Cal. Code Regs. Tit. 11, § 828.6 - Procedures for Requesting Identified Individual-Level Data and De-Identified Individual-Level Data from CURES
(a) "Data
Request Application," when used in this section, means the application developed by
the Department 's Research Services for a Bona Fide Researcher to obtain approval to
receive Identified Individual-Level Data or De-Identified Individual-Level Data from
CURES .
(b) A Bona Fide Researcher must
electronically submit a completed Data Request Application to the Department 's
Research Services.
(c) To complete the
Data Request Application, a Bona Fide Researcher must provide all of the following
information on the Data Request Application:
(1)
Designation as a new request or a modified request.
(2) Date of request.
(3) Name, phone number, and email address of the
Bona Fide Researcher .
(4) Address, city,
state, and postal code of the Bona Fide Researcher .
(5) Name of the public agency or research body
with which the Bona Fide Researcher is affiliated.
(6) Name, phone number, and email address of the
public agency 's or research body's information security officer or IT
manager.
(7) Project title.
(8) Date of anticipated completion of the project
or the report .
(9) List of information
for each Team Member that includes all of the following:
(A) Name of Team Member .
(B) The physical location from which the Team
Member will access individual-level data from CURES .
(C) Whether the Team Member is part of the data
analysis team.
(D) Whether the Team
Member is part of the IT team.
(10) Signature of the Bona Fide Researcher , and
date of signature of the Bona Fide Researcher .
(11) Completed Data Request Application checklist
that includes all of the following:
(A) Project
outline that describes all of the following:
1. The
purposes and objectives of the project or report .
2. How the requested data will be used to support
the educational purposes, Peer Review purposes, statistical purposes, or Research
Purposes , of the project.
3. The
expected benefits of the project.
4. If
applicable, the funding source of the project or report , including all of the
following:
a. Whether the funding source is a
public or private grant.
b. The grant
period.
c. The grant expiration
date.
5. Proposed project
design and methodology, including, but not limited to:
a. Where the data analysis will be
conducted.
b. A detailed description of
the requested individual-level data from CURES .
6. Security measures, compliant with NIST Special
Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in
Nonfederal Systems and Organizations (February 2020), incorporated by reference in
this chapter, that the Bona Fide Researcher has in place to prevent the unauthorized
access of hard copies or electronic files containing Identified Individual-Level
Data or De-Identified Individual-Level Data from CURES , including, but not limited
to:
a. Encryption methods.
b. Anti-virus software.
c. Network security.
d. Physical storage location of the
data.
e. Risks or confidentiality issues
related to the storage location.
f.
Whether the data is stored on a device with an internet connection.
g. Any software protection on the device on which
the data is stored.
h. Whether hard
copies of the data will be stored.
i. If
Identified Individual-Level Data is requested, how the Bona Fide Researcher will
ensure the elimination of individual identifiers from subject records or
publications when the project is completed.
7. Whether the Bona Fide Researcher is capable of
transferring data over a secure file transfer protocol.
8. If applicable, any information pertaining to
other formal project approvals, including institutional review board approvals for
the academic community.
(B)
Curriculum vitae of the Bona Fide Researcher .
(C) Signature of the Bona Fide Researcher , and the
date of signature of the Bona Fide Researcher , acknowledging the restrictions on use
or disclosure of data from CURES , as specified in section
828.4.
(D) Completed Data Request Application security
requirements acknowledgement that includes all of the following:
1. The name, the signature, and the date of
signature of the public agency 's or research body's information security officer or
IT manager.
(E) Completed Data
Request Application supplemental security requirements acknowledgement that includes
all of the following:
1. The name of the public
agency or research body.
2. The name,
position, signature, and date of signature, of the public agency 's or research
body's information security officer or IT manager.
