staffmanual2004.pdf

8/10/2019 staffmanual2004.pdf

1/27


2/27

National Center for Health Statistics

Edward J. Sondik, Ph.D., Director

Jennifer H. Madans, Ph.D., Acting Co-Deputy Director

Michael H. Sadagursky, Acting Co-Deputy Director

Jennifer H. Madans, Ph.D., Associate Director for Science

Jennifer H. Madans, Ph.D., Acting Associate Director for

Planning, Budget, and Legislation

Michael H. Sadagursky, Associate Director for

Management and Operations

Lawrence H. Cox, Ph.D., Associate Director for Research

and Methodology

Margot A. Palmer, Director for Information Technology

Margot A. Palmer, Acting Director for Information Services

Linda T. Bilheimer, Ph.D., Associate Director for Analysis,

Epidemiology, and Health Promotion

Charles J. Rothwell, M.S., Director for Vital Statistics

Jane E. Sisk, Ph.D., Director for Health Care Statistics

Jane F. Gentleman, Ph.D., Director for Health Interview

Statistics

Clifford L. Johnson, Director for Health and Nutrition

Examination Surveys


3/27

Foreword

TheNCHSStaffManualonConfidentialitywasoriginallypublishedin July1978andreprintedinApril1980and

inAugust1997.Itwasreissuedinearlieryearsmainlytoinformstaffofchangesinlawsandregulations.Inviewof

themanychangesintechnologiesrelatedtodatahandlinganddisseminationthathavetakenplacein recentyears,new

proceduresandpolicieshavebeendevelopedrequiringanextensiverevisionoftheManual.

Theconfidentialityof recordsisamatterofprimaryconcerntotheNationalCenterforHealthStatistics(NCHS).

InordertoelicithealthinformationfromtheAmericanpeopleandfromthehealthcareprovidersthroughoursurveys,

wemustbeableto assurethemthatthisinformationwillbeprotectedfromtheeyesandearsofallunauthorized

persons.Thismeansthatwemusthavestronglawsenablingus toprotect theserecords,andthatwemustestablish

andfollowprocedurestogivethemsuchprotection.ThisManualstatestheCenterspoliciesthatimplementFederal

lawandensurethatallconfidentialinformationwillbe fullyprotected.Itshouldbeviewedinunisonwiththe

NCHSdatareleasepolicies addressingaccesstodataandNCHSResearchEthicsReviewBoardRequirements .The

NCHSDirectorretainstheauthority toallowexceptionstopoliciescontainedinthismanualwherethereareuniqueor

specialcircumstances.

TheCenterisproudofitsrecordinprotectingitsfilesfromimproperdisclosures,andit isveryimportantthatwe

continuetodoso.Thecontinuingsuccessofourworkdependson it.Therefore, I amcountingoneverymemberofthestaff oftheCenter, aswellasthosewhoworkwithNCHS,tokeepacopyofthisManualhandy, to bethoroughly

familiarwithitscontents,andtoabideby thepoliciesinthemanualcarefullyandconscientiously.

EdwardJ.Sondik,Ph.D.Director
http://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdf


4/27

Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2. Legislative and Regulatory Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2.1 Section 308(d) of the Public Health Service Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2.2 PrivacyActof1974 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.3 ConfidentialInformationProtectionandStatisticalEfficiencyAct. . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2.4 Freedomof InformationAct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2.5 Federal Law Governing Federal Employees Behavior. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3. Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4. EmployeeResponsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44.1 Division and Office Directors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.2 ConfidentialityOfficer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.3 SupervisorsResponsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.4 Individual Federal Employees Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4.5 Contractors and Agents Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4.6 Collaborators Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4.7 Administrative Officers Responsibilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5. NCHS Policies on Consent and Assurances ofConfidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5.1 Consent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5.2 Assurances of Confidentiality. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

5.3 Responsibility for Formal Assurances of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5.4 DataCollected Directly FromIndividuals orEstablishments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5.5 Data Collected From Another Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.6 Data Collected Over the Telephone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.7 Repository ofAssurances. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

6. TreatmentofRequestsforInformationUnderFreedomofInformationAct. . . . . . . . . . . . . . . . . . . . . . . 9

7. The Protection of Confidential Records and Data Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

7.1 Physical Protection of Confidential Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

7.2 Automated Data Processing Systems Security General. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

8. Authorized Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

8.1 Disclosure to the Parent Locator Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

8.2 DisclosuresPermittedbySection308(d)ofthePublicHealthServiceAct. . . . . . . . . . . . . . . . . . . 12

v


5/27

8.3 Disclosures Within NCHS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

8.4 Disclosures Within the Department. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

8.5 Transfers ofData toOtherDepartments of theFederalGovernment. . . . . . . . . . . . . . . . . . . . . . . . . 12

8.6 Special Cooperative or Contractual Arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

9. AvoidingInadvertentDisclosures ThroughRelease ofMicrodata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

9.1 Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

9.2 Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149.3 Restricted Access toMicrodata Files WithIdentifiable Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

10. Avoiding Inadvertent Disclosures in Published Tabular Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

10.1 Types of Disclosure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

10.2 Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

10.3 Special Guidelines for Avoiding Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

10.4 Evaluating a Disclosure Problem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

10.5 Measures to Avoid Disclosure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

11. AvoidingDisclosure in Other Types of Published Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Appendixes

AppendixA.RequirementsRelatingtoConfidentialityandPrivacyinDataCollectionandData Processing Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

I. Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

II. Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

III. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

SafeguardsforIndividualsandEstablishmentsAgainstInvationsofPrivacy . . . . . . . . . . . . . . . . . . . . . 18

Appendix B. NCHSNondisclosure Affidavit for FederalEmployees. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Appendix C. NCHS Nondisclosure Affidavit for Contractors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Appendix D.Confidentiality, Security, and Related ContactPersons. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

vi


6/27

NationalCenterforHealthStatisticsStaffManualonConfidentiality

1.

Introduction

Confidentialityprotectionhasmanyaspects.Thismanualattemptstodealwithmostofthem.Informationandrules

arepresentedgoverning:

A. Legalrequirementsandpenalties,

B. Employees1 responsibilities,

C. Promiseofconfidentialitytorespondents,

D. Treatmentofrequestsforinformation,

E. Physicalprotectionofrecords,

F. Disclosuresthatmaybepermitted,

G. Avoidanceofunintentionaldisclosuresthroughpublisheddata,

H. Maintenanceofconfidentialityin thereleaseofmicrodata,and

I. Requirementsplacedoncontractors.

2. LegislativeandRegulatoryBackground

TheHealthServicesResearchandEvaluationandHealthStatisticsActof1974(P.L.93353)establishedNCHSin

law.Indoingso,itmandatedthatNCHSmakestheinformationitcollectsavailableonaswideabasisaspracticable.

However, it placed a veryimportantrestriction on themanner in which this was to beaccomplished byenjoining NCHS

tostrictlyobservetheassurancesofconfidentialityprovidedtoitsrespondents.Makingusefulhealthstatisticsavailableto

asmanypeopleaspossibleisveryimportant,butitisequallyimportanttodosoinamannerthatwillnotinanywayharm

theprovidersofthesestatistics.

Althoughitisamatterofprinciple,aswellasgoodstatisticalpractice,fortheCentertomaintaintheconfidentiality

ofrecords,asetoflawsandregulationsexiststhatrequiresandpermitstheCentertodoso.

2.1

Section

308(d)

of

the

Public

Health

Service

Act

(42

U.S.C.

242m(d))

ThissectionprovidesthebasiclegalrequirementforprotectingtheCentersrecords.Itreads:

No information, if an establishment or person supplying the information or described in it is identifiable,obtainedinthecourseofactivitiesundertakenorsupportedundersection242b,242k,or242lofthistitlemaybeusedforanypurposeotherthanthepurposeforwhichitwassuppliedunlesssuchestablishmentorpersonhasconsented(asdeterminedunderregulationsoftheSecretary)toitsuseforsuchotherpurpose;andinthecaseofinformationobtainedinthecourseofhealthstatisticalorepidemiologicalactivitiesundersection242bor242kofthistitle,suchinformationmaynotbepublishedorreleasedinotherformiftheparticularestablishmentorperson supplying the information or described in it is identifiable unless such establishment or person hasconsented(asdeterminedunderregulationsoftheSecretary)toitspublicationorreleaseinotherform.

Thissectionoftheactisinterpretedasfollows:WhenevertheCenterrequestsinformation,itapprisesthepersonor

agencysupplyingtheinformationastotheusestobemadeofit.ThefirstclauseofSection308(d)guaranteesthatthereaftertheCenterwillbelimitedtothoseusessospecifiedtothe

supplier.

1Wherever the word employees is used in this document, contractors, agents, fellows, and all other persons whohave signed a nondisclosure

agreement (AppendixAor B)arealsoincluded.

- 1 -
http://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.html


7/27

The second clause states that the Center may never release identifiable information (See Section 3. Definitions)

without the advance, explicit approvalof the person or establishment supplying the informationorby the person or

establishmentdescribedintheinformation.

