staffmanual2004.pdf
TRANSCRIPT
-
8/10/2019 staffmanual2004.pdf
1/27
-
8/10/2019 staffmanual2004.pdf
2/27
National Center for Health Statistics
Edward J. Sondik, Ph.D., Director
Jennifer H. Madans, Ph.D., Acting Co-Deputy Director
Michael H. Sadagursky, Acting Co-Deputy Director
Jennifer H. Madans, Ph.D., Associate Director for Science
Jennifer H. Madans, Ph.D., Acting Associate Director for
Planning, Budget, and Legislation
Michael H. Sadagursky, Associate Director for
Management and Operations
Lawrence H. Cox, Ph.D., Associate Director for Research
and Methodology
Margot A. Palmer, Director for Information Technology
Margot A. Palmer, Acting Director for Information Services
Linda T. Bilheimer, Ph.D., Associate Director for Analysis,
Epidemiology, and Health Promotion
Charles J. Rothwell, M.S., Director for Vital Statistics
Jane E. Sisk, Ph.D., Director for Health Care Statistics
Jane F. Gentleman, Ph.D., Director for Health Interview
Statistics
Clifford L. Johnson, Director for Health and Nutrition
Examination Surveys
-
8/10/2019 staffmanual2004.pdf
3/27
Foreword
TheNCHSStaffManualonConfidentialitywasoriginallypublishedin July1978andreprintedinApril1980and
inAugust1997.Itwasreissuedinearlieryearsmainlytoinformstaffofchangesinlawsandregulations.Inviewof
themanychangesintechnologiesrelatedtodatahandlinganddisseminationthathavetakenplacein recentyears,new
proceduresandpolicieshavebeendevelopedrequiringanextensiverevisionoftheManual.
Theconfidentialityof recordsisamatterofprimaryconcerntotheNationalCenterforHealthStatistics(NCHS).
InordertoelicithealthinformationfromtheAmericanpeopleandfromthehealthcareprovidersthroughoursurveys,
wemustbeableto assurethemthatthisinformationwillbeprotectedfromtheeyesandearsofallunauthorized
persons.Thismeansthatwemusthavestronglawsenablingus toprotect theserecords,andthatwemustestablish
andfollowprocedurestogivethemsuchprotection.ThisManualstatestheCenterspoliciesthatimplementFederal
lawandensurethatallconfidentialinformationwillbe fullyprotected.Itshouldbeviewedinunisonwiththe
NCHSdatareleasepolicies addressingaccesstodataandNCHSResearchEthicsReviewBoardRequirements .The
NCHSDirectorretainstheauthority toallowexceptionstopoliciescontainedinthismanualwherethereareuniqueor
specialcircumstances.
TheCenterisproudofitsrecordinprotectingitsfilesfromimproperdisclosures,andit isveryimportantthatwe
continuetodoso.Thecontinuingsuccessofourworkdependson it.Therefore, I amcountingoneverymemberofthestaff oftheCenter, aswellasthosewhoworkwithNCHS,tokeepacopyofthisManualhandy, to bethoroughly
familiarwithitscontents,andtoabideby thepoliciesinthemanualcarefullyandconscientiously.
EdwardJ.Sondik,Ph.D.Director
http://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdf -
8/10/2019 staffmanual2004.pdf
4/27
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2. Legislative and Regulatory Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2.1 Section 308(d) of the Public Health Service Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2.2 PrivacyActof1974 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.3 ConfidentialInformationProtectionandStatisticalEfficiencyAct. . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.4 Freedomof InformationAct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.5 Federal Law Governing Federal Employees Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. EmployeeResponsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44.1 Division and Office Directors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.2 ConfidentialityOfficer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.3 SupervisorsResponsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.4 Individual Federal Employees Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.5 Contractors and Agents Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.6 Collaborators Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.7 Administrative Officers Responsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. NCHS Policies on Consent and Assurances ofConfidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1 Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.2 Assurances of Confidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.3 Responsibility for Formal Assurances of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.4 DataCollected Directly FromIndividuals orEstablishments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.5 Data Collected From Another Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.6 Data Collected Over the Telephone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.7 Repository ofAssurances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
6. TreatmentofRequestsforInformationUnderFreedomofInformationAct. . . . . . . . . . . . . . . . . . . . . . . 9
7. The Protection of Confidential Records and Data Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1 Physical Protection of Confidential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
7.2 Automated Data Processing Systems Security General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8. Authorized Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.1 Disclosure to the Parent Locator Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2 DisclosuresPermittedbySection308(d)ofthePublicHealthServiceAct. . . . . . . . . . . . . . . . . . . 12
v
-
8/10/2019 staffmanual2004.pdf
5/27
8.3 Disclosures Within NCHS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.4 Disclosures Within the Department. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
8.5 Transfers ofData toOtherDepartments of theFederalGovernment. . . . . . . . . . . . . . . . . . . . . . . . . 12
8.6 Special Cooperative or Contractual Arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9. AvoidingInadvertentDisclosures ThroughRelease ofMicrodata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.1 Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.2 Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149.3 Restricted Access toMicrodata Files WithIdentifiable Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10. Avoiding Inadvertent Disclosures in Published Tabular Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1 Types of Disclosure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.2 Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.3 Special Guidelines for Avoiding Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.4 Evaluating a Disclosure Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.5 Measures to Avoid Disclosure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
11. AvoidingDisclosure in Other Types of Published Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Appendixes
AppendixA.RequirementsRelatingtoConfidentialityandPrivacyinDataCollectionandData Processing Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
I. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
II. Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
III. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
SafeguardsforIndividualsandEstablishmentsAgainstInvationsofPrivacy . . . . . . . . . . . . . . . . . . . . . 18
Appendix B. NCHSNondisclosure Affidavit for FederalEmployees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Appendix C. NCHS Nondisclosure Affidavit for Contractors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix D.Confidentiality, Security, and Related ContactPersons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
vi
-
8/10/2019 staffmanual2004.pdf
6/27
NationalCenterforHealthStatisticsStaffManualonConfidentiality
1.
Introduction
Confidentialityprotectionhasmanyaspects.Thismanualattemptstodealwithmostofthem.Informationandrules
arepresentedgoverning:
A. Legalrequirementsandpenalties,
B. Employees1 responsibilities,
C. Promiseofconfidentialitytorespondents,
D. Treatmentofrequestsforinformation,
E. Physicalprotectionofrecords,
F. Disclosuresthatmaybepermitted,
G. Avoidanceofunintentionaldisclosuresthroughpublisheddata,
H. Maintenanceofconfidentialityin thereleaseofmicrodata,and
I. Requirementsplacedoncontractors.
2. LegislativeandRegulatoryBackground
TheHealthServicesResearchandEvaluationandHealthStatisticsActof1974(P.L.93353)establishedNCHSin
law.Indoingso,itmandatedthatNCHSmakestheinformationitcollectsavailableonaswideabasisaspracticable.
However, it placed a veryimportantrestriction on themanner in which this was to beaccomplished byenjoining NCHS
tostrictlyobservetheassurancesofconfidentialityprovidedtoitsrespondents.Makingusefulhealthstatisticsavailableto
asmanypeopleaspossibleisveryimportant,butitisequallyimportanttodosoinamannerthatwillnotinanywayharm
theprovidersofthesestatistics.
Althoughitisamatterofprinciple,aswellasgoodstatisticalpractice,fortheCentertomaintaintheconfidentiality
ofrecords,asetoflawsandregulationsexiststhatrequiresandpermitstheCentertodoso.
2.1
Section
308(d)
of
the
Public
Health
Service
Act
(42
U.S.C.
242m(d))
ThissectionprovidesthebasiclegalrequirementforprotectingtheCentersrecords.Itreads:
No information, if an establishment or person supplying the information or described in it is identifiable,obtainedinthecourseofactivitiesundertakenorsupportedundersection242b,242k,or242lofthistitlemaybeusedforanypurposeotherthanthepurposeforwhichitwassuppliedunlesssuchestablishmentorpersonhasconsented(asdeterminedunderregulationsoftheSecretary)toitsuseforsuchotherpurpose;andinthecaseofinformationobtainedinthecourseofhealthstatisticalorepidemiologicalactivitiesundersection242bor242kofthistitle,suchinformationmaynotbepublishedorreleasedinotherformiftheparticularestablishmentorperson supplying the information or described in it is identifiable unless such establishment or person hasconsented(asdeterminedunderregulationsoftheSecretary)toitspublicationorreleaseinotherform.
Thissectionoftheactisinterpretedasfollows:WhenevertheCenterrequestsinformation,itapprisesthepersonor
agencysupplyingtheinformationastotheusestobemadeofit.ThefirstclauseofSection308(d)guaranteesthatthereaftertheCenterwillbelimitedtothoseusessospecifiedtothe
supplier.
1Wherever the word employees is used in this document, contractors, agents, fellows, and all other persons whohave signed a nondisclosure
agreement (AppendixAor B)arealsoincluded.