(F) Any relevant research materials, including,
but not limited to:
1. Proposals.
2. Endorsements.
3. Questionnaires.
(G) Copy of the institutional review board
approval and all documentation submitted as part of that review and approval
process, including the application number and expiration date. This requirement is
not applicable if the Bona Fide Researcher is a public health officer, acting in the
capacity of a public health officer, and is requesting De-Identified
Individual-Level Data . This approval must demonstrate that the institutional review
board is aware of, and has considered, relevant federal and State laws and
regulations regarding the general use of human subjects, and specifically the use of
human subjects who are incarcerated, minors, or otherwise vulnerable
populations.
(H) If the Bona Fide
Researcher is requesting Identified Individual-Level Data , the Bona Fide Researcher
must comply with Civil Code section
1798.24, subdivision
(b), or Civil Code section
1798.24, subdivision
(t).
1. To comply with Civil Code section
1798.24, subdivision
(b), for purposes of this article, the Bona Fide Researcher must provide a signed
CURES 0001 Consent for Use of Personal Information from CURES form (Orig. 07/2021),
incorporated by reference in this chapter, for each individual for whom Identified
Individual-Level Data is being requested on the Data Request Application. Each
signed Consent for Use of Personal Information from CURES form must be retained for
at least as long as each consenting individual's Identified Individual-Level Data is
retained by the Bona Fide Researcher . The Bona Fide Researcher must obtain a signed
Consent for Use of Personal Information from CURES form from each individual not
more than 30 days before obtaining the individual's Identified Individual-Level Data
from CURES , or within the time limit agreed to by the individual in the individual's
signed Consent for Use of Personal Information from CURES form. A Bona Fide
Researcher must not obtain an individual's Identified Individual-Level Data from
CURES outside of that 30 days, or the time limit agreed to by the individual in the
individual's signed Consent for Use of Personal Information from CURES form, unless
the individual has provided a renewed Consent for Use of Personal Information from
CURES form. If any individual withdraws consent to obtain that individual's
Identified Individual-Level Data from CURES , the Bona Fide Researcher must
immediately notify the Department 's Research Services of that withdrawal of
consent.
2. To comply with Civil Code
section
1798.24, subdivision
(t), for purposes of this article, the Bona Fide Researcher must obtain formal
approval for the use of Identified Individual-Level Data , in accordance with the
requirements of Civil Code section
1798.24, subdivision
(t), by the Committee for the Protection of Human Subjects for the California Health
and Human Services Agency or the Bona Fide Researcher 's institutional review board,
if that institutional review board has a written agreement with the Committee for
the Protection of Human Subjects for that institutional review board to provide the
data security approvals required by Civil Code section
1798.24, subdivision
(t). The Bona Fide Researcher may first submit its application to the Department 's
Research Services. If the Bona Fide Researcher has met all other application and
security requirements pursuant to these regulations and would be approved by the
Department 's Research Services, the Department 's Research Services will provide
written documentation to the Bona Fide Researcher to allow the Committee for the
Protection of Human Subjects to review the Bona Fide Researcher 's application. The
Bona Fide Researcher must provide written verification to the Department 's Research
Services of formal approvals by the Committee for the Protection of Human Subjects
or the Bona Fide Researcher 's institutional review board, if operating under a
written agreement under Civil Code section
1798.24, subdivision
(t), for the request of Identified Individual-Level Data from CURES . The written
verification must include the review and determination by the Committee for the
Protection of Human Subjects or the Bona Fide Researcher 's institutional review
board, if operating under a written agreement under Civil Code section
1798.24, subdivision
(t), that the data security approvals required by Civil Code section
1798.24, subdivision
(t), have been satisfied.
(I)
Certification of human subjects protection training for the Bona Fide Researcher and
all Team Members.