Access to information in identifiable form maybe grantedonly tostaff ofNCHS, its qualified agents, and those

collaboratorsandotherparties(includingotherFederalagencies)explicitlydescribedinthesurveyconsentstatement,and

maybeemployedbythemonlyinactivitiesdirectlyaimedatachievingthespecificpurposesasconveyedtorespondents.

2.2 PrivacyActof1974(5U.S.C.552a)

ThisactalsoprovidesfortheconfidentialtreatmentofrecordsofindividualsthataremaintainedbyaFederalagency

that areretrieved byeither theindividualsname orsomeother identifier. Thislaw alsorequires that suchrecordsin

NCHSaretobeprotectedfromusesotherthanthosepurposesforwhichtheywerecollectedwithouttheconsentof the

individualunlessauthorizedbythePrivacyAct.Itfurtherrequiresagenciesto(1)collectonlythatinformationnecessary

toperformagencyfunctions;(2)publishdescriptionsofdatasystemscontainingnamesorotherdirectidentifiers(called

systems of records)so that thepubliccanlearnwhatidentifiable recordsare maintainedby theagency;(3) inform

individualsatthetimeofdatacollectionastothelegislativeauthorityunderwhichitisrequested,whethertherequestis

mandatoryorvoluntary,theconsequences,ifany,ofnonresponse,andthepurposesandusestobemadeofthedata;(4)

maintain no records on how an individual exercises his rights under the first amendment except with special legal

authorization; (5) with certainexceptions, permit individuals to examine recordsmaintained about themselves and to

challenge the accuracy of those records; (6) establish rules of conduct governing persons involved in collecting and

maintainingrecords; and(7) establishappropriateadministrative, technical, andphysical safeguards toprotectrecords.

Employeesofagenciesandtheircontractorssubjecttotheactwhowillfullydisclosepersonalinformationcontrarytothelaw,orwhofailtogivenoticeofasystemofrecords,maybefinedupto$5,000,andtheagencymaybesuedfordamages.

Finally,theactplacessevererestrictionsontheuseofanindividualsSocialSecuritynumber,suchthattheCenteris

precludedfromcollectingandusingthemwithouttheexplicitconsentofrespondents.

The Department of Health and Human Services (DHHS) has allowed NCHS to have a K4 exemptionfor its

statisticalsystems,aspermittedunderthePrivacyAct.ThismeansthatNCHSdoesnothavetoallowsubjectsofitsdata

filestohaveaccesstotherecordsaboutthemselvesinthosefiles.ThisexceptiontoPrivacyActrequirementsispermitted

becauseNCHSdoesnothaveinitsdatafilesanyrecordsthatareusedinanydirectwaytoaffecttherights,benefits,or

privilegesofpersonswhoserecordsexistinthesefiles;rather,thefilesareusedstrictlyforstatisticalandrelatedpurposes.

TheCenter,however,mustcomplywithallotherrequirementsofthePrivacyAct.

ItmustbestressedthatwhileunderthePrivacyActidentifiableinformationmaybereleasedtoanumberofparties

suchastheGeneralAccountingOffice,eitherhouseofCongress,andcourts,theprovisionsofSection308(d)ofthePublic

HealthServiceAct,whicharemuchmorestrict,wouldtakeprecedence.Withouttheconsentofrespondents,identifiable

information

will

not

be

shared

with

such

parties.Regulations (45CFRPart5b) havebeenpublishedbyDHHSprovidingforimplementationofthePrivacyActwithin

thisDepartment.Allemployeesareboundtocomplywiththeseregulations.

2.3 Confidential InformationProtectionandStatisticalEfficiencyAct

(NOU.S.CODELINKAVAILABLEATPRESENT.ConsultKathyMoss.)

Thislegislationestablishesstrongstandards fortheprotectionofconfidentialdataprovidedto Federalagencies for

statisticalpurposes.Thislawrequiresthatalldatacollectedforstatisticalpurposesundera pledgeof confidentialitybe

used only for statistical purposes. As such, it covers all data collections currently undertaken by the Center. It also

providesstrongcriminalpenaltiesforunauthorizeddisclosureofconfidentialstatisticalinformation.Concerningfinesand

penalties,theactstates:

Whoever, being anofficer, employee,or agent ofanagencyacquiringinformation forexclusivelystatisticalpurposes,...comesintopossessionofsuchinformationbyreasonofhisorherbeinganofficer,employee,oragentand,knowingthatthedisclosureofthespecificinformationisprohibitedundertheprovisionsofthistitle,willfullydisclosestheinformationinanymannertoapersonoragencynotentitledtoreceiveit,shallbeguiltyofaclassEfelonyandimprisonedfornotmorethan5years,orfinednotmorethan$250,000,orboth.

ThisActdoesnotdiminishanyconfidentialityprotectionsuchasNCHS308(d)authorityorthoseofthePrivacyAct.

- 2 -
http://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://www.law.cornell.edu/uscode/html/uscode44/usc_sec_44_00003501----000-notes.htmlhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5bhttp://www.usdoj.gov/foia/privstat.htm


8/27

TheAct alsoauthorizes thedesignationof agents toperformstatisticalactivities.These agents functionunder the

supervisionofNCHSemployeesandaresubjecttothesameprovisionsoflawwithregardtoconfidentialityasanNCHS

employee.

2.4

Freedom

of

Information

Act

(FOIA)

(5

U.S.C.

552)

Firstpassed in1967andamendedmost recentlyin 1996, this act requiresFederalagencies tomaketheir records

availabletopersonswhorequestthem.WhileFOIAseekstomakegovernmentinformationmorewidelyavailable,itdoes

notunderminetheprivacyprotectionrequiredunderthelawsjustcited.Severalkindsofrecordsarespecificallyexemptedfrom the disclosure requirements of the FOIA. Two exclusions provided in Section 552(b) of the act are of special

relevance:Subsection(6)exemptspersonalandmedicalfilesandsimilarfilesthedisclosureofwhichwouldconstitute

aclearlyunwarrantedinvasionofpersonalprivacyandSubsection(3)providesthatmattersspecificallyexemptedfrom

disclosurebystatutearealsoexcludedfromthedisclosurerequirement.InthecaseofNCHS,theaforementionedSection

308(d)ofthePublicHealthServiceActrepresentsstatutoryprotection.ThusnorecordsthatarecollectedunderthePublic

HealthServiceActandprotectedbySection308(d)ofthatactarerequiredbytheFOIAtobereleasedbyanyone.

RegulationshavebeenpublishedbyDHHSimplementingFOIA.

IntheeventthatNCHSstafforcontractorsreceiveadatarequestcitingtheFOIA,theyarenottoresponddirectly,but

mustrefer therequesttotheNCHSFreedomofInformationCoordinator immediately.

2.5 FederalLawGoverningFederalEmployeesBehavior(18U.S.C.1905)

Thislaw includesthe following provision, which is alsorelevant to themaintenanceof confidentiality forNCHSrecords:

DisclosureofConfidentialInformation

Whoever,beinganofficeroremployeeoftheUnitedStatesoranydepartmentoragencythereof,...

publishes,divulges,disclosesormakesknowninanymannerortoanyextentnotauthorizedbylaw

anyinformationcomingtohiminthecourseofhisemploymentorofficialdutiesorbyreasonofany

examinationorinvestigationmadeby,orreturn,reportorrecordmadetoorfiledwith,suchdepartment

or agency or officer or employee thereof, which information relates to trade secrets, processes,

operations,styleofwork,orapparatus,or totheidentity,confidentialstatisticaldataamountorsource

of any income, profits, losses, or expenditures of any person, firm, partnership, corporation or

association; or permits any income return or copy thereof or any book containing any abstract or

particularthereoftobeseenorexaminedbyanypersonexceptasprovidedbylaw,shallbefinedunder

this title, or imprisoned not more than one year, or both; and shall be removed from office or

employment.

3. Definitions

Throughoutthisdocument,certainkeytermsareusedthatwarrantclearunderstanding.Thereaderiscautionedthat

presentusagemaynotalwayscoincidewithusagebyotheragenciesorentities.

IdentifiableInformationreferstoinformationthatcanbeusedtoestablishindividualorestablishmentidentity,whether

directlyusing items such as name, address, or unique identifying numberor indirectlyby linking data about

respondentswithexternalinformationthatdirectlyidentifiesthem.

ConfidentialInformationisanyidentifiableinformationorinformationassociatedwithidentifiableinformationabout

apersonorestablishmentcollectedunderanassurancethatrestrictsthedegreetowhichtheinformationcanbeshared

withothers.Itisimportanttounderstandthatinformationthatbyitselfwouldnot leadtotheidentityofa respondent,butwhich

coulddosoifcombinedwithinformationalreadyreleased(e.g.,theidentitiesofareasinwhichasurveywasconducted),

mustalsobeconsideredconfidential.