- 1 -
http://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.html -
8/10/2019 staffmanual2004.pdf
7/27
The second clause states that the Center may never release identifiable information (See Section 3. Definitions)
without the advance, explicit approvalof the person or establishment supplying the informationorby the person or
establishmentdescribedintheinformation.
Access to information in identifiable form maybe grantedonly tostaff ofNCHS, its qualified agents, and those
collaboratorsandotherparties(includingotherFederalagencies)explicitlydescribedinthesurveyconsentstatement,and
maybeemployedbythemonlyinactivitiesdirectlyaimedatachievingthespecificpurposesasconveyedtorespondents.
2.2 PrivacyActof1974(5U.S.C.552a)
ThisactalsoprovidesfortheconfidentialtreatmentofrecordsofindividualsthataremaintainedbyaFederalagency
that areretrieved byeither theindividualsname orsomeother identifier. Thislaw alsorequires that suchrecordsin
NCHSaretobeprotectedfromusesotherthanthosepurposesforwhichtheywerecollectedwithouttheconsentof the
individualunlessauthorizedbythePrivacyAct.Itfurtherrequiresagenciesto(1)collectonlythatinformationnecessary
toperformagencyfunctions;(2)publishdescriptionsofdatasystemscontainingnamesorotherdirectidentifiers(called
systems of records)so that thepubliccanlearnwhatidentifiable recordsare maintainedby theagency;(3) inform
individualsatthetimeofdatacollectionastothelegislativeauthorityunderwhichitisrequested,whethertherequestis
mandatoryorvoluntary,theconsequences,ifany,ofnonresponse,andthepurposesandusestobemadeofthedata;(4)
maintain no records on how an individual exercises his rights under the first amendment except with special legal
authorization; (5) with certainexceptions, permit individuals to examine recordsmaintained about themselves and to
challenge the accuracy of those records; (6) establish rules of conduct governing persons involved in collecting and
maintainingrecords; and(7) establishappropriateadministrative, technical, andphysical safeguards toprotectrecords.
Employeesofagenciesandtheircontractorssubjecttotheactwhowillfullydisclosepersonalinformationcontrarytothelaw,orwhofailtogivenoticeofasystemofrecords,maybefinedupto$5,000,andtheagencymaybesuedfordamages.
Finally,theactplacessevererestrictionsontheuseofanindividualsSocialSecuritynumber,suchthattheCenteris
precludedfromcollectingandusingthemwithouttheexplicitconsentofrespondents.
The Department of Health and Human Services (DHHS) has allowed NCHS to have a K4 exemptionfor its
statisticalsystems,aspermittedunderthePrivacyAct.ThismeansthatNCHSdoesnothavetoallowsubjectsofitsdata
filestohaveaccesstotherecordsaboutthemselvesinthosefiles.ThisexceptiontoPrivacyActrequirementsispermitted
becauseNCHSdoesnothaveinitsdatafilesanyrecordsthatareusedinanydirectwaytoaffecttherights,benefits,or
privilegesofpersonswhoserecordsexistinthesefiles;rather,thefilesareusedstrictlyforstatisticalandrelatedpurposes.
TheCenter,however,mustcomplywithallotherrequirementsofthePrivacyAct.
ItmustbestressedthatwhileunderthePrivacyActidentifiableinformationmaybereleasedtoanumberofparties
suchastheGeneralAccountingOffice,eitherhouseofCongress,andcourts,theprovisionsofSection308(d)ofthePublic
HealthServiceAct,whicharemuchmorestrict,wouldtakeprecedence.Withouttheconsentofrespondents,identifiable
information
will
not
be
shared
with
such
parties.Regulations (45CFRPart5b) havebeenpublishedbyDHHSprovidingforimplementationofthePrivacyActwithin
thisDepartment.Allemployeesareboundtocomplywiththeseregulations.
2.3 Confidential InformationProtectionandStatisticalEfficiencyAct
(NOU.S.CODELINKAVAILABLEATPRESENT.ConsultKathyMoss.)
Thislegislationestablishesstrongstandards fortheprotectionofconfidentialdataprovidedto Federalagencies for
statisticalpurposes.Thislawrequiresthatalldatacollectedforstatisticalpurposesundera pledgeof confidentialitybe
used only for statistical purposes. As such, it covers all data collections currently undertaken by the Center. It also
providesstrongcriminalpenaltiesforunauthorizeddisclosureofconfidentialstatisticalinformation.Concerningfinesand
penalties,theactstates:
Whoever, being anofficer, employee,or agent ofanagencyacquiringinformation forexclusivelystatisticalpurposes,...comesintopossessionofsuchinformationbyreasonofhisorherbeinganofficer,employee,oragentand,knowingthatthedisclosureofthespecificinformationisprohibitedundertheprovisionsofthistitle,willfullydisclosestheinformationinanymannertoapersonoragencynotentitledtoreceiveit,shallbeguiltyofaclassEfelonyandimprisonedfornotmorethan5years,orfinednotmorethan$250,000,orboth.
ThisActdoesnotdiminishanyconfidentialityprotectionsuchasNCHS308(d)authorityorthoseofthePrivacyAct.
- 2 -
http://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://www.usdoj.gov/foia/privstat.htm -
8/10/2019 staffmanual2004.pdf
8/27
TheAct alsoauthorizes thedesignationof agents toperformstatisticalactivities.These agents functionunder the
supervisionofNCHSemployeesandaresubjecttothesameprovisionsoflawwithregardtoconfidentialityasanNCHS
employee.
2.4
Freedom
of
Information
Act
(FOIA)
(5
U.S.C.
552)
Firstpassed in1967andamendedmost recentlyin 1996, this act requiresFederalagencies tomaketheir records
availabletopersonswhorequestthem.WhileFOIAseekstomakegovernmentinformationmorewidelyavailable,itdoes
notunderminetheprivacyprotectionrequiredunderthelawsjustcited.Severalkindsofrecordsarespecificallyexemptedfrom the disclosure requirements of the FOIA. Two exclusions provided in Section 552(b) of the act are of special
relevance:Subsection(6)exemptspersonalandmedicalfilesandsimilarfilesthedisclosureofwhichwouldconstitute
aclearlyunwarrantedinvasionofpersonalprivacyandSubsection(3)providesthatmattersspecificallyexemptedfrom
disclosurebystatutearealsoexcludedfromthedisclosurerequirement.InthecaseofNCHS,theaforementionedSection
308(d)ofthePublicHealthServiceActrepresentsstatutoryprotection.ThusnorecordsthatarecollectedunderthePublic
HealthServiceActandprotectedbySection308(d)ofthatactarerequiredbytheFOIAtobereleasedbyanyone.
RegulationshavebeenpublishedbyDHHSimplementingFOIA.
IntheeventthatNCHSstafforcontractorsreceiveadatarequestcitingtheFOIA,theyarenottoresponddirectly,but
mustrefer therequesttotheNCHSFreedomofInformationCoordinator immediately.
2.5 FederalLawGoverningFederalEmployeesBehavior(18U.S.C.1905)
Thislaw includesthe following provision, which is alsorelevant to themaintenanceof confidentiality forNCHSrecords:
DisclosureofConfidentialInformation
Whoever,beinganofficeroremployeeoftheUnitedStatesoranydepartmentoragencythereof,...
publishes,divulges,disclosesormakesknowninanymannerortoanyextentnotauthorizedbylaw
anyinformationcomingtohiminthecourseofhisemploymentorofficialdutiesorbyreasonofany
examinationorinvestigationmadeby,orreturn,reportorrecordmadetoorfiledwith,suchdepartment
or agency or officer or employee thereof, which information relates to trade secrets, processes,
operations,styleofwork,orapparatus,or totheidentity,confidentialstatisticaldataamountorsource
of any income, profits, losses, or expenditures of any person, firm, partnership, corporation or
association; or permits any income return or copy thereof or any book containing any abstract or
particularthereoftobeseenorexaminedbyanypersonexceptasprovidedbylaw,shallbefinedunder
this title, or imprisoned not more than one year, or both; and shall be removed from office or
employment.
3. Definitions
Throughoutthisdocument,certainkeytermsareusedthatwarrantclearunderstanding.Thereaderiscautionedthat
presentusagemaynotalwayscoincidewithusagebyotheragenciesorentities.
IdentifiableInformationreferstoinformationthatcanbeusedtoestablishindividualorestablishmentidentity,whether
directlyusing items such as name, address, or unique identifying numberor indirectlyby linking data about
respondentswithexternalinformationthatdirectlyidentifiesthem.
ConfidentialInformationisanyidentifiableinformationorinformationassociatedwithidentifiableinformationabout
apersonorestablishmentcollectedunderanassurancethatrestrictsthedegreetowhichtheinformationcanbeshared
withothers.Itisimportanttounderstandthatinformationthatbyitselfwouldnot leadtotheidentityofa respondent,butwhich
coulddosoifcombinedwithinformationalreadyreleased(e.g.,theidentitiesofareasinwhichasurveywasconducted),
mustalsobeconsideredconfidential.