(d) If the Bona Fide Researcher requests remote
access authorization, the Bona Fide Researcher and each applicable Team Member must
complete and submit a DOJRS 0003 Researcher Confidentiality and Non-Disclosure
Agreement (Rev. 05/2024), incorporated by reference in this chapter, and a DOJRS
0002 Researcher Data Access User Agreement (Rev. 05/2024), incorporated by reference
in this chapter. If the Bona Fide Researcher or any Team Member is unable to meet
the security requirements of the Researcher Data Access User Agreement, that Bona
Fide Researcher or Team Member may submit a DOJRS 0001 Security Variance Form for
Data Access Non-Compliance of Security Requirements (Rev. 05/2024), incorporated by
reference in this chapter, for consideration by the Department 's Research
Services.
(e) If the Data Request
Application is approved, the Bona Fide Researcher and all Team Members must complete
and submit a notarized identification verification. After all notarized
identification verifications, applicable Researcher Confidentiality and
Non-Disclosure Agreements, applicable Researcher Data Access User Agreements, and
applicable Security Variance Form for Data Access Non-Compliance of Security
Requirements are received and approved, the Department 's Research Services will
securely transfer the requested De-Identified Individual-Level Data or Identified
Individual-Level Data to the Bona Fide Researcher .
(f) The Bona Fide Researcher must complete the
Department 's Research Services renewal process during the 90 days before the
expiration date of the approved Data Request Application. The Department 's Research
Services will notify the Bona Fide Researcher to submit a project renewal before the
expiration date of the approved Data Request Application. A Bona Fide Researcher
must submit all of the following:
(1) A written
project renewal, on the Bona Fide Researcher 's official letterhead, to the
Department 's Research Services, that includes all of the following information:
(A) Any personnel changes and updated contact
information, including removal or addition of the Bona Fide Researcher or other Team
Members.
(B) Any technology changes to
the location or procedures around where the individual-level data from CURES is
stored or accessed.
(C) Any
environmental changes to the location or procedures around where the
individual-level data from CURES is stored or accessed.
(D) The name and contact information of the public
agency 's or research body's information security officer or IT manager.
(E) If applicable, a copy of the institutional
review board approval and all documentation submitted as part of that review and
approval process, including the application number and expiration date.
(F) A certification of human subjects protection
training for the Bona Fide Researcher and all Team Members.
(2) If continued remote access authorization is
requested, renewed Researcher Confidentiality and Non-Disclosure Agreements and
Researcher Data Access User Agreements for the Bona Fide Researcher and each Team
Member . If the Bona Fide Researcher or any Team Member is unable to meet the
security requirements of the Researcher Data Access User Agreement, that Bona Fide
Researcher or Team Member may submit a Security Variance Form for consideration by
the Department 's Research Services.
(g) When the Bona Fide Researcher has concluded a
research project or report , in accordance with the restrictions on use or disclosure
of data from CURES , as specified in section
828.4, the Bona Fide Researcher must
submit to the Department 's Research Services, in writing, a signed and dated
certificate of data destruction confirming all of the following:
(1) The project name and project number.
(2) The type of data to be destroyed.
(3) The name of the Bona Fide
Researcher .
(4) All confidential
information received from the Department 's Research Services has been sanitized
using one or more of the approved destruction methods listed in National Institute
of Standards and Technology (NIST) Special Publication 800-88, Revision 1,
Guidelines for Media Sanitation (December 2014).
(5) The date that all electronic files containing
Identified Individual-Level Data or De-Identified Individual-Level Data from CURES
were destroyed.
(6) The name of the
witness or witnesses.
(7) The position
of the witness or witnesses in the research team.
(8) Acknowledgement by the Bona Fide Researcher
that failure to comply with the data destruction protocols required by this section
may result in an audit of the project associated with the Identified
Individual-Level Data or De-Identified Individual-Level Data from CURES .
(9) A description of the items disposed of or
destroyed.
(10) An explanation of the
method of destruction used.
(h) National Institute of Standards and Technology
(NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitation
(December 2014) is incorporated by reference in this chapter.
Notes
Note: Authority cited: Section 11165, Health and Safety Code. Reference: Section 11165, Health and Safety Code; and Section 1798.24, Civil Code.