A disclosure occurs when identifiable information concerning an NCHS respondent (including the fact of his

participationinanNCHSsurvey)ismadeknowntoa thirdparty.Disclosuresmaybeauthorized(aswhenarespondent

hasconsented to theinformationbeing sodivulged),unauthorized (aswheninformationis intentionally revealedto a

partynotconsentedtobytherespondent),or inadvertent(aswhenatabulationorfileisunintentionallymadeavailableto

- 3 -
http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htmhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.fcsm.gov/committees/cdac/IdentCDAC3.pdfhttp://www.hq.nasa.gov/ogc/commercial_intnl/18usc1905.htmlhttp://cfr.law.cornell.edu/cfr/cfr.php?title=45&type=part&value=5http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2.htm


9/27

the public that reveals or can beused to reveal personal informationprovidedbyanNCHS respondent). Authorized

disclosuresarediscussedinSection8,whilethepreventionof inadvertentdisclosureistreatedinSections9and10.

Anagentisapersondesignatedbyanagencytoperform,eitherinthecapacityofaFederalemployeeorotherwise,

activitiesauthorizedbylawandspecifiedinawrittendocumentunderthesupervisionorcontrolofanofficeroremployee

ofthatagency,andwhohasagreedinwritingtocomplywithallprovisionsoflawthataffecttheactivitiesconductedon

behalfoftheagency.

AcollaboratororcollaboratingpartyisonewithwhomNCHShasaformalworkingrelationshipattheinceptionof

asurveyorproject.Inmostcircumstances,aformalworkingarrangementisdefinedinsuchdocumentsasaMemorandum

of Understanding (MOU) or InteragencyAgreement (IA), but may also be defined in other appropriate instruments.Although the nature of the working relationship may vary from collaborator to collaborator, the description of that

relationshipmustbe veryspecificallystatedin whichever instrumentis chosen.Acollaboratormusthaveestablisheda

formalworkingarrangementwithNCHSattheinitialplanninganddesignstages.Thereafter,thecollaboratormusthave

tangibleandsignificantinvolvementintheplanning,design,funding,orexecutionofthesurveyorproject. A collaborator

canbe,butisnotlimitedto,otherFederalagencies,Stategovernments,universities,organizations,colleagues,andothers

workingoutsideNCHS.

Consent iswritten,oral,orinferredapprovalbyanNCHSrespondenttoprovidetherequestedinformation.Before

elicitinginformation,respondentsareclearlyinformedabouttheusestobemadeofdataheorsheisaskedtosupplyand

thepartieswhowouldreceiveitinidentifiableform.Thisinformationmustbeprovidedinsuchawayastorepresenta

full exposure of the facts the respondent needs to make an intelligentdecisionconcerning the provision ofpersonal

informationtoNCHS.

4.

Employee

Responsibilities

4.1 DivisionandOfficeDirectors

Eachdivisionandofficedirector intheCenterhasresponsibilityforassuringstaff compliancewithNCHSpolicies

pertainingtotheconfidentialityof recordsincaseswhereanassuranceofconfidentialityhasbeenoristobegiven.

4.2 ConfidentialityOfficer

TheConfidentialityOfficerwillbeavailabletoassisttheCenterDirectorandstaff inavarietyofways,including:

a. InterpretingDepartmentpoliciespertainingtoconfidentiality;

b. Assistingemployeesinobtaininginformationonandclarificationofconfidentialitylawandrelatedregulations;

c. DirectingtheNCHSDisclosureReviewBoard(seeSection9.2) inthereviewofelectronicdataproductsproposed

forpublicrelease;

d. Providingorientationfornewemployees,ongoingtrainingforcurrentemployees,andimplementingappropriate

exitprocedurestodepartingstaff;

e. Reviewingdatacollectioninstrumentsandprocedures;

f. Providing guidance in the development of appropriate inter and intraagency agreements, and contractual

languageforthesharingandcollectionofconfidentialinformation;

g. ConductingperiodicphysicalinspectionsofNCHSofficestoassurethatrequirementsforthephysicalsecurityof

confidentialrecordsareobserved(SeeSection7);and

h. Providing advice regarding appropriate disciplinaryaction thatmay be taken when laws, rules, or regulations

relatingtoconfidentialityareviolated.

4.3

Supervisors

Responsibilities

TheSupervisorsResponsibilitiesincludethefollowing:

a. Supervisors will inform all employees, and subsequently all new employees, of existing NCHS policies and

proceduresrelatingtothesubjectofconfidentialityandwilldiscusswithsuchemployeestheirresponsibilitiesin

thisarea.

b. Supervisorswillberesponsibleforassuringthatallemployeesundertheirjurisdictioncomplywithregulations

applyingtothedisclosureofofficialinformationthatpermitstheidentificationofindividualsorestablishments.

- 4 -


10/27

c. Supervisorsshouldrecognizeuniquesituationsthatcallformorethanusualprecautionarymeasuresandshould

makerecommendationsforimprovement,ifnecessary.

4.4 IndividualFederalEmployeesResponsibilities

a. Individualemployeesareexpectedatalltimestofollowtheprinciplesandobeythelaws,rules,andregulations

thatarecitedorreferencedinthismanual.Whenindoubt,employeesshouldobtainadvicefromthesupervisoror

theConfidentialityOfficer.

b. Eachemployee ofNCHSis responsible formaintainingandprotecting atalltimes theconfidentialrecords,inwhateverformormedia,whichareintheemployeespresenceorundertheemployeescontrol.

c. Toassurethattheemployeeisfullyawareofhisresponsibilities,eachperson,onenteringemploymentinNCHS,

isgiventheNondisclosureAffidavitfoundinAppendixBtoreadandsign.Theyareaskedtoreasignthisform

annually.

4.5 ContractorsandAgentsResponsibilities

PersonsworkingundercontracttoorwhoareotherwiseconsideredagentsofNCHSaresubjecttothesamelawsand

regulationsas NCHSemployees.Inaccordancewith theconfidentialityprovisions incorporatedinallNCHScontracts,

contractors and agents, and contractor employees are expected to observe all Departmental and Centers for Disease

Control and Prevention (CDC) rules and regulations and NCHS policy relating to official information for which

confidentialityassuranceshavebeengiven.

Whenindoubtconcerninganyconfidentialitylaw,regulationorpractice,adviceshouldbeobtainedfromtheNCHSprojectofficerortheNCHSConfidentialityOfficer.

EachagentandcontractemployeeofNCHSisresponsibleformaintainingandprotectingatalltimestheconfidential

records,inwhateverformsormedia,thatareintheirpresenceorundertheircontrol.Inaddition,theymustatalltimes

followtheprinciplesandobeythelaws,rules,andregulationsthatarecitedor referencedin thismanual. Toassurethat

the agent or contractor employee is fully aware of his responsibilities, each person, on entering on duty, signs a

Nondisclosure Affidavit (Appendix C),whichspellsouttheparticularsofthelawscoveringtheirconductwhileunder

contracttoNCHS.

4.6CollaboratorsResponsibilities

Althoughconsent will have been obtained from respondents for access to confidential data by collaborators (See

definitionofcollaboratorinSection3above),itisnonethelessNCHSpolicythatsharingofconfidentialdataoutsidethe

Center requirespositiveassurances that they will beaccorded the same rigorouscare as they receive within NCHS.Accordingly,collaboratorsarenotpermittedtoreceiveconfidentialdataunlesstheyhaveprovidedsuchassurancesand,

indoingso,committedthemselvesto followingtheprinciplesandobeyingthelaws,rules,andregulationscitedin this

manual.Appropriatemodelagreementsareavailableforthispurpose.

4.7 AdministrativeOfficersResponsibilities

Eachnewemployeeorcontractorisrequiredtoviewaconfidentialityvideo,signaconfidentialitypledge,andreceive

documents and material dealing with their responsibilities with respect to confidential information while working at

NCHS.TheAdministrativeOfficerisresponsibleformakingsurethatpersonsenteringondutyattheCentercomplywith

allappropriaterequirementsestablishedby theConfidentialityOfficer. Similarly,upondeparture from NCHSemploy-

ment,staffarerequiredtoundergoawelldefinedexitprocess.TheAdministrativeOfficerisresponsibleforensuringthat

departingstaffcomplywithallrequirements.

5.NCHSPoliciesonConsentandAssurancesofConfidentiality

5.1 Consent

Obtainingconsentfromindividuals.Consentmaybeobtainedbymeansofasignatureorbyconstruction.Inthefirst

instance,therespondentmaybeprovidedawrittendescriptionoftheintendedtreatmentofinformationhe/sheisaskedto

- 5 -


11/27

provideandaskedtosignhis/hername,therebyindicatingpermissiontousethatinformationasdescribed.Insomecases,

however,he/sheisgiven thisinformationeitherinwritingorverbally. Iftherespondentthensuppliestherequesteddata,

NCHSconstruesthattherespondentagreestothoseintendedusesandsharingofdatawithpartieshehasreadorbeen

toldabout.TheCentercanthenmakesuchusesofthedataashavebeendescribedtotherespondent,butnootheruses

ofthedatamaybemade.Inarrivingatthecontentofastatementofconsent,the ConfidentialityOfficerandtheChairof

theNCHSResearchEthicsReviewBoard(ERB) cooperateclosely.AllprotocolssubmittedtotheERBarereviewedfor

conformancewithNCHSconfidentialityrequirements,andthefinal,consentdocumentsmustbeplacedonfilewiththe

ConfidentialityOfficerpriortouseinthefield.(NOTE:Followingconfidentialityrequirementsdoesnotreleasestafffrom

therequirementsoftheERB.Obtainingconsentfromanestablishment. Inthecaseofestablishments,theapproachdependspartlyuponwhetherthe

requestforinformationismadeinapersonalintervieworbymail.