A disclosure occurs when identifiable information concerning an NCHS respondent (including the fact of his
participationinanNCHSsurvey)ismadeknowntoa thirdparty.Disclosuresmaybeauthorized(aswhenarespondent
hasconsented to theinformationbeing sodivulged),unauthorized (aswheninformationis intentionally revealedto a
partynotconsentedtobytherespondent),or inadvertent(aswhenatabulationorfileisunintentionallymadeavailableto
- 3 -
http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm -
8/10/2019 staffmanual2004.pdf
9/27
the public that reveals or can beused to reveal personal informationprovidedbyanNCHS respondent). Authorized
disclosuresarediscussedinSection8,whilethepreventionof inadvertentdisclosureistreatedinSections9and10.
Anagentisapersondesignatedbyanagencytoperform,eitherinthecapacityofaFederalemployeeorotherwise,
activitiesauthorizedbylawandspecifiedinawrittendocumentunderthesupervisionorcontrolofanofficeroremployee
ofthatagency,andwhohasagreedinwritingtocomplywithallprovisionsoflawthataffecttheactivitiesconductedon
behalfoftheagency.
AcollaboratororcollaboratingpartyisonewithwhomNCHShasaformalworkingrelationshipattheinceptionof
asurveyorproject.Inmostcircumstances,aformalworkingarrangementisdefinedinsuchdocumentsasaMemorandum
of Understanding (MOU) or InteragencyAgreement (IA), but may also be defined in other appropriate instruments.Although the nature of the working relationship may vary from collaborator to collaborator, the description of that
relationshipmustbe veryspecificallystatedin whichever instrumentis chosen.Acollaboratormusthaveestablisheda
formalworkingarrangementwithNCHSattheinitialplanninganddesignstages.Thereafter,thecollaboratormusthave
tangibleandsignificantinvolvementintheplanning,design,funding,orexecutionofthesurveyorproject. A collaborator
canbe,butisnotlimitedto,otherFederalagencies,Stategovernments,universities,organizations,colleagues,andothers
workingoutsideNCHS.
Consent iswritten,oral,orinferredapprovalbyanNCHSrespondenttoprovidetherequestedinformation.Before
elicitinginformation,respondentsareclearlyinformedabouttheusestobemadeofdataheorsheisaskedtosupplyand
thepartieswhowouldreceiveitinidentifiableform.Thisinformationmustbeprovidedinsuchawayastorepresenta
full exposure of the facts the respondent needs to make an intelligentdecisionconcerning the provision ofpersonal
informationtoNCHS.
4.
Employee
Responsibilities
4.1 DivisionandOfficeDirectors
Eachdivisionandofficedirector intheCenterhasresponsibilityforassuringstaff compliancewithNCHSpolicies
pertainingtotheconfidentialityof recordsincaseswhereanassuranceofconfidentialityhasbeenoristobegiven.
4.2 ConfidentialityOfficer
TheConfidentialityOfficerwillbeavailabletoassisttheCenterDirectorandstaff inavarietyofways,including:
a. InterpretingDepartmentpoliciespertainingtoconfidentiality;
b. Assistingemployeesinobtaininginformationonandclarificationofconfidentialitylawandrelatedregulations;
c. DirectingtheNCHSDisclosureReviewBoard(seeSection9.2) inthereviewofelectronicdataproductsproposed
forpublicrelease;
d. Providingorientationfornewemployees,ongoingtrainingforcurrentemployees,andimplementingappropriate
exitprocedurestodepartingstaff;
e. Reviewingdatacollectioninstrumentsandprocedures;
f. Providing guidance in the development of appropriate inter and intraagency agreements, and contractual
languageforthesharingandcollectionofconfidentialinformation;
g. ConductingperiodicphysicalinspectionsofNCHSofficestoassurethatrequirementsforthephysicalsecurityof
confidentialrecordsareobserved(SeeSection7);and
h. Providing advice regarding appropriate disciplinaryaction thatmay be taken when laws, rules, or regulations
relatingtoconfidentialityareviolated.
4.3
Supervisors
Responsibilities
TheSupervisorsResponsibilitiesincludethefollowing:
a. Supervisors will inform all employees, and subsequently all new employees, of existing NCHS policies and
proceduresrelatingtothesubjectofconfidentialityandwilldiscusswithsuchemployeestheirresponsibilitiesin
thisarea.
b. Supervisorswillberesponsibleforassuringthatallemployeesundertheirjurisdictioncomplywithregulations
applyingtothedisclosureofofficialinformationthatpermitstheidentificationofindividualsorestablishments.
- 4 -
-
8/10/2019 staffmanual2004.pdf
10/27
c. Supervisorsshouldrecognizeuniquesituationsthatcallformorethanusualprecautionarymeasuresandshould
makerecommendationsforimprovement,ifnecessary.
4.4 IndividualFederalEmployeesResponsibilities
a. Individualemployeesareexpectedatalltimestofollowtheprinciplesandobeythelaws,rules,andregulations
thatarecitedorreferencedinthismanual.Whenindoubt,employeesshouldobtainadvicefromthesupervisoror
theConfidentialityOfficer.
b. Eachemployee ofNCHSis responsible formaintainingandprotecting atalltimes theconfidentialrecords,inwhateverformormedia,whichareintheemployeespresenceorundertheemployeescontrol.
c. Toassurethattheemployeeisfullyawareofhisresponsibilities,eachperson,onenteringemploymentinNCHS,
isgiventheNondisclosureAffidavitfoundinAppendixBtoreadandsign.Theyareaskedtoreasignthisform
annually.
4.5 ContractorsandAgentsResponsibilities
PersonsworkingundercontracttoorwhoareotherwiseconsideredagentsofNCHSaresubjecttothesamelawsand
regulationsas NCHSemployees.Inaccordancewith theconfidentialityprovisions incorporatedinallNCHScontracts,
contractors and agents, and contractor employees are expected to observe all Departmental and Centers for Disease
Control and Prevention (CDC) rules and regulations and NCHS policy relating to official information for which
confidentialityassuranceshavebeengiven.
Whenindoubtconcerninganyconfidentialitylaw,regulationorpractice,adviceshouldbeobtainedfromtheNCHSprojectofficerortheNCHSConfidentialityOfficer.
EachagentandcontractemployeeofNCHSisresponsibleformaintainingandprotectingatalltimestheconfidential
records,inwhateverformsormedia,thatareintheirpresenceorundertheircontrol.Inaddition,theymustatalltimes
followtheprinciplesandobeythelaws,rules,andregulationsthatarecitedor referencedin thismanual. Toassurethat
the agent or contractor employee is fully aware of his responsibilities, each person, on entering on duty, signs a
Nondisclosure Affidavit (Appendix C),whichspellsouttheparticularsofthelawscoveringtheirconductwhileunder
contracttoNCHS.
4.6CollaboratorsResponsibilities
Althoughconsent will have been obtained from respondents for access to confidential data by collaborators (See
definitionofcollaboratorinSection3above),itisnonethelessNCHSpolicythatsharingofconfidentialdataoutsidethe
Center requirespositiveassurances that they will beaccorded the same rigorouscare as they receive within NCHS.Accordingly,collaboratorsarenotpermittedtoreceiveconfidentialdataunlesstheyhaveprovidedsuchassurancesand,
indoingso,committedthemselvesto followingtheprinciplesandobeyingthelaws,rules,andregulationscitedin this
manual.Appropriatemodelagreementsareavailableforthispurpose.
4.7 AdministrativeOfficersResponsibilities
Eachnewemployeeorcontractorisrequiredtoviewaconfidentialityvideo,signaconfidentialitypledge,andreceive
documents and material dealing with their responsibilities with respect to confidential information while working at
NCHS.TheAdministrativeOfficerisresponsibleformakingsurethatpersonsenteringondutyattheCentercomplywith
allappropriaterequirementsestablishedby theConfidentialityOfficer. Similarly,upondeparture from NCHSemploy-
ment,staffarerequiredtoundergoawelldefinedexitprocess.TheAdministrativeOfficerisresponsibleforensuringthat
departingstaffcomplywithallrequirements.
5.NCHSPoliciesonConsentandAssurancesofConfidentiality
5.1 Consent
Obtainingconsentfromindividuals.Consentmaybeobtainedbymeansofasignatureorbyconstruction.Inthefirst
instance,therespondentmaybeprovidedawrittendescriptionoftheintendedtreatmentofinformationhe/sheisaskedto
- 5 -
-
8/10/2019 staffmanual2004.pdf
11/27
provideandaskedtosignhis/hername,therebyindicatingpermissiontousethatinformationasdescribed.Insomecases,
however,he/sheisgiven thisinformationeitherinwritingorverbally. Iftherespondentthensuppliestherequesteddata,
NCHSconstruesthattherespondentagreestothoseintendedusesandsharingofdatawithpartieshehasreadorbeen
toldabout.TheCentercanthenmakesuchusesofthedataashavebeendescribedtotherespondent,butnootheruses
ofthedatamaybemade.Inarrivingatthecontentofastatementofconsent,the ConfidentialityOfficerandtheChairof
theNCHSResearchEthicsReviewBoard(ERB) cooperateclosely.AllprotocolssubmittedtotheERBarereviewedfor
conformancewithNCHSconfidentialityrequirements,andthefinal,consentdocumentsmustbeplacedonfilewiththe
ConfidentialityOfficerpriortouseinthefield.(NOTE:Followingconfidentialityrequirementsdoesnotreleasestafffrom
therequirementsoftheERB.Obtainingconsentfromanestablishment. Inthecaseofestablishments,theapproachdependspartlyuponwhetherthe
requestforinformationismadeinapersonalintervieworbymail.