Note: Authority cited: Section 11165, Health and Safety Code. Reference: Section 11165, Health and Safety Code; and Section 1798.24, Civil Code.
2. Change without regulatory effect amending subsections (a)-(b), (c)(11)(H)1.-2., (d)-(f)(1), (f)(1)(F)(2), (g) and (g)(4) filed 5-29-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 22).
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
(a) "Data Request Application," when used in this section, means the application developed by the Department's Research Services for a Bona Fide Researcher to obtain approval to receive Identified Individual-Level Data or De-Identified Individual-Level Data from CURES.
(b) A Bona Fide Researcher must electronically submit a completed Data Request Application to the Department's Research Services.
(c) To complete the Data Request Application, a Bona Fide Researcher must provide all of the following information on the Data Request Application:
(1) Designation as a new request or a modified request.
(2) Date of request.
(3) Name, phone number, and email address of the Bona Fide Researcher.
(4) Address, city, state, and postal code of the Bona Fide Researcher.
(5) Name of the public agency or research body with which the Bona Fide Researcher is affiliated.
(6) Name, phone number, and email address of the public agency's or research body's information security officer or IT manager.
(7) Project title.
(8) Date of anticipated completion of the project or the report.
(9) List of information for each Team Member that includes all of the following:
(A) Name of Team Member.
(B) The physical location from which the Team Member will access individual-level data from CURES.
(C) Whether the Team Member is part of the data analysis team.
(D) Whether the Team Member is part of the IT team.
(10) Signature of the Bona Fide Researcher, and date of signature of the Bona Fide Researcher.
(11) Completed Data Request Application checklist that includes all of the following:
(A) Project outline that describes all of the following:
1. The purposes and objectives of the project or report.
2. How the requested data will be used to support the educational purposes, Peer Review purposes, statistical purposes, or Research Purposes, of the project.
3. The expected benefits of the project.
4. If applicable, the funding source of the project or report, including all of the following:
a. Whether the funding source is a public or private grant.
b. The grant period.
c. The grant expiration date.
5. Proposed project design and methodology, including, but not limited to:
a. Where the data analysis will be conducted.
b. A detailed description of the requested individual-level data from CURES.
6. Security measures, compliant with NIST Special Publication 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (February 2020), incorporated by reference in this chapter, that the Bona Fide Researcher has in place to prevent the unauthorized access of hard copies or electronic files containing Identified Individual-Level Data or De-Identified Individual-Level Data from CURES, including, but not limited to:
a. Encryption methods.
b. Anti-virus software.
c. Network security.
d. Physical storage location of the data.
e. Risks or confidentiality issues related to the storage location.
f. Whether the data is stored on a device with an internet connection.
g. Any software protection on the device on which the data is stored.
h. Whether hard copies of the data will be stored.
i. If Identified Individual-Level Data is requested, how the Bona Fide Researcher will ensure the elimination of individual identifiers from subject records or publications when the project is completed.
7. Whether the Bona Fide Researcher is capable of transferring data over a secure file transfer protocol.
8. If applicable, any information pertaining to other formal project approvals, including institutional review board approvals for the academic community.
(B) Curriculum vitae of the Bona Fide Researcher.
(C) Signature of the Bona Fide Researcher, and the date of signature of the Bona Fide Researcher, acknowledging the restrictions on use or disclosure of data from CURES, as specified in section 828.4.
(D) Completed Data Request Application security requirements acknowledgement that includes all of the following:
1. The name, the signature, and the date of signature of the public agency's or research body's information security officer or IT manager.
(E) Completed Data Request Application supplemental security requirements acknowledgement that includes all of the following:
1. The name of the public agency or research body.
2. The name, position, signature, and date of signature, of the public agency's or research body's information security officer or IT manager.