A. Iftherequestforinformation ismade inpersonby astaffmember oragentofNCHS, the contactpersonfirst

inquires as to who is authorized to provide the requested data on behalf of the establishment. When such

authorizedpersonisinformedoftheusestobemadeofthedata,andhe/shethensuppliesthedata,NCHSstaff

construesthattheestablishmenthasgivenconsentto theusesofdataasspecified.

B. Whendataaresoughtfromanestablishmentbymail,therequestmaybeaddressedtotheestablishmentitself,to

the manager of the establishment, or to some other person who, as the Center has previously ascertained, is

authorizedtoproviderequesteddataonbehalfoftheestablishment.Thelettertransmittingtherequestexplainsthe

uses tobemade of the data.WhenNCHS staff then receives the requested data from the establishment, itis

construedthattheestablishmenthasconsentedtothoseusesofwhichithasbeeninformed.

5.2AssurancesofConfidentiality

Background. WheneverNCHSrequestsdataconcerningan individualoranestablishment, itisobligatedtoprovide

certain information and assurances to the supplier of information.Although this is considered a moral obligation by

NCHS,itisalsostatedorimpliedinboththePublicHealthServiceActandthePrivacyActof1974.ThePublicHealth

ServiceAct,inSection308(d)statesthatinformationmaynotbeusedforanypurposeotherthanthepurposeforwhich

it was supplied; therefore, such purposes must be explained to the supplier of information before obtaining the

informationfromhim/her.ThePrivacyActof1974statesinSection(e)(3)thattheagencyshall:

Informeachindividualwhomitaskstosupplyinformation,ontheformthatitusestocollecttheinformationorona

separateformthatcanberetainedby theindividual...

A. the authority (whether granted by statute, or by executive order of the President) which authorizes thesolicitationoftheinformationandwhetherdisclosureofsuchinformationismandatoryorvoluntary;

B. theprincipalpurposeorpurposesforwhichtheinformationisintendedtobeused;

C. intendeddisclosure(ifany)ofidentifiableinformationtootherparties;and

D. the effectsonhim/her, ifany, ofnotprovidingalloranypartoftherequestedinformation.

Suchinformationmustbeconsistentwiththeinformationinthedescriptionofthesystemofrecordspublishedinthe

Federal Register.If any release of any identifiable information is to bemade, then the law requires that consent be

obtainedinadvanceforthatspecificrelease.ThePublicHealthServiceAct,Section308(d)statesthatsuchinformation

maynot bepublished or releasedin other form if theparticularestablishment orperson supplyingthe informationor

describedinit isidentifiableunlesssuchestablishmentorpersonhasconsented(asdeterminedunderregulationsofthe

Secretary)toitspublicationorreleaseinotherform.ThePrivacyAct(in552A(b)statesthat,withcertainexceptions,an

individualsrecordmaynotbedisclosedexceptpursuanttoawrittenrequestby,orwiththepriorwrittenconsentofthe

individualtowhomtherecordpertains.

Statementofassurances.Thesetofinformationgiventoanyindividualorestablishmentaskedtoprovidedatatothe

Centermustincludeastatementofassurances.Thismustinclude:

(1)Thelegalauthorization(s)forsolicitingthedata(inthecaseofNCHS,thePublicHealthServiceAct);

(2)Thepurposesforwhichthedataarebeingcollectedandthepartieswithwhomidentifiableinformationwillbe

shared;

(3)Thevoluntarynatureoftheresponse;

(4)Theconsequences,if any,to therespondentforfailingtoprovideanypartoftherequesteddata;and

- 6 -
http://www.cdc.gov/od/ads/hsr2.htmhttp://www.cdc.gov/od/ads/hsr2.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www4.law.cornell.edu/uscode/42/242m.htmlhttp://www.usdoj.gov/foia/privstat.htmhttp://www.cdc.gov/od/ads/hsr2.htm


12/27

(5)AnassurancethattheCenterwillprotectthedataagainstotheruses.

5Thestatementofassurancesmay becontainedinaletterorbrochurehandedormailedtoa respondentsothat

he/she receivesit beforeprovidingthe information.Thestatementmay begivenorally toa respondent,but italso

mustbeprovidedinwrittenform, onpaper, to beretained bytherespondent;theonlyexceptionstothisrequirement

are: (a) ifa selfadministeredquestionnaire isused,thestatement may be madepart ofthequestionnaire, andno

separatecopy needbegiventotherespondent,and(b)inthecaseof atelephoneinterview, anoralreadingmay be

sufficient(see Section5.6).

Theassuranceofconfidentialityconstitutestheguaranteegiventothedatasupplier thatNCHSwilllimititsusesof

thedatatothosespecifiedtotherespondentandthatNCHSwillactivelyprotecttheinformationfromanyotherusesbyanyotherparty.

5.3 Responsibility forFormalAssurancesofConfidentiality

FormalassurancesofconfidentialitywillbegivenbytheDirectorofNCHSorhisdesignee.Suchauthorityisvested

intheDirectorof theCenterandtheDirectorofeachof itsdivisionsandoffices.However, incidentalreferencesto the

assurancesarepermittedincommunicationssignedbyotherstaffmemberssuchassurveymanagersdirectlyinvolved

with the development and negotiation of such assurances. In view of the complexities involved in confidentiality

assurancesresultingfromlegislativeandregulatoryrequirements,DivisionandOfficeDirectorsarerequiredtosubmitthe

confidentialityassurancesrelatingtoeachdatacollectionprogramtothe ConfidentialityOfficerforreviewandapproval.

ThisapprovalshouldbeobtainedbeforetheRequestforClearancegoestotheNCHSResearchEthicsReviewBoardor

OMBClearanceOfficer.

5.4

Data

Collected

Directly

From

Individuals

or

Establishments

Wheneverdataaretobecollectedwithapromiseofconfidentiality2 directlyfromindividualsorestablishmentsbyan

employee, agent, or contractor of NCHS, primarily toaccomplish an NCHS function, the following rules governing

assurancesandinformationaretobemet:

1. Includeonthedatacollectioninstrument(whetherelectronicorpaper) inaclearlyvisiblelocationandinclearly

visible letters the following notice (or words to this effect) of the confidential treatment to be accorded the

informationintheinstrumentbyanyonewhomayseeit:

ConfidentialInformation

Informationcontainedonthisformwhichwouldpermitidentificationof anyindividualorestablish-

menthasbeencollectedwithaguaranteethatitwillbeheldinstrictconfidence,willbeusedonlyforpurposesstatedinthisstudy,andwillnotbedisclosedorreleasedwithouttheconsentoftheindividual

or theestablishment inaccordance with Section308(d) of thePublic HealthServiceAct (42U.S.C.

242m)andtheConfidentialInformationProtectionandStatisticalEfficiencyAct.

2. Onaletterorotherformthatcanberetainedby theindividualortheestablishment,oronthequestionnaireform

itselfif itis aselfadministeredquestionnaire,informinclearand simpletermseachindividualorestablishment

askedtosupplyinformation:

a. ThatthecollectionoftheinformationisauthorizedbySection306ofthePublicHealthServiceAct(42U.S.C.

242k);

b. Ofthepurposeorpurposesforwhichtheinformationistobeused,clearlystatingthattherecordswillbeused

solelyforstatisticalresearchandreportingpurposes;

c. Ofintendeddisclosures(ifany)ofidentifiableinformationtootherparties;

d. Thatparticipationisvoluntaryandtherearenopenaltiesfordecliningtoparticipateinwholeorinpart;ande. Thatinformationwillnotbeusedforanypurposeotherthanstatisticalresearchandreporting,norwillitbe

sharedin identifiableformwithanyoneotherthannamedagenciesandcollaborators.

2Intherareinstanceinwhichdataarecollectedwithouta promiseofconfidentiality,permissionto collectthe datamustbegrantedbytheDirector,

NCHS.

- 7 -


13/27

When social securitynumber orMedicareclaimnumber (which may incorporate the social securitynumber) are

collected, respondentsmust,atthepointofcollectionof that information,be informed,inclearandunderstandable

languageofitemsathroughd.

5.5DataCollectedFromAnotherOrganization

WhenevertheCenterarrangestopurchaseorotherwiseobtainfromanotherorganizationdatathatcontainidentifiers

ofindividualsorestablishments,itwillprovidetothesuppliertheinformationspecifiedinthepreviousitems5.42a,b,

c, and e. This information will be provided in written form, either in the contract, purchase order, or other writtenstatement.