A. Iftherequestforinformation ismade inpersonby astaffmember oragentofNCHS, the contactpersonfirst
inquires as to who is authorized to provide the requested data on behalf of the establishment. When such
authorizedpersonisinformedoftheusestobemadeofthedata,andhe/shethensuppliesthedata,NCHSstaff
construesthattheestablishmenthasgivenconsentto theusesofdataasspecified.
B. Whendataaresoughtfromanestablishmentbymail,therequestmaybeaddressedtotheestablishmentitself,to
the manager of the establishment, or to some other person who, as the Center has previously ascertained, is
authorizedtoproviderequesteddataonbehalfoftheestablishment.Thelettertransmittingtherequestexplainsthe
uses tobemade of the data.WhenNCHS staff then receives the requested data from the establishment, itis
construedthattheestablishmenthasconsentedtothoseusesofwhichithasbeeninformed.
5.2AssurancesofConfidentiality
Background. WheneverNCHSrequestsdataconcerningan individualoranestablishment, itisobligatedtoprovide
certain information and assurances to the supplier of information.Although this is considered a moral obligation by
NCHS,itisalsostatedorimpliedinboththePublicHealthServiceActandthePrivacyActof1974.ThePublicHealth
ServiceAct,inSection308(d)statesthatinformationmaynotbeusedforanypurposeotherthanthepurposeforwhich
it was supplied; therefore, such purposes must be explained to the supplier of information before obtaining the
informationfromhim/her.ThePrivacyActof1974statesinSection(e)(3)thattheagencyshall:
Informeachindividualwhomitaskstosupplyinformation,ontheformthatitusestocollecttheinformationorona
separateformthatcanberetainedby theindividual...
A. the authority (whether granted by statute, or by executive order of the President) which authorizes thesolicitationoftheinformationandwhetherdisclosureofsuchinformationismandatoryorvoluntary;
B. theprincipalpurposeorpurposesforwhichtheinformationisintendedtobeused;
C. intendeddisclosure(ifany)ofidentifiableinformationtootherparties;and
D. the effectsonhim/her, ifany, ofnotprovidingalloranypartoftherequestedinformation.
Suchinformationmustbeconsistentwiththeinformationinthedescriptionofthesystemofrecordspublishedinthe
Federal Register.If any release of any identifiable information is to bemade, then the law requires that consent be
obtainedinadvanceforthatspecificrelease.ThePublicHealthServiceAct,Section308(d)statesthatsuchinformation
maynot bepublished or releasedin other form if theparticularestablishment orperson supplyingthe informationor
describedinit isidentifiableunlesssuchestablishmentorpersonhasconsented(asdeterminedunderregulationsofthe
Secretary)toitspublicationorreleaseinotherform.ThePrivacyAct(in552A(b)statesthat,withcertainexceptions,an
individualsrecordmaynotbedisclosedexceptpursuanttoawrittenrequestby,orwiththepriorwrittenconsentofthe
individualtowhomtherecordpertains.
Statementofassurances.Thesetofinformationgiventoanyindividualorestablishmentaskedtoprovidedatatothe
Centermustincludeastatementofassurances.Thismustinclude:
(1)Thelegalauthorization(s)forsolicitingthedata(inthecaseofNCHS,thePublicHealthServiceAct);
(2)Thepurposesforwhichthedataarebeingcollectedandthepartieswithwhomidentifiableinformationwillbe
shared;
(3)Thevoluntarynatureoftheresponse;
(4)Theconsequences,if any,to therespondentforfailingtoprovideanypartoftherequesteddata;and
- 6 -
http://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www.usdoj.gov/foia/privstat.htmhttp://www.cdc.gov/od/ads/hsr2.htm -
8/10/2019 staffmanual2004.pdf
12/27
(5)AnassurancethattheCenterwillprotectthedataagainstotheruses.
5Thestatementofassurancesmay becontainedinaletterorbrochurehandedormailedtoa respondentsothat
he/she receivesit beforeprovidingthe information.Thestatementmay begivenorally toa respondent,but italso
mustbeprovidedinwrittenform, onpaper, to beretained bytherespondent;theonlyexceptionstothisrequirement
are: (a) ifa selfadministeredquestionnaire isused,thestatement may be madepart ofthequestionnaire, andno
separatecopy needbegiventotherespondent,and(b)inthecaseof atelephoneinterview, anoralreadingmay be
sufficient(see Section5.6).
Theassuranceofconfidentialityconstitutestheguaranteegiventothedatasupplier thatNCHSwilllimititsusesof
thedatatothosespecifiedtotherespondentandthatNCHSwillactivelyprotecttheinformationfromanyotherusesbyanyotherparty.
5.3 Responsibility forFormalAssurancesofConfidentiality
FormalassurancesofconfidentialitywillbegivenbytheDirectorofNCHSorhisdesignee.Suchauthorityisvested
intheDirectorof theCenterandtheDirectorofeachof itsdivisionsandoffices.However, incidentalreferencesto the
assurancesarepermittedincommunicationssignedbyotherstaffmemberssuchassurveymanagersdirectlyinvolved
with the development and negotiation of such assurances. In view of the complexities involved in confidentiality
assurancesresultingfromlegislativeandregulatoryrequirements,DivisionandOfficeDirectorsarerequiredtosubmitthe
confidentialityassurancesrelatingtoeachdatacollectionprogramtothe ConfidentialityOfficerforreviewandapproval.
ThisapprovalshouldbeobtainedbeforetheRequestforClearancegoestotheNCHSResearchEthicsReviewBoardor
OMBClearanceOfficer.
5.4
Data
Collected
Directly
From
Individuals
or
Establishments
Wheneverdataaretobecollectedwithapromiseofconfidentiality2 directlyfromindividualsorestablishmentsbyan
employee, agent, or contractor of NCHS, primarily toaccomplish an NCHS function, the following rules governing
assurancesandinformationaretobemet:
1. Includeonthedatacollectioninstrument(whetherelectronicorpaper) inaclearlyvisiblelocationandinclearly
visible letters the following notice (or words to this effect) of the confidential treatment to be accorded the
informationintheinstrumentbyanyonewhomayseeit:
ConfidentialInformation
Informationcontainedonthisformwhichwouldpermitidentificationof anyindividualorestablish-
menthasbeencollectedwithaguaranteethatitwillbeheldinstrictconfidence,willbeusedonlyforpurposesstatedinthisstudy,andwillnotbedisclosedorreleasedwithouttheconsentoftheindividual
or theestablishment inaccordance with Section308(d) of thePublic HealthServiceAct (42U.S.C.
242m)andtheConfidentialInformationProtectionandStatisticalEfficiencyAct.
2. Onaletterorotherformthatcanberetainedby theindividualortheestablishment,oronthequestionnaireform
itselfif itis aselfadministeredquestionnaire,informinclearand simpletermseachindividualorestablishment
askedtosupplyinformation:
a. ThatthecollectionoftheinformationisauthorizedbySection306ofthePublicHealthServiceAct(42U.S.C.
242k);
b. Ofthepurposeorpurposesforwhichtheinformationistobeused,clearlystatingthattherecordswillbeused
solelyforstatisticalresearchandreportingpurposes;
c. Ofintendeddisclosures(ifany)ofidentifiableinformationtootherparties;
d. Thatparticipationisvoluntaryandtherearenopenaltiesfordecliningtoparticipateinwholeorinpart;ande. Thatinformationwillnotbeusedforanypurposeotherthanstatisticalresearchandreporting,norwillitbe
sharedin identifiableformwithanyoneotherthannamedagenciesandcollaborators.
2Intherareinstanceinwhichdataarecollectedwithouta promiseofconfidentiality,permissionto collectthe datamustbegrantedbytheDirector,
NCHS.
- 7 -
-
8/10/2019 staffmanual2004.pdf
13/27
When social securitynumber orMedicareclaimnumber (which may incorporate the social securitynumber) are
collected, respondentsmust,atthepointofcollectionof that information,be informed,inclearandunderstandable
languageofitemsathroughd.
5.5DataCollectedFromAnotherOrganization
WhenevertheCenterarrangestopurchaseorotherwiseobtainfromanotherorganizationdatathatcontainidentifiers
ofindividualsorestablishments,itwillprovidetothesuppliertheinformationspecifiedinthepreviousitems5.42a,b,
c, and e. This information will be provided in written form, either in the contract, purchase order, or other writtenstatement.
