. For example, Department of Defense contracts carry a Cybersecurity Maturity Model Certification (CMMC) requirement. Review the additional information on CUI, classified, and sensitive research.
Forms, Tools, and Resources
- Department of Medicine Federal Information Security Management Act (FISMA)
- Federal Certificate of Confidentiality (CoC) Kiosk
- Certificate of Confidentiality: Apply, Extend, Modify
- Is your project considered research?
- Does your project involve Human Subjects?
- CoC Decision Tree: Is my research subject to CoC?
- Privacy Office: European Union – General Data Protection Regulation (EU…
- Office for Human Research Protection (OHRP): EU General Data Protection…
Policy, Regulation, and Guidance
- APS 2.4 Information Security and Privacy Roles, Responsibilities, and Definitions
- Office of the Chief Information Security Officer: Laws
- APS 2.6 Information Security Controls and Operational Practices
- Federal Information Security Management (and Modernization) Act (FISMA)
- Guidance: Certificate of Confidentiality (CoC)
- NIH: Certificate of Confidentiality