(F) Any relevant research materials, including, but not limited to:
1. Proposals.
2. Endorsements.
3. Questionnaires.
(G) Copy of the institutional review board approval and all documentation submitted as part of that review and approval process, including the application number and expiration date. This requirement is not applicable if the Bona Fide Researcher is a public health officer, acting in the capacity of a public health officer, and is requesting De-Identified Individual-Level Data. This approval must demonstrate that the institutional review board is aware of, and has considered, relevant federal and State laws and regulations regarding the general use of human subjects, and specifically the use of human subjects who are incarcerated, minors, or otherwise vulnerable populations.
(H) If the Bona Fide Researcher is requesting Identified Individual-Level Data, the Bona Fide Researcher must comply with Civil Code section 1798.24, subdivision (b), or Civil Code section 1798.24, subdivision (t).
1. To comply with Civil Code section 1798.24, subdivision (b), for purposes of this article, the Bona Fide Researcher must provide a signed CURES 0001 Consent for Use of Personal Information from CURES form (Orig. 07/2021), incorporated by reference in this chapter, for each individual for whom Identified Individual-Level Data is being requested on the Data Request Application. Each signed Consent for Use of Personal Information from CURES form must be retained for at least as long as each consenting individual's Identified Individual-Level Data is retained by the Bona Fide Researcher. The Bona Fide Researcher must obtain a signed Consent for Use of Personal Information from CURES form from each individual not more than 30 days before obtaining the individual's Identified Individual-Level Data from CURES, or within the time limit agreed to by the individual in the individual's signed Consent for Use of Personal Information from CURES form. A Bona Fide Researcher must not obtain an individual's Identified Individual-Level Data from CURES outside of that 30 days, or the time limit agreed to by the individual in the individual's signed Consent for Use of Personal Information from CURES form, unless the individual has provided a renewed Consent for Use of Personal Information from CURES form. If any individual withdraws consent to obtain that individual's Identified Individual-Level Data from CURES, the Bona Fide Researcher must immediately notify the Department's Research Services of that withdrawal of consent.
2. To comply with Civil Code section 1798.24, subdivision (t), for purposes of this article, the Bona Fide Researcher must obtain formal approval for the use of Identified Individual-Level Data, in accordance with the requirements of Civil Code section 1798.24, subdivision (t), by the Committee for the Protection of Human Subjects for the California Health and Human Services Agency or the Bona Fide Researcher's institutional review board, if that institutional review board has a written agreement with the Committee for the Protection of Human Subjects for that institutional review board to provide the data security approvals required by Civil Code section 1798.24, subdivision (t). The Bona Fide Researcher may first submit its application to the Department's Research Services. If the Bona Fide Researcher has met all other application and security requirements pursuant to these regulations and would be approved by the Department's Research Services, the Department's Research Services will provide written documentation to the Bona Fide Researcher to allow the Committee for the Protection of Human Subjects to review the Bona Fide Researcher's application. The Bona Fide Researcher must provide written verification to the Department's Research Services of formal approvals by the Committee for the Protection of Human Subjects or the Bona Fide Researcher's institutional review board, if operating under a written agreement under Civil Code section 1798.24, subdivision (t), for the request of Identified Individual-Level Data from CURES. The written verification must include the review and determination by the Committee for the Protection of Human Subjects or the Bona Fide Researcher's institutional review board, if operating under a written agreement under Civil Code section 1798.24, subdivision (t), that the data security approvals required by Civil Code section 1798.24, subdivision (t), have been satisfied.
(I) Certification of human subjects protection training for the Bona Fide Researcher and all Team Members.
(d) If the Bona Fide Researcher requests remote access authorization, the Bona Fide Researcher and each applicable Team Member must complete and submit a DOJRS 0003 Researcher Confidentiality and Non-Disclosure Agreement (Rev. 05/2024), incorporated by reference in this chapter, and a DOJRS 0002 Researcher Data Access User Agreement (Rev. 05/2024), incorporated by reference in this chapter. If the Bona Fide Researcher or any Team Member is unable to meet the security requirements of the Researcher Data Access User Agreement, that Bona Fide Researcher or Team Member may submit a DOJRS 0001 Security Variance Form for Data Access Non-Compliance of Security Requirements (Rev. 05/2024), incorporated by reference in this chapter, for consideration by the Department's Research Services.