5.6 DataCollectedOver theTelephone
Wheneverdataaretobecollected over the telephone byanemployee,agent,orcontractorofNCHS,primarilyto
accomplishanNCHSfunction,thefollowingrulesgoverningassurancesand informationaretobemet:
1. Beforeelicitingsurvey informationfroma respondentinany telephonesurvey, therespondentwillbegiventhe
followinginformation(thoughnotnecessarilywiththisexactwording)overthetelephone:
a. Thelawauthorizingcollectionoftheinformation.IfthesurveyisbeingconductedundertheCenterslegal
authority, the interviewer should say, Thesurvey is being conducted under authorityof thePublic Health
ServiceAct. Iftherespondentrequeststhespecificlegalcitation,the interviewerwillsaythatitis Volume42oftheU.S.Code,Section242k.
b. Thepurposeorpurposesfor which theinformationis tobeused, suchas for statisticalresearch onhealth
problems.
c. Thatparticipationinthesurveyispurelyvoluntary.
d. AnypossibledisclosuresofidentifiabledatatobemadeoutsideNCHS.
e. An assurance that (except for any such disclosures) the confidentiality of all information supplied will be
carefullyprotected,andnooneotherthanNCHSanditsagentsandanycollaboratorswillhaveaccesstoany
datathatidentifytherespondents.
Theexactwordingproposedforinformingrespondentsinanyparticularsurveymayvaryfromthatsuggestedabove,
butmustbesubmittedforapprovalbytheConfidentialityOfficerpriortotherequestforOMBapproval.
2. Thetelephoneinterviewermustsignastatementthattheinformationrequired(asindicatedabove)wasgivenorally
to each respondent. This information shall be given by reading the approved text and answering any of therespondents questions about it before proceeding with the interview. The statement to be signed by each
interviewermaybeontheformusedtocollectthesurveydata.
Incomputerassisted telephone interviewingwherethere isnohardcopyquestionnaire,the following procedure
maybeusedinlieuofhavingtheinterviewersignastatement:Followingthepromptingfortheinterviewertoread
theprescribedstatementstotherespondent,thecomputerthenaskstheinterviewerwhetherheorshecertifiesthat
he/shehasreadtotherespondentallthestatements,intheirentirety,containedinitems______through________.
Ifso,theinterviewerisaskedtotouchY(oranotherappropriatesymbol)foryes,andtoenterhis/herpersonal
identifiercodeandthedate.Thecomputerthencheckswhetherthesehavebeenenteredcorrectlyand,iftheyhave,
thecomputermakesthiscertificationapermanentpartoftheinterviewrecord.Iftheyarenotenteredcorrectly,the
computerwillnotproceedwiththeinterview.
5.7 RepositoryofAssurances
A. Acentral repository forthe filingofstatementsof assuranceshasbeenestablishedunder thesupervisionof the
ConfidentialityOfficer.
B. Each organizational unit ofNCHS,whichhas givenstatements ofassurances,will forward copies ofall such
statementstotherepository.Thiswillnormallyincludebut,notbelimitedto,assurancesgivenincontracts,special
letters,brochures,surveyquestionnaires,andforms.
C. TheassurancessubmittedtotheConfidentialityOfficerforapprovalwillbefiledintheRepositoryofAssurances
- 8 -
-
8/10/2019 staffmanual2004.pdf
14/27
asatentativeissuance.Whenallclearanceshavebeenreceivedandfinalprintedcopiesofthesurveyorstudy
materialshavebeenproduced,acopyofthesematerialsisforwardedtotheRepositorytoreplacethetentative
materials.
6. TreatmentofRequestsfor InformationUndertheFreedomofInformationAct
Whenever a request is received for a specified record3
concerning a named individual, that request is subject torequirementsoftheFreedomofInformationAct(FOIA). Withcertainexceptions,thislawrequiresthatFederalagencies
providecopiesofrequestedrecords.Thereare,however,twoimportantexceptionstotherequirementthatusuallyapply
totheCenter.Theyare(1)personalandmedicalfilesandsimilarfiles,thedisclosureofwhichwouldconstituteaclearly
unwarrantedinvasionofpersonalprivacyand(2)mattersspecificallyexemptedfromdisclosurebystatute.Inthecaseof
NCHS, Section 308(d) of the Public Health Service Act specifically exempts personal information from disclosure.
RequeststoNCHSforrecordsunderFOIA,wherethereisanamedindividual,arenotsubjecttoFOIAwhendataare
identifiable.
Policy. If anemployee receivesa request for a record or an item of information that cites the FOIA, he should
immediatelyreferthisrequesttotheNCHSFreedomofInformationActCoordinatorasresponsemustbemadewithin10
days.Anyrequestfor informationwherethere isany doubtas towhether it can beprovided shallbe referredto the
ConfidentialityOfficer.
7. TheProtectionofRecordsandDataSystems
Employees ofNCHSareresponsibleforprotectingallconfidential records from pryingeyes, unauthorizedaccess,
theft,andfromaccidentallossormisplacementduetocarelessness.
OnthissubjectthePrivacyAct,inSection552a(e)prescribesthateachagencyshall:
(9) Establishrulesofconductforpersonsinvolvedinthedesign,development,operation,ormaintenanceofany
systemofrecords,orinmaintaininganyrecord,andinstructeachsuchpersonwithrespecttosuchrulesandthe
requirementsofthissection,includinganyotherrulesandproceduresadoptedpursuanttothissectionandthe
penaltiesfornoncompliance;
(10) Establishappropriateadministrative,technical,andphysicalsafeguardstoinsurethesecurityandconfidentiality
ofrecordsandtoprotectagainstanyanticipatedthreatsorhazardstotheirsecurityorintegritywhichcould
resultinsubstantialharm,embarrassment,inconvenience,orunfairnesstoanyindividualonwhominformationismaintained. . . .
In the case of NCHS, the StaffManual on Confidentiality, taken as a whole, together with other administrative
practices, fully addresses these requirements. Particular attention is directed to two major aspects: the protection of
confidentialrecordsandthesecurityofautomateddatasystems.
7.1PhysicalProtectionofConfidentialRecords
Absoluteprotection of the recordswould be impossible;nevertheless,all reasonable precautionsmust be taken to
protectthem.
ItisthepolicyofNCHSthat:
A. Confidentialrecordsmustbekeptlockedupatalltimeswhentheyarenotbeingused.Thatis,theymustbekept
inlockedcabinetsor inlockedroomsafterbusinesshoursandwheneverthepersonsusingthemarenotpresent.Ifrecordsaremaintainedinelectronicform,themediumonwhichthefilesarestored(floppydisks,CDROMS,
andremovableharddrives)mustalsobekeptinlockedcontainersor, ifmaintainedonacomputer,accesssecured
byall availablemeans(includingkeyboardlocks,passwords,encryption,officelocks,etc.).Personalcomputers
3RecordisdefinedintheDepartmentsregulations (45CFRPart 5) asincludingbooks,brochures,punchcards,magneticfiles,papertapes,sound
recordings, maps, pamphlets,photographs, slides, motion pictures,or other documentary materials...In the caseofNCHS, other examplesof a
recordwouldbevideos,xrays,andtissueorbloodsamplesaswellaselectronicfilesinwhateverformCDROMS,diskettes,etc.
- 9 -
http://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://www.usdoj.gov/foia/privstat.htm -
8/10/2019 staffmanual2004.pdf
15/27
containingconfidentialrecordsshouldneverbemaintainedinanopen,unsecuredspace.Onlyalimitednumberof
staff,asauthorizedbytheDivisionorBranchChief,mayhavekeysorothermeansofaccesstosuchcabinetsor
rooms.
B. Whenconfidentialrecordsareinuse,whetherbythemselvesorviewedoncomputermonitors,theymustbekept
outofthesightofpersonsnotauthorizedtoworkwiththerecords.
C. Exceptasneededforoperationalpurposes,copiesofconfidentialrecords(paperdocuments,electronicfiles,video
recordings,orrecordsofotherkinds)arenottobemade.Anyduplicatecopiesmadeofconfidentialrecordsareto
be destroyed as soon as operational requirements permit. Records not otherwise covered by record retention
regulations(whenindoubt,consulttheNCHS RecordsManagementLiaison) thatarenolongerneededshouldalsobedestroyed.Approvedmeansofdestructionincludeshredding,burning,andmacerating.Shouldreuseof
electronic media (hard drives, rewriteable compact disks) containing confidential records be contemplated,
extremecareshouldbetakennottodisposeofinformationinsuchawaythatitcanberecoveredbyunauthorized
usersof the electronic mediuminvolved.For furtherguidance for the dispositionofpaperand other typesof
records,consulttheNCHSInformationSystemsSecurityOfficer.