5.6 DataCollectedOver theTelephone

Wheneverdataaretobecollected over the telephone byanemployee,agent,orcontractorofNCHS,primarilyto

accomplishanNCHSfunction,thefollowingrulesgoverningassurancesand informationaretobemet:

1. Beforeelicitingsurvey informationfroma respondentinany telephonesurvey, therespondentwillbegiventhe

followinginformation(thoughnotnecessarilywiththisexactwording)overthetelephone:

a. Thelawauthorizingcollectionoftheinformation.IfthesurveyisbeingconductedundertheCenterslegal

authority, the interviewer should say, Thesurvey is being conducted under authorityof thePublic Health

ServiceAct. Iftherespondentrequeststhespecificlegalcitation,the interviewerwillsaythatitis Volume42oftheU.S.Code,Section242k.

b. Thepurposeorpurposesfor which theinformationis tobeused, suchas for statisticalresearch onhealth

problems.

c. Thatparticipationinthesurveyispurelyvoluntary.

d. AnypossibledisclosuresofidentifiabledatatobemadeoutsideNCHS.

e. An assurance that (except for any such disclosures) the confidentiality of all information supplied will be

carefullyprotected,andnooneotherthanNCHSanditsagentsandanycollaboratorswillhaveaccesstoany

datathatidentifytherespondents.

Theexactwordingproposedforinformingrespondentsinanyparticularsurveymayvaryfromthatsuggestedabove,

butmustbesubmittedforapprovalbytheConfidentialityOfficerpriortotherequestforOMBapproval.

2. Thetelephoneinterviewermustsignastatementthattheinformationrequired(asindicatedabove)wasgivenorally

to each respondent. This information shall be given by reading the approved text and answering any of therespondents questions about it before proceeding with the interview. The statement to be signed by each

interviewermaybeontheformusedtocollectthesurveydata.

Incomputerassisted telephone interviewingwherethere isnohardcopyquestionnaire,the following procedure

maybeusedinlieuofhavingtheinterviewersignastatement:Followingthepromptingfortheinterviewertoread

theprescribedstatementstotherespondent,thecomputerthenaskstheinterviewerwhetherheorshecertifiesthat

he/shehasreadtotherespondentallthestatements,intheirentirety,containedinitems______through________.

Ifso,theinterviewerisaskedtotouchY(oranotherappropriatesymbol)foryes,andtoenterhis/herpersonal

identifiercodeandthedate.Thecomputerthencheckswhetherthesehavebeenenteredcorrectlyand,iftheyhave,

thecomputermakesthiscertificationapermanentpartoftheinterviewrecord.Iftheyarenotenteredcorrectly,the

computerwillnotproceedwiththeinterview.

5.7 RepositoryofAssurances

A. Acentral repository forthe filingofstatementsof assuranceshasbeenestablishedunder thesupervisionof the

ConfidentialityOfficer.

B. Each organizational unit ofNCHS,whichhas givenstatements ofassurances,will forward copies ofall such

statementstotherepository.Thiswillnormallyincludebut,notbelimitedto,assurancesgivenincontracts,special

letters,brochures,surveyquestionnaires,andforms.

C. TheassurancessubmittedtotheConfidentialityOfficerforapprovalwillbefiledintheRepositoryofAssurances

- 8 -


14/27

asatentativeissuance.Whenallclearanceshavebeenreceivedandfinalprintedcopiesofthesurveyorstudy

materialshavebeenproduced,acopyofthesematerialsisforwardedtotheRepositorytoreplacethetentative

materials.

6. TreatmentofRequestsfor InformationUndertheFreedomofInformationAct

Whenever a request is received for a specified record3

concerning a named individual, that request is subject torequirementsoftheFreedomofInformationAct(FOIA). Withcertainexceptions,thislawrequiresthatFederalagencies

providecopiesofrequestedrecords.Thereare,however,twoimportantexceptionstotherequirementthatusuallyapply

totheCenter.Theyare(1)personalandmedicalfilesandsimilarfiles,thedisclosureofwhichwouldconstituteaclearly

unwarrantedinvasionofpersonalprivacyand(2)mattersspecificallyexemptedfromdisclosurebystatute.Inthecaseof

NCHS, Section 308(d) of the Public Health Service Act specifically exempts personal information from disclosure.

RequeststoNCHSforrecordsunderFOIA,wherethereisanamedindividual,arenotsubjecttoFOIAwhendataare

identifiable.

Policy. If anemployee receivesa request for a record or an item of information that cites the FOIA, he should

immediatelyreferthisrequesttotheNCHSFreedomofInformationActCoordinatorasresponsemustbemadewithin10

days.Anyrequestfor informationwherethere isany doubtas towhether it can beprovided shallbe referredto the


7. TheProtectionofRecordsandDataSystems

Employees ofNCHSareresponsibleforprotectingallconfidential records from pryingeyes, unauthorizedaccess,

theft,andfromaccidentallossormisplacementduetocarelessness.

OnthissubjectthePrivacyAct,inSection552a(e)prescribesthateachagencyshall:

(9) Establishrulesofconductforpersonsinvolvedinthedesign,development,operation,ormaintenanceofany

systemofrecords,orinmaintaininganyrecord,andinstructeachsuchpersonwithrespecttosuchrulesandthe

requirementsofthissection,includinganyotherrulesandproceduresadoptedpursuanttothissectionandthe

penaltiesfornoncompliance;

(10) Establishappropriateadministrative,technical,andphysicalsafeguardstoinsurethesecurityandconfidentiality

ofrecordsandtoprotectagainstanyanticipatedthreatsorhazardstotheirsecurityorintegritywhichcould

resultinsubstantialharm,embarrassment,inconvenience,orunfairnesstoanyindividualonwhominformationismaintained. . . .

In the case of NCHS, the StaffManual on Confidentiality, taken as a whole, together with other administrative

practices, fully addresses these requirements. Particular attention is directed to two major aspects: the protection of

confidentialrecordsandthesecurityofautomateddatasystems.

7.1PhysicalProtectionofConfidentialRecords

Absoluteprotection of the recordswould be impossible;nevertheless,all reasonable precautionsmust be taken to

protectthem.

ItisthepolicyofNCHSthat:

A. Confidentialrecordsmustbekeptlockedupatalltimeswhentheyarenotbeingused.Thatis,theymustbekept

inlockedcabinetsor inlockedroomsafterbusinesshoursandwheneverthepersonsusingthemarenotpresent.Ifrecordsaremaintainedinelectronicform,themediumonwhichthefilesarestored(floppydisks,CDROMS,

andremovableharddrives)mustalsobekeptinlockedcontainersor, ifmaintainedonacomputer,accesssecured

byall availablemeans(includingkeyboardlocks,passwords,encryption,officelocks,etc.).Personalcomputers

3RecordisdefinedintheDepartmentsregulations (45CFRPart 5) asincludingbooks,brochures,punchcards,magneticfiles,papertapes,sound

recordings, maps, pamphlets,photographs, slides, motion pictures,or other documentary materials...In the caseofNCHS, other examplesof a

recordwouldbevideos,xrays,andtissueorbloodsamplesaswellaselectronicfilesinwhateverformCDROMS,diskettes,etc.

- 9 -
http://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://www.usdoj.gov/foia/privstat.htmhttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://squid.law.cornell.edu/cgi-bin/get-cfr.cgi?TITLE=45&PART=5b&SECTION=1&TYPE=TEXThttp://www.usdoj.gov/foia/privstat.htm


15/27

containingconfidentialrecordsshouldneverbemaintainedinanopen,unsecuredspace.Onlyalimitednumberof

staff,asauthorizedbytheDivisionorBranchChief,mayhavekeysorothermeansofaccesstosuchcabinetsor

rooms.

B. Whenconfidentialrecordsareinuse,whetherbythemselvesorviewedoncomputermonitors,theymustbekept

outofthesightofpersonsnotauthorizedtoworkwiththerecords.

C. Exceptasneededforoperationalpurposes,copiesofconfidentialrecords(paperdocuments,electronicfiles,video

recordings,orrecordsofotherkinds)arenottobemade.Anyduplicatecopiesmadeofconfidentialrecordsareto

be destroyed as soon as operational requirements permit. Records not otherwise covered by record retention

regulations(whenindoubt,consulttheNCHS RecordsManagementLiaison) thatarenolongerneededshouldalsobedestroyed.Approvedmeansofdestructionincludeshredding,burning,andmacerating.Shouldreuseof

electronic media (hard drives, rewriteable compact disks) containing confidential records be contemplated,

extremecareshouldbetakennottodisposeofinformationinsuchawaythatitcanberecoveredbyunauthorized

usersof the electronic mediuminvolved.For furtherguidance for the dispositionofpaperand other typesof

records,consulttheNCHSInformationSystemsSecurityOfficer.

D. Paper orelectronic recordscontaining personally identifying information such as respondent name, address,or

socialsecuritynumbershouldbeheldtotheminimumnumberdeemedessentialtoperformtheCentersfunctions,

kept in ahighlysecuremanner, and kept only so long asneeded tocarry outthosefunctions. A writtenjustification

formaintainingfileswiththeseitemsmustbesubmittedtoth eConfidentialityOfficer and,ifapproved,access

restricted to the smallest number of staff consistent with that justification. The justification must include a

statement specifying the timeperiod afterwhich these itemswill no longer beneeded and provision for their

subsequentdeletionordestruction.

