Cal. Code Regs. tit. 11 § 828.6

Current through Register 2024 Notice Reg. No. 25, June 21, 2024
Section 828.6 - Procedures for Requesting Identified Individual-Level Data and De-Identified Individual-Level Data from CURES
(a) "Data Request Application," when used in this section, means the application developed by the Department's Research Services for a Bona Fide Researcher to obtain approval to receive Identified Individual-Level Data or De-Identified Individual-Level Data from CURES.
(b) A Bona Fide Researcher must electronically submit a completed Data Request Application to the Department's Research Services.
(c) To complete the Data Request Application, a Bona Fide Researcher must provide all of the following information on the Data Request Application:
(1) Designation as a new request or a modified request.
(2) Date of request.
(3) Name, phone number, and email address of the Bona Fide Researcher.
(4) Address, city, state, and postal code of the Bona Fide Researcher.
(5) Name of the public agency or research body with which the Bona Fide Researcher is affiliated.
(6) Name, phone number, and email address of the public agency's or research body's information security officer or IT manager.
(7) Project title.
(8) Date of anticipated completion of the project or the report.
(9) List of information for each Team Member that includes all of the following:
(A) Name of Team Member.
(B) The physical location from which the Team Member will access individual-level data from CURES.
(C) Whether the Team Member is part of the data analysis team.
(D) Whether the Team Member is part of the IT team.
(10) Signature of the Bona Fide Researcher, and date of signature of the Bona Fide Researcher.
(11) Completed Data Request Application checklist that includes all of the following:
(A) Project outline that describes all of the following:
1. The purposes and objectives of the project or report.
2. How the requested data will be used to support the educational purposes, Peer Review purposes, statistical purposes, or Research Purposes, of the project.
3. The expected benefits of the project.
4. If applicable, the funding source of the project or report, including all of the following:
a. Whether the funding source is a public or private grant.
b. The grant period.
c. The grant expiration date.
5. Proposed project design and methodology, including, but not limited to:
a. Where the data analysis will be conducted.
b. A detailed description of the requested individual-level data from CURES.
6. Security measures, compliant with NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (February 2020), incorporated by reference in this chapter, that the Bona Fide Researcher has in place to prevent the unauthorized access of hard copies or electronic files containing Identified Individual-Level Data or De-Identified Individual-Level Data from CURES, including, but not limited to:
a. Encryption methods.
b. Anti-virus software.
c. Network security.
d. Physical storage location of the data.
e. Risks or confidentiality issues related to the storage location.
f. Whether the data is stored on a device with an internet connection.
g. Any software protection on the device on which the data is stored.
h. Whether hard copies of the data will be stored.
i. If Identified Individual-Level Data is requested, how the Bona Fide Researcher will ensure the elimination of individual identifiers from subject records or publications when the project is completed.
7. Whether the Bona Fide Researcher is capable of transferring data over a secure file transfer protocol.
8. If applicable, any information pertaining to other formal project approvals, including institutional review board approvals for the academic community.
(B) Curriculum vitae of the Bona Fide Researcher.
(C) Signature of the Bona Fide Researcher, and the date of signature of the Bona Fide Researcher, acknowledging the restrictions on use or disclosure of data from CURES, as specified in section 828.4.
(D) Completed Data Request Application security requirements acknowledgement that includes all of the following:
1. The name, the signature, and the date of signature of the public agency's or research body's information security officer or IT manager.
(E) Completed Data Request Application supplemental security requirements acknowledgement that includes all of the following:
1. The name of the public agency or research body.
2. The name, position, signature, and date of signature, of the public agency's or research body's information security officer or IT manager.
(F) Any relevant research materials, including, but not limited to:
1. Proposals.
2. Endorsements.
3. Questionnaires.
(G) Copy of the institutional review board approval and all documentation submitted as part of that review and approval process, including the application number and expiration date. This requirement is not applicable if the Bona Fide Researcher is a public health officer, acting in the capacity of a public health officer, and is requesting De-Identified Individual-Level Data. This approval must demonstrate that the institutional review board is aware of, and has considered, relevant federal and State laws and regulations regarding the general use of human subjects, and specifically the use of human subjects who are incarcerated, minors, or otherwise vulnerable populations.
(H) If the Bona Fide Researcher is requesting Identified Individual-Level Data, the Bona Fide Researcher must comply with Civil Code section 1798.24, subdivision (b), or Civil Code section 1798.24, subdivision (t).
1. To comply with Civil Code section 1798.24, subdivision (b), for purposes of this article, the Bona Fide Researcher must provide a signed CURES 0001 Consent for Use of Personal Information from CURES form (Orig. 07/2021), incorporated by reference in this chapter, for each individual for whom Identified Individual-Level Data is being requested on the Data Request Application. Each signed Consent for Use of Personal Information from CURES form must be retained for at least as long as each consenting individual's Identified Individual-Level Data is retained by the Bona Fide Researcher. The Bona Fide Researcher must obtain a signed Consent for Use of Personal Information from CURES form from each individual not more than 30 days before obtaining the individual's Identified Individual-Level Data from CURES, or within the time limit agreed to by the individual in the individual's signed Consent for Use of Personal Information from CURES form. A Bona Fide Researcher must not obtain an individual's Identified Individual-Level Data from CURES outside of that 30 days, or the time limit agreed to by the individual in the individual's signed Consent for Use of Personal Information from CURES form, unless the individual has provided a renewed Consent for Use of Personal Information from CURES form. If any individual withdraws consent to obtain that individual's Identified Individual-Level Data from CURES, the Bona Fide Researcher must immediately notify the Department's Research Services of that withdrawal of consent.