D. Paper orelectronic recordscontaining personally identifying information such as respondent name, address,or
socialsecuritynumbershouldbeheldtotheminimumnumberdeemedessentialtoperformtheCentersfunctions,
kept in ahighlysecuremanner, and kept only so long asneeded tocarry outthosefunctions. A writtenjustification
formaintainingfileswiththeseitemsmustbesubmittedtoth eConfidentialityOfficer and,ifapproved,access
restricted to the smallest number of staff consistent with that justification. The justification must include a
statement specifying the timeperiod afterwhich these itemswill no longer beneeded and provision for their
subsequentdeletionordestruction.
E. No record containing direct personal identifiers (name, address, social security or other identifying number,unretouchedvideo, oraudio recording)ofNCHSsurveyrespondentsmaybe electronically sent tooraccessed
fromanemployeesor contractorsalternateworksiteorremovedfromNCHSofficesexceptas requiredinthe
conductofdatacollectionactivities. WorkoutsidetheCenter(whetherathomeoratanalternativeworksite)with
inhousefiles(recordsstrippedofdirectidentifiersbutnotapprovedforpublicuse)mustreceiveapprovalin
advance. Such applications include all cases where confidential data would be accessed from outside NCHS
offices and arenot limited toflexiplace requests.The staff member will agreein writingnot todownload the
contents of confidential files accessed from home or from an alternate work site. Confidential files are not
approved to be used on laptop computers. Other security requirements as dictated by the NCHS Information
SystemsSecurityOfficer mustalsobemet.
F. WhenrecordsaretransferredtotheNationalArchivesandRecordsAdministrationoritsrecordcentersforstorage,
theircontainersmustbesealed.Thestoragecentermustbeadvisedthatnoonemayhaveaccesstothoserecords
exceptasauthorizedoverthesignatureofanappropriateofficialofNCHS.Wheredestructionofrecordsatafuture
date is cited in the NCHS Records Schedule, such destruction of records containing personally identifyinginformationmustbepersonallywitnessedbytheNCHSRecordsManagementLiaison orhis/herdesignee.
G. When records containing names or other direct identifiers are transmitted between NCHS offices or between
NCHS and its contractors, they must bepackaged securelyand sent by the most secure and trackable means
available(e.g.,FedEx,personalmessenger,ordirectlybyNCHSstaff).
H. ConfidentialrecordsmaynotbereleasedoutsideNCHS(toanotheragency,contractor,orotherparty)unlessthat
releaseisconsistentwiththeassuranceofconfidentialityunderwhichtheyweregatheredandpositiveevidence
(appropriate contract language,a memorandum of understanding,or interagency agreement) that the receiving
partywillprovidethesamelevelofconfidentialityprotectionasthatrequiredofNCHS.Agencystaffandany
contractorsmustbemadeliabletolegalsanctionsiftheconfidentialitypledgeshouldbeviolated,andrecordsmust
bemaintainedby theProgramor Divisionunderwhose direction theinformationwas collected listingallfiles
released(towhomandunderwhatagreement)containingconfidentialinformation.Suchrecordsshouldcoverfiles
madeavailabletootherdivisionswithinNCHSaswellasoutsidetheCenter.
7.2 AutomatedDataProcessingSystemsSecurityGeneral
InachievingthegoalsofthePrivacyActof1974,policyandguidancedocumentshavepointedtotheimportantarea
ofautomaticdataprocessing(ADP)inestablishingsafeguardstoensurethesecurityandintegrityofrecords.Identifiable
NCHSdata areconsidered highly sensitive.TheDHHSAutomated Information SystemsSecurity ProgramManual is
a Departmental directive which provides practices and procedures intended to carry out OMB Circular A130,
regulatesthesecurityofFederalautomatedinformationresources.Appendix 3 oftheCirculardefinesadequatesecurity
- 10 -
http://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.html -
8/10/2019 staffmanual2004.pdf
16/27
as security commensuratewiththe risk andmagnitude of theharm resultingfrom the loss, misuse,or unauthorized
accesstoormodification ofinformation.All technical,personnel, administrative,environmental, andtelecommunica-
tions safeguards necessary toprotect the confidentiality, integrity, andavailabilityof NCHSdatamust be inplace.
OMBCircularNo.A123,ManagementAccountabilityandControlandtheFederalManagersFinancialIntegrityAct
(FMFIA), also are applicable. The FMFIAcarries both fine and imprisonment penalties for misuse of Government
resources. These laws are applicable todata collected byNCHS under308(d). NCHS staff, prior todevelopmentof
contractsorprojects,mustconsultwiththe InformationSystemsSecurityOfficer toensurecompliancewithapplicable
lawsandregulations.
AlthoughtheSystemManageristheFederalofficialwhoislegallyresponsibleforthesystemofrecordssubjecttothePrivacyAct,allotherswhocontrol,handle,orusethedataalsoshareresponsibilityforthesecurityandintegrityofthe
records.TheseincludetheNCHS TopSecretCoordinatorandprogram TopSecretAdministrators,ADPSystemsSecurity
Officer,systemsanalysts,programmers,datapreparationpersonnel,andADPsystemsusers.Contractorswhodealwith
data that come underthe provisions ofthe Public Health ServiceAct and/or the PrivacyAct are subject tothe same
regulationsasareDHHSemployees.
DocumentControl. While not inuse,alldocumentationcontaining or relatingto identifiableinformationmust be
storedinsuchamannerastopreventdisclosure.Thisincludes:
A. Documentationoffunctionalandprogramspecifications;
B. Documentationillustratingrecordlayoutsoffilescontainingpersonaldata;
C. Documentationcontainingdescriptionsofinternalcontrolsandaudittechniquesemployedwithinthesystem;
D. Anyotherhardcopyassociatedwithconfidentialinformation;
E. Computerprogramlistingsandsourcedecks;
F. Documentationproductionrunprocedures;and
G. Documentationrelatedtostatisticaldisclosurelimitationproceduresanddisclosurereview.
AllADPsystemsusersshouldfamiliarizethemselveswiththecontentsoftheDHHSAutomatedInformationSystems
SecurityManual.Centerpersonnelarerequiredtocomplywiththeregulationsinthismanual.
8. AuthorizedDisclosures
GoverningPrinciples.NCHSactionisgovernedorconstrainedbyfourprinciples:
A. Theactionleadingtodisclosuremustbeclearlywithintherelevantlawsandregulations,andifthereisanydoubt,
theadviceoflegalcounselshouldbesought.B. TheCentermustalwaysbecandidwithrespondents,makingitclearwhowillhaveaccesstoindividualresponses
andforwhat(general)purposethedataarebeingcollected.
C. Anessentialrequirementforreleaseofdatais theconsentoftherespondent.
D. ThereleaseofconfidentialdatamustbecarriedoutunderagreementasdescribedinSection8.3.
8.1 Disclosureto theParentLocatorService
With but one exception, no informationabouta person orestablishment may bedisclosed toanyone without the
informedconsentofthepersonorestablishmentsupplyingtheinformationordescribedinit.
Thatsingleexceptioniscontainedinthe1974AmendmentstotheSocialSecurityActrelatingtotheParentLocator
Service(42U.S.C.653)whichreadsinpart:
(b)Uponrequest,filedinaccordancewithSubsection(d),ofanyauthorizedperson(asdefinedinSubsection(c))forthemostrecentaddressandplaceofemploymentofanyabsentparent,theSecretaryshall,notwithstandingany
otherprovision of law, provide through the Parent Locator Service such information to such person, if such
information(l)is containedinanyfilesorrecordsmaintainedby theSecretaryorbytheDepartmentof Health,
Education,and Welfare. . . .
ItseemsunlikelythatanyinformationinthefilesofNCHSwouldeverbeusefultotheParentLocatorServicein
locating absent parents. However, if any such request were ever received, it should be referred immediately to the
ConfidentialityOfficer,whowilldecidetheactiontobetaken.
- 11 -
http://www.whitehouse.gov/omb/circulars/a123/a123.htmlhttp://www.whitehouse.gov/omb/circulars/a123/a123.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.whitehouse.gov/omb/circulars/a123/a123.html -
8/10/2019 staffmanual2004.pdf
17/27
-
8/10/2019 staffmanual2004.pdf
18/27
interdepartmental transfer of data may be done only with the express approval of the Director of NCHS under an
agreementasdescribedinSection8.4.Inaddition,NCHSwouldnottransferanyconfidentialdatatoanotherdepartment
withoutpositiveassurance that thedatawillbeusedonlyfor theauthorizedpurposeand that theconfidentialityof the
datawillbeprotectedquiteaseffectivelyintheotherorganizationasitwouldbebyNCHS.NCHSreservestherightnot
totransferconfidentialdata toanyoneif it isnotconvinced thatthosedatawillbehandledappropriately.