E. No record containing direct personal identifiers (name, address, social security or other identifying number,unretouchedvideo, oraudio recording)ofNCHSsurveyrespondentsmaybe electronically sent tooraccessed

fromanemployeesor contractorsalternateworksiteorremovedfromNCHSofficesexceptas requiredinthe

conductofdatacollectionactivities. WorkoutsidetheCenter(whetherathomeoratanalternativeworksite)with

inhousefiles(recordsstrippedofdirectidentifiersbutnotapprovedforpublicuse)mustreceiveapprovalin

advance. Such applications include all cases where confidential data would be accessed from outside NCHS

offices and arenot limited toflexiplace requests.The staff member will agreein writingnot todownload the

contents of confidential files accessed from home or from an alternate work site. Confidential files are not

approved to be used on laptop computers. Other security requirements as dictated by the NCHS Information

SystemsSecurityOfficer mustalsobemet.

F. WhenrecordsaretransferredtotheNationalArchivesandRecordsAdministrationoritsrecordcentersforstorage,

theircontainersmustbesealed.Thestoragecentermustbeadvisedthatnoonemayhaveaccesstothoserecords

exceptasauthorizedoverthesignatureofanappropriateofficialofNCHS.Wheredestructionofrecordsatafuture

date is cited in the NCHS Records Schedule, such destruction of records containing personally identifyinginformationmustbepersonallywitnessedbytheNCHSRecordsManagementLiaison orhis/herdesignee.

G. When records containing names or other direct identifiers are transmitted between NCHS offices or between

NCHS and its contractors, they must bepackaged securelyand sent by the most secure and trackable means

available(e.g.,FedEx,personalmessenger,ordirectlybyNCHSstaff).

H. ConfidentialrecordsmaynotbereleasedoutsideNCHS(toanotheragency,contractor,orotherparty)unlessthat

releaseisconsistentwiththeassuranceofconfidentialityunderwhichtheyweregatheredandpositiveevidence

(appropriate contract language,a memorandum of understanding,or interagency agreement) that the receiving

partywillprovidethesamelevelofconfidentialityprotectionasthatrequiredofNCHS.Agencystaffandany

contractorsmustbemadeliabletolegalsanctionsiftheconfidentialitypledgeshouldbeviolated,andrecordsmust

bemaintainedby theProgramor Divisionunderwhose direction theinformationwas collected listingallfiles

released(towhomandunderwhatagreement)containingconfidentialinformation.Suchrecordsshouldcoverfiles

madeavailabletootherdivisionswithinNCHSaswellasoutsidetheCenter.

7.2 AutomatedDataProcessingSystemsSecurityGeneral

InachievingthegoalsofthePrivacyActof1974,policyandguidancedocumentshavepointedtotheimportantarea

ofautomaticdataprocessing(ADP)inestablishingsafeguardstoensurethesecurityandintegrityofrecords.Identifiable

NCHSdata areconsidered highly sensitive.TheDHHSAutomated Information SystemsSecurity ProgramManual is

a Departmental directive which provides practices and procedures intended to carry out OMB Circular A130,

regulatesthesecurityofFederalautomatedinformationresources.Appendix 3 oftheCirculardefinesadequatesecurity

- 10 -
http://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.htmlhttp://www.whitehouse.gov/omb/circulars/a130/a130.html


16/27

as security commensuratewiththe risk andmagnitude of theharm resultingfrom the loss, misuse,or unauthorized

accesstoormodification ofinformation.All technical,personnel, administrative,environmental, andtelecommunica-

tions safeguards necessary toprotect the confidentiality, integrity, andavailabilityof NCHSdatamust be inplace.

OMBCircularNo.A123,ManagementAccountabilityandControlandtheFederalManagersFinancialIntegrityAct

(FMFIA), also are applicable. The FMFIAcarries both fine and imprisonment penalties for misuse of Government

resources. These laws are applicable todata collected byNCHS under308(d). NCHS staff, prior todevelopmentof

contractsorprojects,mustconsultwiththe InformationSystemsSecurityOfficer toensurecompliancewithapplicable

lawsandregulations.

AlthoughtheSystemManageristheFederalofficialwhoislegallyresponsibleforthesystemofrecordssubjecttothePrivacyAct,allotherswhocontrol,handle,orusethedataalsoshareresponsibilityforthesecurityandintegrityofthe

records.TheseincludetheNCHS TopSecretCoordinatorandprogram TopSecretAdministrators,ADPSystemsSecurity

Officer,systemsanalysts,programmers,datapreparationpersonnel,andADPsystemsusers.Contractorswhodealwith

data that come underthe provisions ofthe Public Health ServiceAct and/or the PrivacyAct are subject tothe same

regulationsasareDHHSemployees.

DocumentControl. While not inuse,alldocumentationcontaining or relatingto identifiableinformationmust be

storedinsuchamannerastopreventdisclosure.Thisincludes:

A. Documentationoffunctionalandprogramspecifications;

B. Documentationillustratingrecordlayoutsoffilescontainingpersonaldata;

C. Documentationcontainingdescriptionsofinternalcontrolsandaudittechniquesemployedwithinthesystem;

D. Anyotherhardcopyassociatedwithconfidentialinformation;

E. Computerprogramlistingsandsourcedecks;

F. Documentationproductionrunprocedures;and

G. Documentationrelatedtostatisticaldisclosurelimitationproceduresanddisclosurereview.

AllADPsystemsusersshouldfamiliarizethemselveswiththecontentsoftheDHHSAutomatedInformationSystems

SecurityManual.Centerpersonnelarerequiredtocomplywiththeregulationsinthismanual.

8. AuthorizedDisclosures

GoverningPrinciples.NCHSactionisgovernedorconstrainedbyfourprinciples:

A. Theactionleadingtodisclosuremustbeclearlywithintherelevantlawsandregulations,andifthereisanydoubt,

theadviceoflegalcounselshouldbesought.B. TheCentermustalwaysbecandidwithrespondents,makingitclearwhowillhaveaccesstoindividualresponses

andforwhat(general)purposethedataarebeingcollected.

C. Anessentialrequirementforreleaseofdatais theconsentoftherespondent.

D. ThereleaseofconfidentialdatamustbecarriedoutunderagreementasdescribedinSection8.3.

8.1 Disclosureto theParentLocatorService

With but one exception, no informationabouta person orestablishment may bedisclosed toanyone without the

informedconsentofthepersonorestablishmentsupplyingtheinformationordescribedinit.

Thatsingleexceptioniscontainedinthe1974AmendmentstotheSocialSecurityActrelatingtotheParentLocator

Service(42U.S.C.653)whichreadsinpart:

(b)Uponrequest,filedinaccordancewithSubsection(d),ofanyauthorizedperson(asdefinedinSubsection(c))forthemostrecentaddressandplaceofemploymentofanyabsentparent,theSecretaryshall,notwithstandingany

otherprovision of law, provide through the Parent Locator Service such information to such person, if such

information(l)is containedinanyfilesorrecordsmaintainedby theSecretaryorbytheDepartmentof Health,

Education,and Welfare. . . .

ItseemsunlikelythatanyinformationinthefilesofNCHSwouldeverbeusefultotheParentLocatorServicein

locating absent parents. However, if any such request were ever received, it should be referred immediately to the

ConfidentialityOfficer,whowilldecidetheactiontobetaken.

- 11 -
http://www.whitehouse.gov/omb/circulars/a123/a123.htmlhttp://www.whitehouse.gov/omb/circulars/a123/a123.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://www4.law.cornell.edu/uscode/42/653.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://irm.cit.nih.gov/policy/aissp.htmlhttp://www.dod.mil/comptroller/fmfia.htmlhttp://www.whitehouse.gov/omb/circulars/a123/a123.html


17/27


18/27

interdepartmental transfer of data may be done only with the express approval of the Director of NCHS under an

agreementasdescribedinSection8.4.Inaddition,NCHSwouldnottransferanyconfidentialdatatoanotherdepartment

withoutpositiveassurance that thedatawillbeusedonlyfor theauthorizedpurposeand that theconfidentialityof the

datawillbeprotectedquiteaseffectivelyintheotherorganizationasitwouldbebyNCHS.NCHSreservestherightnot

totransferconfidentialdata toanyoneif it isnotconvinced thatthosedatawillbehandledappropriately.