2. To comply with Civil Code section 1798.24, subdivision (t), for purposes of this article, the Bona Fide Researcher must obtain formal approval for the use of Identified Individual-Level Data, in accordance with the requirements of Civil Code section 1798.24, subdivision (t), by the Committee for the Protection of Human Subjects for the California Health and Human Services Agency or the Bona Fide Researcher's institutional review board, if that institutional review board has a written agreement with the Committee for the Protection of Human Subjects for that institutional review board to provide the data security approvals required by Civil Code section 1798.24, subdivision (t). The Bona Fide Researcher may first submit its application to the Department's Research Services. If the Bona Fide Researcher has met all other application and security requirements pursuant to these regulations and would be approved by the Department's Research Services, the Department's Research Services will provide written documentation to the Bona Fide Researcher to allow the Committee for the Protection of Human Subjects to review the Bona Fide Researcher's application. The Bona Fide Researcher must provide written verification to the Department's Research Services of formal approvals by the Committee for the Protection of Human Subjects or the Bona Fide Researcher's institutional review board, if operating under a written agreement under Civil Code section 1798.24, subdivision (t), for the request of Identified Individual-Level Data from CURES. The written verification must include the review and determination by the Committee for the Protection of Human Subjects or the Bona Fide Researcher's institutional review board, if operating under a written agreement under Civil Code section 1798.24, subdivision (t), that the data security approvals required by Civil Code section 1798.24, subdivision (t), have been satisfied.
(I) Certification of human subjects protection training for the Bona Fide Researcher and all Team Members.
(d) If the Bona Fide Researcher requests remote access authorization, the Bona Fide Researcher and each applicable Team Member must complete and submit a DOJRS 0003 Researcher Confidentiality and Non-Disclosure Agreement (Rev. 05/2024), incorporated by reference in this chapter, and a DOJRS 0002 Researcher Data Access User Agreement (Rev. 05/2024), incorporated by reference in this chapter. If the Bona Fide Researcher or any Team Member is unable to meet the security requirements of the Researcher Data Access User Agreement, that Bona Fide Researcher or Team Member may submit a DOJRS 0001 Security Variance Form for Data Access Non-Compliance of Security Requirements (Rev. 05/2024), incorporated by reference in this chapter, for consideration by the Department's Research Services.
(e) If the Data Request Application is approved, the Bona Fide Researcher and all Team Members must complete and submit a notarized identification verification. After all notarized identification verifications, applicable Researcher Confidentiality and Non-Disclosure Agreements, applicable Researcher Data Access User Agreements, and applicable Security Variance Form for Data Access Non-Compliance of Security Requirements are received and approved, the Department's Research Services will securely transfer the requested De-Identified Individual-Level Data or Identified Individual-Level Data to the Bona Fide Researcher.
(f) The Bona Fide Researcher must complete the Department's Research Services renewal process during the 90 days before the expiration date of the approved Data Request Application. The Department's Research Services will notify the Bona Fide Researcher to submit a project renewal before the expiration date of the approved Data Request Application. A Bona Fide Researcher must submit all of the following:
(1) A written project renewal, on the Bona Fide Researcher's official letterhead, to the Department's Research Services, that includes all of the following information:
(A) Any personnel changes and updated contact information, including removal or addition of the Bona Fide Researcher or other Team Members.
(B) Any technology changes to the location or procedures around where the individual-level data from CURES is stored or accessed.
(C) Any environmental changes to the location or procedures around where the individual-level data from CURES is stored or accessed.
(D) The name and contact information of the public agency's or research body's information security officer or IT manager.
(E) If applicable, a copy of the institutional review board approval and all documentation submitted as part of that review and approval process, including the application number and expiration date.
(F) A certification of human subjects protection training for the Bona Fide Researcher and all Team Members.
(2) If continued remote access authorization is requested, renewed Researcher Confidentiality and Non-Disclosure Agreements and Researcher Data Access User Agreements for the Bona Fide Researcher and each Team Member. If the Bona Fide Researcher or any Team Member is unable to meet the security requirements of the Researcher Data Access User Agreement, that Bona Fide Researcher or Team Member may submit a Security Variance Form for consideration by the Department's Research Services.
(g) When the Bona Fide Researcher has concluded a research project or report, in accordance with the restrictions on use or disclosure of data from CURES, as specified in section 828.4, the Bona Fide Researcher must submit to the Department's Research Services, in writing, a signed and dated certificate of data destruction confirming all of the following:
(1) The project name and project number.
(2) The type of data to be destroyed.
(3) The name of the Bona Fide Researcher.
(4) All confidential information received from the Department's Research Services has been sanitized using one or more of the approved destruction methods listed in National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitization (December 2014).
(5) The date that all electronic files containing Identified Individual-Level Data or De-Identified Individual-Level Data from CURES were destroyed.
(6) The name of the witness or witnesses.
(7) The position of the witness or witnesses in the research team.
(8) Acknowledgement by the Bona Fide Researcher that failure to comply with the data destruction protocols required by this section may result in an audit of the project associated with the Identified Individual-Level Data or De-Identified Individual-Level Data from CURES.
(9) A description of the items disposed of or destroyed.
(10) An explanation of the method of destruction used.
(h) National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitization (December 2014) is incorporated by reference in this chapter.

Cal. Code Regs. Tit. 11, § 828.6

Note: Authority cited: Section 11165, Health and Safety Code. Reference: Section 11165, Health and Safety Code; and Section 1798.24, Civil Code.


1. Renumbering and amendment of former section 826.6 to new section 828.6 filed 8-15-2022; operative 8/15/2022 pursuant to Government Code section 11343.4(b)(3) (Register 2022, No. 33).
2. Change without regulatory effect amending subsections (a)-(b), (c)(11)(H)1.-2., (d)-(f)(1), (f)(1)(F)(2), (g) and (g)(4) filed 5-29-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 22).