8.6
Special
Cooperative
or
Contractual
Arrangements
NCHS may be a party to any of several types of arrangements in which the Center is but one of two or moreorganizations that are collecting, processing, or using data under a joint or cooperative agreement. These types of
situationsarenotdiscussedindetailinthismanual,butthreeprominentclassesofcasesareidentified:
A. Aspecialsituationprevailsin the VitalStatisticsCooperativeProgram,wheretheStateisthecollectorunderits
own law. The Center uses the data under a contractual arrangement with the State, which fills the role of
respondentinthiscontext.TheCenterabidesbythetermsofthecontracts,althoughitcanexercisenocontrolover
how the Statemanages other confidentiality aspects of its documents. Under the terms of the Statecontracts,
NCHSwillnotpermitaccesstoindividualdocumentsthatmaybeinitspossessionforcodingpurposes;norwill
NCHSgivethekey(certificatenumber)toindividualcertificatestoanyonewithouttheexpresswrittenconsent
oftheState(registrationarea).Underspecialarrangements,NCHSmakesavailabletothepublicmicrodatafiles
containingpersonrecordinformation.
B. Contractualarrangementsexistinwhichanotherpersonororganizationeither(1)providesaservicesuchasfield
collectiontoNCHS,or(2)undertakesanalysisofdataprovidedbyNCHSand,ineithercase,hasaccessanddefactocontrolofmicrodata.(SeeAppendix Aforconfidentialityrequirementsinsuchcontracts.)
C. Other instruments that legally obligate other parties to NCHS nondisclosure rules and obligations include
professional service contracts, task orders, intergovernmental personnel act (IPA) appointments, unfunded
memoranda ofagreement, interagency, andintraagency confidentiality agreements.If notalreadyincluded, the
languagecontainedinAppendixAmustbemadepartofallsuchdocuments.
Certification(NCHS Confidentiality Pledge)must be includedwithin these documentsindicating that theparty or
partiesreceivingidentifiableNCHSdataunderstandtheirobligationtoabidebyallNCHSru lesandregulations.Specific
wordingforeachdocumentofthistypeshouldbedevelopedinconsultationwiththeNCHS ConfidentialityOfficerwho
must,alongwiththeNCHSDirector,approvethefinalwording.
9.
Avoiding
Inadvertent
Disclosures
Through
Release
of
Microdata
ItisCenterpolicytomakeitsfilesonindividualelementarydataunitswidelyavailabletothescientificcommunity
sothatadditionalanalysescanbemadeofthesedataforthecountrysbenefit.Thescientificcommunityhasshowngreat
interest insuchfiles,andmanyrequestsfortheCenterselectronicfilesarereceivedeachyear.
9.1
Problem
A microdatafileconsistsofindividualrecordseachcontainingvaluesofvariablesforasinglepersonorestablishment.
Evenwhenallpersonalidentifiersareremoved,alargeamountofinformationremains,andthisinformationmayidentify
NCHSrespondentsto apersonwhohasaccessto that informationfromanothersource.Forexample,if filedescriptors
indicatethattherespondentisaPh.D.inthe3034yearsagegroupwhoreportshis/herraceaswhiteandlivesinthe
Northeastsectionofthecountry,therespondentisnotidentifiable.If,however,thefileindicatesthathisageis31,thathe
ismarriedtoa42yearoldwomanwhoreportsherraceasAsian,hasthreechildren,andlivesinLitchfieldCounty,Conn.,therespondentmaynowbeidentifieduniquely,andallinformationinthefileabouthimandhisfamilywouldbedisclosed
toanyonewithaccesstothefile(whocouldthenidentifythepersonfromthegivensetofcharacteristicsorbymatching
thisinformationtothatcontainedinanotherfilecontainingtherespondentsname).Theplaceofresidence,especially
whenitisnotaheavilypopulatedarea,isparticularlyusefulintheidentificationprocess.Moreover, if it isknownthata
particular person or establishment has been selected in the sample, chances are much better that the person or
establishmentcan beidentified. Insuchcases, informationmaybeknown toa potential intruderwho can beusedto
establishidentity.
- 13 -
-
8/10/2019 staffmanual2004.pdf
19/27
Itshouldberecognizedthattheinformationgainedbyanintruderneednotbe exact torepresentadisclosureifit
pertainstoanidentifiedindividual. Tables(seeSection10),generatedusingmicrodatafiles,shouldtakeintoaccount
thatitmaybepossibletoassociaterangesofvaluesofcertainvariables(e.g.,income,age)withotherinformation.This
is particularly applicable to files containing establishment data. In addition, it may be possible to use certain other
informationcontainedinthemicrodatafiletoidentifyanindividualorestablishment.Amoredetaileddiscussionofthese
pointsisfoundinSection10.1.
ThelowratiosamplethattheCenterusesinitssurveyswouldusuallyfrustrateapersonwhoistryingtolocatea
known individual in the Centerssurvey files. From time to time,however, an individual orestablishment may have
characteristicsrarelyencounteredin thepopulationfromwhicha sampleisdrawn.Theonlyabsolutelysurewaytoavoiddisclosurethroughmicrodatafilesis torefraincompletelyfromreleasingany
microdata files,but this would deprive theNationofagreat deal ofveryimportanthealth research.It is theCenters
policy to release microdata files for purposesofstatistical researchonly when the risk ofdisclosure is judged tobe
extremelylow.Inordertomakesuchjudgments,theCenterhasestablisheda DisclosureReviewBoard(DRB)which
meets regularly to consider proposals for public release of microdata files and makes recommendations to the
ConfidentialityOfficer.
Allmicrodatafilesintendedforpublicreleasemustbe submittedforreviewby theNCHSDRB.
9.2Rules
Thefollowing rules apply toall files releasedby NCHSthat containany informationabout individual personsor
establishments,exceptwherethesupplierofinformationwastold,priortohisgivingtheinformation,thattheinformationwouldbemadepublic:
A. Beforeanynewor revisedmicrodata files arepublished, they, togetherwiththeir full documentation, must be
approvedforpublicationbyth eConfidentialityOfficerwhowillrelyuponassistancefromtheNCHSDisclosure
ReviewBoardinreachingdecisions.
B. Thefilemustnotcontainanydetailedinformationaboutthesubjectthatcouldfacilitateidentificationand
that is not essential for research purposes (e.g., exact date of the subjects birth, excessive detail for
occupation,extremevaluesofincomeandage,detailedraceorethnicityforsmallandhighlyvisiblegroups,
and other characteristics that would make an individual or establishment easier to identify). It is
recommendedthatthefollowingbeconsultedconcerningpossibletechniquesthatwouldpermitthemaximum
amountofinformationtobereleasedconsistentwithsoundprinciplesofstatisticaldisclosurelimitation:The
ConfidentialityandDataAccessCommitteesChecklistonDisclosurePotentialofDataandStatisticalPolicy
Working
Paper
22,
Report
on
Statistical
Disclosure
Limitation
Methodology.
Office of Information andRegulatoryAffairs,OfficeofManagementandBudget.
C. Geographicplacesthathavefewerthan100,000peoplearenottobeidentifiedonthefile.Dependinguponthe
statisticalstructureof afileandothercircumstances,ahigherfiguremaybeemployed.Itistheresponsibilityof
theprogramproposingthedatareleasetodeterminethedisclosureriskassociatedwiththeproposedminimumsize
ofgeographicareastobeidentified.
D. Characteristicsofanareaarenottoappearonthefileiftheywoulduniquelyidentifyanareaoflessthan100,000
people(e.g.,avariabledescribingthesizeofametropolitanareainwhicharespondentwasinterviewedproviding
foracategoryoflessthan100,000inafilewherearegionisalsoprovided).
E. Informationonthedrawingofthesamplethatmightassistinidentifyingarespondentmustnotbereleasedoutside
theCenter.Thus,theidentitiesofprimarysamplingunits(PSUs)arenottobemadeavailableoutsidetheCenter
exceptinlimitedcircumstancesandasapprovedbythe ConfidentialityOfficer.Whensuchcircumstancesrequire
thedisclosureoftheidentityofareasinwhichdatacollectionactivitiestakeplace,thesurveymanagermustensure
thatallinformationforthissurveyproposedforreleasetakeintoaccountthegreaterriskofidentificationbecauseofthisexception.ThedecisionastowhetherPSUidentitiesaretobemadepublicshouldbemadebeforedataare
collectedandplansfordatareleasefinalized.
Thissection hasdescribedprocedures fordisclosure review andprotection of microdata files.Any tabulations or
statisticalmeasuresbaseduponfilessopreparedandapprovedforpublicreleasebytheNCHSConfidentialityOfficer
wouldmeetNCHSrequirementsfordisclosureprotectionand,alongwiththemicrodata,canbereleasedtothepublic.In
othercases,wheretabulationsarebasedupondatainaformnotapprovedforpublicuse,proceduresinthefollowing
sectionmustbefollowed.