8.6

Special

Cooperative

or

Contractual

Arrangements

NCHS may be a party to any of several types of arrangements in which the Center is but one of two or moreorganizations that are collecting, processing, or using data under a joint or cooperative agreement. These types of

situationsarenotdiscussedindetailinthismanual,butthreeprominentclassesofcasesareidentified:

A. Aspecialsituationprevailsin the VitalStatisticsCooperativeProgram,wheretheStateisthecollectorunderits

own law. The Center uses the data under a contractual arrangement with the State, which fills the role of

respondentinthiscontext.TheCenterabidesbythetermsofthecontracts,althoughitcanexercisenocontrolover

how the Statemanages other confidentiality aspects of its documents. Under the terms of the Statecontracts,

NCHSwillnotpermitaccesstoindividualdocumentsthatmaybeinitspossessionforcodingpurposes;norwill

NCHSgivethekey(certificatenumber)toindividualcertificatestoanyonewithouttheexpresswrittenconsent

oftheState(registrationarea).Underspecialarrangements,NCHSmakesavailabletothepublicmicrodatafiles

containingpersonrecordinformation.

B. Contractualarrangementsexistinwhichanotherpersonororganizationeither(1)providesaservicesuchasfield

collectiontoNCHS,or(2)undertakesanalysisofdataprovidedbyNCHSand,ineithercase,hasaccessanddefactocontrolofmicrodata.(SeeAppendix Aforconfidentialityrequirementsinsuchcontracts.)

C. Other instruments that legally obligate other parties to NCHS nondisclosure rules and obligations include

professional service contracts, task orders, intergovernmental personnel act (IPA) appointments, unfunded

memoranda ofagreement, interagency, andintraagency confidentiality agreements.If notalreadyincluded, the

languagecontainedinAppendixAmustbemadepartofallsuchdocuments.

Certification(NCHS Confidentiality Pledge)must be includedwithin these documentsindicating that theparty or

partiesreceivingidentifiableNCHSdataunderstandtheirobligationtoabidebyallNCHSru lesandregulations.Specific

wordingforeachdocumentofthistypeshouldbedevelopedinconsultationwiththeNCHS ConfidentialityOfficerwho

must,alongwiththeNCHSDirector,approvethefinalwording.

9.

Avoiding

Inadvertent

Disclosures

Through

Release

of

Microdata

ItisCenterpolicytomakeitsfilesonindividualelementarydataunitswidelyavailabletothescientificcommunity

sothatadditionalanalysescanbemadeofthesedataforthecountrysbenefit.Thescientificcommunityhasshowngreat

interest insuchfiles,andmanyrequestsfortheCenterselectronicfilesarereceivedeachyear.

9.1

Problem

A microdatafileconsistsofindividualrecordseachcontainingvaluesofvariablesforasinglepersonorestablishment.

Evenwhenallpersonalidentifiersareremoved,alargeamountofinformationremains,andthisinformationmayidentify

NCHSrespondentsto apersonwhohasaccessto that informationfromanothersource.Forexample,if filedescriptors

indicatethattherespondentisaPh.D.inthe3034yearsagegroupwhoreportshis/herraceaswhiteandlivesinthe

Northeastsectionofthecountry,therespondentisnotidentifiable.If,however,thefileindicatesthathisageis31,thathe

ismarriedtoa42yearoldwomanwhoreportsherraceasAsian,hasthreechildren,andlivesinLitchfieldCounty,Conn.,therespondentmaynowbeidentifieduniquely,andallinformationinthefileabouthimandhisfamilywouldbedisclosed

toanyonewithaccesstothefile(whocouldthenidentifythepersonfromthegivensetofcharacteristicsorbymatching

thisinformationtothatcontainedinanotherfilecontainingtherespondentsname).Theplaceofresidence,especially

whenitisnotaheavilypopulatedarea,isparticularlyusefulintheidentificationprocess.Moreover, if it isknownthata

particular person or establishment has been selected in the sample, chances are much better that the person or

establishmentcan beidentified. Insuchcases, informationmaybeknown toa potential intruderwho can beusedto

establishidentity.

- 13 -


19/27

Itshouldberecognizedthattheinformationgainedbyanintruderneednotbe exact torepresentadisclosureifit

pertainstoanidentifiedindividual. Tables(seeSection10),generatedusingmicrodatafiles,shouldtakeintoaccount

thatitmaybepossibletoassociaterangesofvaluesofcertainvariables(e.g.,income,age)withotherinformation.This

is particularly applicable to files containing establishment data. In addition, it may be possible to use certain other

informationcontainedinthemicrodatafiletoidentifyanindividualorestablishment.Amoredetaileddiscussionofthese

pointsisfoundinSection10.1.

ThelowratiosamplethattheCenterusesinitssurveyswouldusuallyfrustrateapersonwhoistryingtolocatea

known individual in the Centerssurvey files. From time to time,however, an individual orestablishment may have

characteristicsrarelyencounteredin thepopulationfromwhicha sampleisdrawn.Theonlyabsolutelysurewaytoavoiddisclosurethroughmicrodatafilesis torefraincompletelyfromreleasingany

microdata files,but this would deprive theNationofagreat deal ofveryimportanthealth research.It is theCenters

policy to release microdata files for purposesofstatistical researchonly when the risk ofdisclosure is judged tobe

extremelylow.Inordertomakesuchjudgments,theCenterhasestablisheda DisclosureReviewBoard(DRB)which

meets regularly to consider proposals for public release of microdata files and makes recommendations to the


Allmicrodatafilesintendedforpublicreleasemustbe submittedforreviewby theNCHSDRB.

9.2Rules

Thefollowing rules apply toall files releasedby NCHSthat containany informationabout individual personsor

establishments,exceptwherethesupplierofinformationwastold,priortohisgivingtheinformation,thattheinformationwouldbemadepublic:

A. Beforeanynewor revisedmicrodata files arepublished, they, togetherwiththeir full documentation, must be

approvedforpublicationbyth eConfidentialityOfficerwhowillrelyuponassistancefromtheNCHSDisclosure

ReviewBoardinreachingdecisions.

B. Thefilemustnotcontainanydetailedinformationaboutthesubjectthatcouldfacilitateidentificationand

that is not essential for research purposes (e.g., exact date of the subjects birth, excessive detail for

occupation,extremevaluesofincomeandage,detailedraceorethnicityforsmallandhighlyvisiblegroups,

and other characteristics that would make an individual or establishment easier to identify). It is

recommendedthatthefollowingbeconsultedconcerningpossibletechniquesthatwouldpermitthemaximum

amountofinformationtobereleasedconsistentwithsoundprinciplesofstatisticaldisclosurelimitation:The

ConfidentialityandDataAccessCommitteesChecklistonDisclosurePotentialofDataandStatisticalPolicy

Working

Paper

22,

Report

on

Statistical

Disclosure

Limitation

Methodology.

Office of Information andRegulatoryAffairs,OfficeofManagementandBudget.

C. Geographicplacesthathavefewerthan100,000peoplearenottobeidentifiedonthefile.Dependinguponthe

statisticalstructureof afileandothercircumstances,ahigherfiguremaybeemployed.Itistheresponsibilityof

theprogramproposingthedatareleasetodeterminethedisclosureriskassociatedwiththeproposedminimumsize

ofgeographicareastobeidentified.

D. Characteristicsofanareaarenottoappearonthefileiftheywoulduniquelyidentifyanareaoflessthan100,000

people(e.g.,avariabledescribingthesizeofametropolitanareainwhicharespondentwasinterviewedproviding

foracategoryoflessthan100,000inafilewherearegionisalsoprovided).

E. Informationonthedrawingofthesamplethatmightassistinidentifyingarespondentmustnotbereleasedoutside

theCenter.Thus,theidentitiesofprimarysamplingunits(PSUs)arenottobemadeavailableoutsidetheCenter

exceptinlimitedcircumstancesandasapprovedbythe ConfidentialityOfficer.Whensuchcircumstancesrequire

thedisclosureoftheidentityofareasinwhichdatacollectionactivitiestakeplace,thesurveymanagermustensure

thatallinformationforthissurveyproposedforreleasetakeintoaccountthegreaterriskofidentificationbecauseofthisexception.ThedecisionastowhetherPSUidentitiesaretobemadepublicshouldbemadebeforedataare

collectedandplansfordatareleasefinalized.

Thissection hasdescribedprocedures fordisclosure review andprotection of microdata files.Any tabulations or

statisticalmeasuresbaseduponfilessopreparedandapprovedforpublicreleasebytheNCHSConfidentialityOfficer

wouldmeetNCHSrequirementsfordisclosureprotectionand,alongwiththemicrodata,canbereleasedtothepublic.In

othercases,wheretabulationsarebasedupondatainaformnotapprovedforpublicuse,proceduresinthefollowing

sectionmustbefollowed.

