Appendix G Privacy Certificate

NOT HUMAN RESEARCH DETERMINATION
March 12, 2020
Stephanie Hawkins
919-485-5723, x25723
hawkins@rti.org
Dear Stephanie Hawkins:
On 3/12/2020, the IRB reviewed the following submission:
Type of Review:
Title:
Investigator:
IRB ID:
Funding Source:
Customer/Client Name:
Project/Proposal Number:
Contract/Grant Number:
IND, IDE, or HDE:

Initial Study
FY 18 Redesign
Stephanie Hawkins
STUDY00020991
Dept of Justice OJJDP
Dept of Justice OJJDP
0216671.000
2018-JX-FX-K001
None

The IRB determined that the proposed activity is not research involving human subjects as
defined by 28 CFR 46.
Although RTI IRB oversight of this activity is not required, this determination applies only to the
activities described in the IRB submission and may not apply should any changes be made. If the
nature or scope of the activity changes and there are questions about whether the revised
activities constitute human subjects research, you should contact the IRB to discuss whether a
new submission and determination is necessary.
Sincerely,
The RTI Office of Research Protection

Privacy Certificate
Grantee Stephanie Hawkins, RTI International, certifies that data identifiable to a private
person will not be used or revealed, except as authorized in 28 CFR Part 22, Sections
§22.21 & §22.22.
Brief Description of Project (required by 28 CFR §22.23(b):
Grantee will partner with OJJDP to evaluate, redesign, and field test the Census of Juveniles
in Residential Placement (CJRP) and the Juvenile Residential Facility Census (JRFC). Tasks
associated with this project include convening a panel of juvenile justice and survey
methodology experts, appraising the current CJRP and JRFC, assessing current data needs
about juvenile residential placement, and developing new versions of the surveys.
The new surveys will first be tested with cognitive interviews with no more than 40 minutes
participants representing administrative staff at 40 juvenile residential facilities. Cognitive
interviews will take place over the phone and will last approximately 1.5 hours. The surveys
will be revised after the cognitive testing and prepared for a field test.
The surveys will be tested with a target sample of 202 respondents to each survey, for a
total of 404 facility respondents. Respondents will be representatives of 404 juvenile
residential facilities.
All focus group guides, cognitive interviews, and the field test, along with consent
procedures for each will be shared with NIJ in the form of an updated privacy certificate
once drafted and before implementation. Content of the surveys for cognitive interviews and
the field test will be determined by the design work under the contract under the
consultation of the expert panel, but will include questions about the number of residents in
a facility, the types of sentences, demographic characteristics, treatment programs, etc.
RTI will prepare reports on the cognitive interviewing and the field test results. These
reports will not identify respondents by name or facility name but may indicate their
demographic characteristics, facility characteristics and location as part of the analysis.
Grantee certifies that any private person from whom identifiable information is collected or
obtained shall be notified, in accordance with 28 CFR §22.27, that such data will only be
used or revealed for research or statistical purposes, compliance with the request for
information is not mandatory, and participation in the project may be terminated at any
time. In addition, grantee certifies that where findings in a project cannot, by virtue of
sample size or uniqueness of subject, be expected to totally conceal the identity of an
individual, such individual shall be so advised.
Procedures to notify subjects that such data will only be used or revealed for
research or statistical purposes and that compliance with the request for
information is not mandatory and participation in the project may be terminated at
any time as required by 28 CFR §22.23(b)(4):
Consent procedures will be used to notify focus group participants, cognitive interview
participants and field test respondents that their data will only be used or revealed for
research or statistical purposes. For the cognitive interviews, participants will be emailed or
mailed the consent form in advance. When the telephone interview begins, the cognitive
interviewer will go over the content of the form with the participant and obtain their consent
verbally before continuing with the interview. For the field test, the survey will be selfadministered. The advance letter/email will provide information on the use of the data.
Further procedures will be developed and submitted in a revised privacy certificate and will
be fully compliant with 28 CFR 22.23 (b)(4).