- 14 -
http://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdf -
8/10/2019 staffmanual2004.pdf
20/27
9.3 RestrictedAccess toMicrodataFilesWith IdentifiableData
Undercertaincircumstances,accesstomicrodatafilescontaininghighlevelsofdetailsuchasdescribedin9.2B,C,
orD,maybegrantedtoresearchersintheNCHSResearchDataCenter(RDC)orbymeansoftheNCHSRemoteData
Access System. In the RDC, analytical manipulation of elements of confidential files not released to the public is
permitted.Filescontainnonames,addresses,orotherdirectidentifiers.Becausetheremaininginformationwouldrequire
complex manipulation with other informationnot permitted inoraccessible from the RDC inorder to reidentifyan
NCHSrespondent, theresearcherhas,ineffect,noaccesstoidentifiableinformation.Nevertheless,no statisticaloutput
can be removed from the RDC withoutbeingsubjected tostatisticaldisclosure analysisbyRDC staff, and access to
informationwithintheRDCishighlyrestricted.Requests for tabulations may also be submitted electronically. No direct access to confidential files is permitted,
however,andonlythosetabulationsthathavebeensubjecttostatisticaldisclosureanalysisaretransmittedbacktothe
requestor.
10. AvoidingInadvertentDisclosuresinPublishedTabularData
Theprevious sectionconsidered detailedprocedures fordisclosure review andprotection of microdata files made
availableforpublicuse.AnytabulationsorcalculationsbasedupondatasopreparedandapprovedwouldmeetNCHS
requirementsfordisclosureprotectionand,alongwiththemicrodata,canbereleasedtothepublic.Whereatabulationis
basedupondatain aformnotapprovedforpublicuse,the followingproceduresmustbefollowed.
10.1
Types
of
Disclosure
Centerpolicyrecognizesandattemptstodealwithseveralclassesofinformationdisclosure:
A. Exactversusapproximatedisclosures.Exactdisclosureis thedisclosureofaspecificcharacteristic,suchasrace,
sex, or a particular pathological condition. Approximate disclosure is the disclosure that a subject has a
characteristicthatfallswithinacertainrangeofpossibilities,suchasbeingbetween45and55yearsofageor
having an income between $15,000 and $25,000. An approximate disclosure may in a given situation be
consideredharmlessbecauseofitsindefinitenature.
B. Probability-basedversuscertaintydisclosures.Datainatablemayindicatethatmembersofagivenpopulation
segmenthavean80percentchanceofhavingacertaincharacteristic;thiswouldbeaprobabilitybaseddisclosure
as opposed to a certainty disclosure of information on given individuals. In a sense, every published table
containingdataorestimatesofdescriptorsofaspecificpopulationgroupprovidesprobabilitybaseddisclosureson
membersofthatgroup,andonlyinunusualcircumstancescouldanysuchdisclosurebeconsideredunacceptable.
Itispossiblethatasituationcouldariseinwhichdataintendedforpublicationwouldrevealthatahighlyspecific
group had an extremely high probability of having a given sensitive characteristic; in such a case the
probabilitybaseddisclosureperhapsshouldnotbepublished.
C. Internalversusexternaldisclosures.Internaldisclosuresarethosethatresultcompletelyfromdatapublishedfrom
oneparticularstudy.Externaldisclosuresoccurwhenoutsideinformationisbroughttobearuponthestudydatato
createdisclosures.Thispossibilitymustberecognizedinanydisclosureanalysis.
10.2Problem
In an effort to make available to the public a full set of information on a given subject, statisticians mayand
sometimes dopresent so much detail in published tabulations that they accidentally reveal confidential information
aboutparticularstudysubjects.When completecountdataarebeingtabulated*thismayhappeninthefollowingways:
1. All casesin lineyi ofa statisticaltable fall inthecell incolumnxi.We thenknow that any individual inthepopulationwithcharacteristicyi alsohascharacteristicxi.
2. Cellxiyigivesthetotalincomeofallindividualswithcharacteristicsxiandyi. Ifthereareonlytwoindividuals,a
andb, inthepopulationwiththatcombinationofcharacteristics,thena,knowinghis/herownincome,willbeable
todeterminebsincomebysimplesubtraction,and bwillalsobeabletodetermineasincome.
*Aswhenallcases in a givenstratumhavebeenincluded in asample or allvitaleventsaretabulated.
- 15 -
http://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htm -
8/10/2019 staffmanual2004.pdf
21/27
Inaddition,whenestablishmentdataareinvolved:
1. Atablegivesthetotalannualreceiptsforallfivenursinghomesincountym.However,nursinghome aismuch
largerthanalltherestcombined;itaccounts,infact,forthreefourthsofallnursinghomereceiptsinthecounty.
Knowingthecountytotal,themanagerofnursinghomeaisabletocalculatetheincomesoftheotherfourhomes,
atleastwithinsomefairlynarrowlimits.
2. Ametropolitanstatisticalarea(MSA)containstwocounties,aandb.Fourhospitalsarelocatedincountyaand
onlyoneincounty b.Astatisticalreportispublished,givingconfidentialhospitaldatatotaledforeachSMSA.
Anotherreportispublishedwithconfidentialdataonhospitalsbycounty,butonlyforcountieswiththreeormore
hospitals. Using the two reports, one can subtract the data for county a
from the SMSA data, deriving theconfidentialdataforthelonehospitalincountyb.
Theseexamplesimplytheexistenceofseveralgeneraltypesofsituationsinwhichstatisticaldisclosuremayoccur. An
additional possibilitymay be found ina groupof threeormore tables ofsubsets of a givenpopulation from which
disclosuresarepossiblethroughthesolutionofsimultaneousequations.CenterguidelinesassetforthinSection10.3take
intoaccounttheseveralpossibledisclosuresituations.
10.3 SpecialGuidelines forAvoidingDisclosure
Exceptwhereotherwiseindicated,thefollowingguidelinesapplytoallCenterpublicationsofstatistics:
A. Innotableshouldallcasesofanylineorcolumnbefoundina singlecell.
B. Innocaseshouldthetotalfigurefora lineor columnofacrosstabulationbelessthanfiveunweightedcases.C. Innocaseshoulda quantityfigurebebaseduponfewerthanfiveunweightedcases.
D. Innocaseshouldaquantityfigurebepublishedifonecasecontributesadisproportionateamounttothetotal.A
minimumpercentagefigureshouldbeadoptedforthispurposeandthisfigureshouldnotbepubliclyreleased.
E. Inno case should dataonan identifiable case,norany ofthekindsof data listed inpreceding itemsAD,be
derivablethroughsubtractionorothercalculationfromthecombinationoftablespublishedonagivenstudy.
F. DatapublishedbyNCHSshouldneverpermitdisclosurewhenusedincombinationwithotherknowndata.
Reportwritersaretofollowtheseguidelines.Itistheresponsibilityofallbranchchiefstoseethattheseguidelinesare
followed.Inapplyingthem,branchchiefsarenotrequiredtoconsultwiththeNCHSConfidentialityOfficer.However, if
aguidelineappearsunreasonableinagivensituation,approvalforaspecialexceptionshouldberequestedfromtheNCHS
ConfidentialityOfficer.
Aspecificexceptionnotrequiringspecialapprovalappliesinthefieldofvitalstatistics.Ithasbeenalongstanding
traditioninthefieldofvitalstatisticsnottosuppresssmallfrequencycellsinthetabulationandpresentationofdata.For
example,ithasbeenconsideredimportanttoknowthatthereweretwodeathsfromrabiesinRioArribaCounty,NewMexico,inagivenyear,orthattherewereonlyoneinfantdeathandtwofetaldeathsinAitkinCounty,NewMexico.
Public release of such tabular data is consented to by data providers and is in the interest ofpublic health. Special
proceduresforthereleaseofmicrodatawithlowlevelsofgeographyand/orexactdateofavitaleventareinplaceandare
describedathttp://www.cdc.gov/nchs/nvss.htm.
10.4
Evaluating
a
Disclosure
Problem
Theremaybemitigatingcircumstancesinagivensituationthatmaymakeitacceptabletopublishdatathat,strictly
speaking,couldresultindisclosures.Suchcircumstancescouldprovidegroundsforrequestingthespecialexception
tothepreviouslynotedrules:
A. Whendatainastudyarebaseduponasmallfractionsample,forexample,lessthan10percentoftheuniverse,it
mightgenerallybeassumedthatdisclosurewillnotoccurthroughpublishedtabulations.However,therecouldbeexceptions.Somuchdetailmaybepresentedthatanindividualuniqueinthepopulationisidentifiedthroughthe
tables ora member of the sample may find himself/herself and others in the data.The usualrules precluding
publicationofsampleestimatesthatdonothaveareasonablysmallrelativesamplingerrorshouldpreventany
disclosuresfromoccurringintabulationsfromsampledata.Thisdoesnotabsolvethereportwriterfromreviewing
tabulationsusingtheprinciplespresentedinthissection.
B. The existence oferrors orimputations in the data brings some small reduction in the likelihood ofdisclosure
throughtablepublication.
- 16 -
http://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htm -
8/10/2019 staffmanual2004.pdf
22/27
C. Incompletenessofreporting,whichoftenoccursevenwherestudiesaresupposedtoinclude100percentofagiven
groupin thepopulation,alsoreducesthecertaintyofanydisclosuretakingplacethroughpublicationofdata.
D. In some instances the danger of disclosure might be mitigated by the fact that the data in question have no
sensitivity. They may already have appeared in a published directory, or th