- 14 -
http://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdfhttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/working-papers/wp22.htmlhttp://www.fcsm.gov/committees/cdac/checklist_799.dochttp://www.cdc.gov/nchs/data/NCHS%20Micro-Data%20Release%20Policy%204-02A.pdf


20/27

9.3 RestrictedAccess toMicrodataFilesWith IdentifiableData

Undercertaincircumstances,accesstomicrodatafilescontaininghighlevelsofdetailsuchasdescribedin9.2B,C,

orD,maybegrantedtoresearchersintheNCHSResearchDataCenter(RDC)orbymeansoftheNCHSRemoteData

Access System. In the RDC, analytical manipulation of elements of confidential files not released to the public is

permitted.Filescontainnonames,addresses,orotherdirectidentifiers.Becausetheremaininginformationwouldrequire

complex manipulation with other informationnot permitted inoraccessible from the RDC inorder to reidentifyan

NCHSrespondent, theresearcherhas,ineffect,noaccesstoidentifiableinformation.Nevertheless,no statisticaloutput

can be removed from the RDC withoutbeingsubjected tostatisticaldisclosure analysisbyRDC staff, and access to

informationwithintheRDCishighlyrestricted.Requests for tabulations may also be submitted electronically. No direct access to confidential files is permitted,

however,andonlythosetabulationsthathavebeensubjecttostatisticaldisclosureanalysisaretransmittedbacktothe

requestor.

10. AvoidingInadvertentDisclosuresinPublishedTabularData

Theprevious sectionconsidered detailedprocedures fordisclosure review andprotection of microdata files made

availableforpublicuse.AnytabulationsorcalculationsbasedupondatasopreparedandapprovedwouldmeetNCHS

requirementsfordisclosureprotectionand,alongwiththemicrodata,canbereleasedtothepublic.Whereatabulationis

basedupondatain aformnotapprovedforpublicuse,the followingproceduresmustbefollowed.

10.1

Types

of

Disclosure

Centerpolicyrecognizesandattemptstodealwithseveralclassesofinformationdisclosure:

A. Exactversusapproximatedisclosures.Exactdisclosureis thedisclosureofaspecificcharacteristic,suchasrace,

sex, or a particular pathological condition. Approximate disclosure is the disclosure that a subject has a

characteristicthatfallswithinacertainrangeofpossibilities,suchasbeingbetween45and55yearsofageor

having an income between $15,000 and $25,000. An approximate disclosure may in a given situation be

consideredharmlessbecauseofitsindefinitenature.

B. Probability-basedversuscertaintydisclosures.Datainatablemayindicatethatmembersofagivenpopulation

segmenthavean80percentchanceofhavingacertaincharacteristic;thiswouldbeaprobabilitybaseddisclosure

as opposed to a certainty disclosure of information on given individuals. In a sense, every published table

containingdataorestimatesofdescriptorsofaspecificpopulationgroupprovidesprobabilitybaseddisclosureson

membersofthatgroup,andonlyinunusualcircumstancescouldanysuchdisclosurebeconsideredunacceptable.

Itispossiblethatasituationcouldariseinwhichdataintendedforpublicationwouldrevealthatahighlyspecific

group had an extremely high probability of having a given sensitive characteristic; in such a case the

probabilitybaseddisclosureperhapsshouldnotbepublished.

C. Internalversusexternaldisclosures.Internaldisclosuresarethosethatresultcompletelyfromdatapublishedfrom

oneparticularstudy.Externaldisclosuresoccurwhenoutsideinformationisbroughttobearuponthestudydatato

createdisclosures.Thispossibilitymustberecognizedinanydisclosureanalysis.

10.2Problem

In an effort to make available to the public a full set of information on a given subject, statisticians mayand

sometimes dopresent so much detail in published tabulations that they accidentally reveal confidential information

aboutparticularstudysubjects.When completecountdataarebeingtabulated*thismayhappeninthefollowingways:

1. All casesin lineyi ofa statisticaltable fall inthecell incolumnxi.We thenknow that any individual inthepopulationwithcharacteristicyi alsohascharacteristicxi.

2. Cellxiyigivesthetotalincomeofallindividualswithcharacteristicsxiandyi. Ifthereareonlytwoindividuals,a

andb, inthepopulationwiththatcombinationofcharacteristics,thena,knowinghis/herownincome,willbeable

todeterminebsincomebysimplesubtraction,and bwillalsobeabletodetermineasincome.

*Aswhenallcases in a givenstratumhavebeenincluded in asample or allvitaleventsaretabulated.

- 15 -
http://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htmhttp://www.cdc.gov/nchs/r&d/rdc.htm


21/27

Inaddition,whenestablishmentdataareinvolved:

1. Atablegivesthetotalannualreceiptsforallfivenursinghomesincountym.However,nursinghome aismuch

largerthanalltherestcombined;itaccounts,infact,forthreefourthsofallnursinghomereceiptsinthecounty.

Knowingthecountytotal,themanagerofnursinghomeaisabletocalculatetheincomesoftheotherfourhomes,

atleastwithinsomefairlynarrowlimits.

2. Ametropolitanstatisticalarea(MSA)containstwocounties,aandb.Fourhospitalsarelocatedincountyaand

onlyoneincounty b.Astatisticalreportispublished,givingconfidentialhospitaldatatotaledforeachSMSA.

Anotherreportispublishedwithconfidentialdataonhospitalsbycounty,butonlyforcountieswiththreeormore

hospitals. Using the two reports, one can subtract the data for county a

from the SMSA data, deriving theconfidentialdataforthelonehospitalincountyb.

Theseexamplesimplytheexistenceofseveralgeneraltypesofsituationsinwhichstatisticaldisclosuremayoccur. An

additional possibilitymay be found ina groupof threeormore tables ofsubsets of a givenpopulation from which

disclosuresarepossiblethroughthesolutionofsimultaneousequations.CenterguidelinesassetforthinSection10.3take

intoaccounttheseveralpossibledisclosuresituations.

10.3 SpecialGuidelines forAvoidingDisclosure

Exceptwhereotherwiseindicated,thefollowingguidelinesapplytoallCenterpublicationsofstatistics:

A. Innotableshouldallcasesofanylineorcolumnbefoundina singlecell.

B. Innocaseshouldthetotalfigurefora lineor columnofacrosstabulationbelessthanfiveunweightedcases.C. Innocaseshoulda quantityfigurebebaseduponfewerthanfiveunweightedcases.

D. Innocaseshouldaquantityfigurebepublishedifonecasecontributesadisproportionateamounttothetotal.A

minimumpercentagefigureshouldbeadoptedforthispurposeandthisfigureshouldnotbepubliclyreleased.

E. Inno case should dataonan identifiable case,norany ofthekindsof data listed inpreceding itemsAD,be

derivablethroughsubtractionorothercalculationfromthecombinationoftablespublishedonagivenstudy.

F. DatapublishedbyNCHSshouldneverpermitdisclosurewhenusedincombinationwithotherknowndata.

Reportwritersaretofollowtheseguidelines.Itistheresponsibilityofallbranchchiefstoseethattheseguidelinesare

followed.Inapplyingthem,branchchiefsarenotrequiredtoconsultwiththeNCHSConfidentialityOfficer.However, if

aguidelineappearsunreasonableinagivensituation,approvalforaspecialexceptionshouldberequestedfromtheNCHS


Aspecificexceptionnotrequiringspecialapprovalappliesinthefieldofvitalstatistics.Ithasbeenalongstanding

traditioninthefieldofvitalstatisticsnottosuppresssmallfrequencycellsinthetabulationandpresentationofdata.For

example,ithasbeenconsideredimportanttoknowthatthereweretwodeathsfromrabiesinRioArribaCounty,NewMexico,inagivenyear,orthattherewereonlyoneinfantdeathandtwofetaldeathsinAitkinCounty,NewMexico.

Public release of such tabular data is consented to by data providers and is in the interest ofpublic health. Special

proceduresforthereleaseofmicrodatawithlowlevelsofgeographyand/orexactdateofavitaleventareinplaceandare

describedathttp://www.cdc.gov/nchs/nvss.htm.

10.4

Evaluating

a

Disclosure

Problem

Theremaybemitigatingcircumstancesinagivensituationthatmaymakeitacceptabletopublishdatathat,strictly

speaking,couldresultindisclosures.Suchcircumstancescouldprovidegroundsforrequestingthespecialexception

tothepreviouslynotedrules:

A. Whendatainastudyarebaseduponasmallfractionsample,forexample,lessthan10percentoftheuniverse,it

mightgenerallybeassumedthatdisclosurewillnotoccurthroughpublishedtabulations.However,therecouldbeexceptions.Somuchdetailmaybepresentedthatanindividualuniqueinthepopulationisidentifiedthroughthe

tables ora member of the sample may find himself/herself and others in the data.The usualrules precluding

publicationofsampleestimatesthatdonothaveareasonablysmallrelativesamplingerrorshouldpreventany

disclosuresfromoccurringintabulationsfromsampledata.Thisdoesnotabsolvethereportwriterfromreviewing

tabulationsusingtheprinciplespresentedinthissection.

B. The existence oferrors orimputations in the data brings some small reduction in the likelihood ofdisclosure

throughtablepublication.

- 16 -
http://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htmhttp://www.cdc.gov/nchs/nvss.htm


22/27

C. Incompletenessofreporting,whichoftenoccursevenwherestudiesaresupposedtoinclude100percentofagiven

groupin thepopulation,alsoreducesthecertaintyofanydisclosuretakingplacethroughpublicationofdata.

D. In some instances the danger of disclosure might be mitigated by the fact that the data in question have no

sensitivity. They may already have appeared in a published directory, or th

staffmanual2004.pdf

Documents