(e) If the Data Request Application is approved, the Bona Fide Researcher and all Team Members must complete and submit a notarized identification verification. After all notarized identification verifications, applicable Researcher Confidentiality and Non-Disclosure Agreements, applicable Researcher Data Access User Agreements, and applicable Security Variance Form for Data Access Non-Compliance of Security Requirements are received and approved, the Department's Research Services will securely transfer the requested De-Identified Individual-Level Data or Identified Individual-Level Data to the Bona Fide Researcher.
(f) The Bona Fide Researcher must complete the Department's Research Services renewal process during the 90 days before the expiration date of the approved Data Request Application. The Department's Research Services will notify the Bona Fide Researcher to submit a project renewal before the expiration date of the approved Data Request Application. A Bona Fide Researcher must submit all of the following:
(1) A written project renewal, on the Bona Fide Researcher's official letterhead, to the Department's Research Services, that includes all of the following information:
(A) Any personnel changes and updated contact information, including removal or addition of the Bona Fide Researcher or other Team Members.
(B) Any technology changes to the location or procedures around where the individual-level data from CURES is stored or accessed.
(C) Any environmental changes to the location or procedures around where the individual-level data from CURES is stored or accessed.
(D) The name and contact information of the public agency's or research body's information security officer or IT manager.
(E) If applicable, a copy of the institutional review board approval and all documentation submitted as part of that review and approval process, including the application number and expiration date.
(F) A certification of human subjects protection training for the Bona Fide Researcher and all Team Members.
(2) If continued remote access authorization is requested, renewed Researcher Confidentiality and Non-Disclosure Agreements and Researcher Data Access User Agreements for the Bona Fide Researcher and each Team Member. If the Bona Fide Researcher or any Team Member is unable to meet the security requirements of the Researcher Data Access User Agreement, that Bona Fide Researcher or Team Member may submit a Security Variance Form for consideration by the Department's Research Services.
(g) When the Bona Fide Researcher has concluded a research project or report, in accordance with the restrictions on use or disclosure of data from CURES, as specified in section 828.4, the Bona Fide Researcher must submit to the Department's Research Services, in writing, a signed and dated certificate of data destruction confirming all of the following:
(1) The project name and project number.
(2) The type of data to be destroyed.
(3) The name of the Bona Fide Researcher.
(4) All confidential information received from the Department's Research Services has been sanitized using one or more of the approved destruction methods listed in National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitation (December 2014).
(5) The date that all electronic files containing Identified Individual-Level Data or De-Identified Individual-Level Data from CURES were destroyed.
(6) The name of the witness or witnesses.
(7) The position of the witness or witnesses in the research team.
(8) Acknowledgement by the Bona Fide Researcher that failure to comply with the data destruction protocols required by this section may result in an audit of the project associated with the Identified Individual-Level Data or De-Identified Individual-Level Data from CURES.
(9) A description of the items disposed of or destroyed.
(10) An explanation of the method of destruction used.
(h) National Institute of Standards and Technology (NIST) Special Publication 800-88, Revision 1, Guidelines for Media Sanitation (December 2014) is incorporated by reference in this chapter.
Notes
Note: Authority cited: Section 11165, Health and Safety Code. Reference: Section 11165, Health and Safety Code; and Section 1798.24, Civil Code.
Note: Authority cited: Section 11165, Health and Safety Code. Reference: Section 11165, Health and Safety Code; and Section 1798.24, Civil Code.
2. Change without regulatory effect amending subsections (a)-(b), (c)(11)(H)1.-2., (d)-(f)(1), (f)(1)(F)(2), (g) and (g)(4) filed 5-29-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 22).