If notification of subjects is to be waived, pursuant to 28 CFR §22.27(c), please
provide a justification:
A waiver is not requested.
Grantee certifies that project plans will be designed to preserve the confidentiality of private
persons to whom information relates, including where appropriate, name-stripping, coding
of data, or other similar procedures.
Procedures developed to preserve the confidentiality of personally identifiable
information, as required by 28 CFR §22.23(b)(7):
RTI has systems and procedures in place to ensure that CJRP and JFRC will be maintained in
a manner that protects the confidentiality of the data. All data files that contain information
identifiable to a private person as defined under 28 CFR §22.2(e) will be located on a secure
file server within the RTI secure network. Access to the CJRP and JFRC areas of this server
will be controlled by granting privileges only to those staff who need to access the data. All
of RTI's servers are located on the RTI side of our firewall and are not accessible from
outside the RTI network.
Grantee certifies that, if applicable, a log will be maintained indicating that (1) identifiable
data have been transferred to persons other than employees of NIJ, BJA, BJS, OJJDP, OVC,
OJP, or grantee/contractor/subcontractor staff; and (2) such data have been returned or
that alternative arrangements have been agreed upon for future maintenance of such data,
in accordance with 28 CFR §22.23(b)(6).
Justification for the collection and/or maintenance of any data in identifiable form,
if applicable:
For some tasks, identifiable information is part of the sampling frames from which we draw
samples and recruit research subjects. Our practice is to maintain identifiable data separate
from the other administrative and survey data we collect, and these files, along with the link
file that can be used to associate identified individuals with their survey data, are
maintained at all times securely on RTI servers.
Procedures for data storage, as required by 28 CFR §22.23(b)(5):
All data for the CJRP and JFRC will be stored in a responsible, appropriate, and sufficiently
protected manner. All data files that contain information identifiable to a private person as
defined under 28 CFR §22.2(e) will be stored on a secure file server located within the RTI
secure network. Access to the CJRP and JFRC areas of this server will be controlled by
granting privileges only to those staff who need to access the data. All of RTI's servers
containing client data are owned by RTI on assets controlled by RTI administrators including
any disaster recovery colocation servers and devices (as required for compliance purposes).
Only information that does not include ANY personally identifiable data and that are defined
under 28 CFR § 22.20(b) as “…records which are designated under existing statutes as
public; or to any information extracted from any records designated as public,” may be
stored, transmitted, or accessed via a cloud service provider. Any cloud service provider
will be subject to rigorous review by RTI’s evaluation committee.
Grantee certifies that all contractors, subcontractors, and consultants requiring access to
identifiable data will agree, through conditions in their subcontract or consultant agreement,
to comply with the requirements of 28 CFR §22.24, regarding information transfer
agreements. Grantee also certifies that the sponsor will be provided with copies of any and

all transfer agreements before they are executed, as well as the name and title of the
individual(s) with the authority to transfer data.
Description of any institutional limitations or restrictions on the transfer of data in
identifiable form, if applicable:
N/A.
Name and title of individual with the authority to transfer data:
Stephanie Hawkins
Grantee certifies that access to the data will be limited to those employees having a need
for such data and that such employees will be advised of and agree in writing to comply
with the regulations in 28 CFR Part 22.
Grantee certifies that all project personnel, including subcontractors, will be advised of and
agree, in writing, to comply with all procedures to protect privacy and the confidentiality of
personally identifiable information before being granted access to such information.
Access to data is restricted to the following individuals, as required by 28 CFR
§22.23(b)(2):
Principal Investigator(s):
Stephanie Hawkins
Project Staff:
Debbie Dawes, Rebecca Powell, Megan Waggy, Amanda Smith, Sherri Spinks, Camille
Gourdet, Eric Villeneuve, Yamanda Wright
Consultant:
Howard Snyder
Grantee certifies that adequate precautions will be taken to ensure administrative and
physical security of identifiable data and to preserve the confidentiality of the personally
identifiable information. A category of individuals, characterized as institutional personnel,
in the course of doing work on the project, may have incidental access to project data.
Those individuals shall view the data only as necessitated by the terms of their position at
RTI for investigatory or compliance purposes (such as a security incident, personnel issue,
etc.) and then, only in accordance with their job requirements. Such institutional personnel
may include but is not limited to members of the Institutional Review Board (IRB), the
Privacy Officer, Compliance Officer, members of the Information Technology staff and Office
of Corporate Counsel. Personnel have received and acknowledge training on sensitive
information, personally identifiable information and Protected Health Information as
applicable.
Procedures to insure the physical and administrative security of data, as required
by 28 CFR §22.25(b), including, if applicable, a description of those procedures
used to secure a name index:
We will take adequate precautions to ensure physical and administrative security of
identifiable data including measures such as segregation of data, encryption, secure storage
of hard copies, audit logs, and restriction of access.
Procedures for the final disposition of data, as required by 28 CFR §22.25:
In accordance with 28 CFR §22.25, upon completion of the pilot test, the security of
identifiable research or statistical information will be protected by the removal of identifiers

from data and/or separate maintenance of a name-code index in a secure location. The
name-code index will be maintained within the access-controlled/restricted confines of RTI’s
infrastructure.
Name and title of individual authorized to determine the final disposition of data:
Stephanie Hawkins
Project Director
Grantee certifies that copies of all questionnaires, informed consent forms and informed
consent procedures that have been developed are included in the submission of this
proposal are attached to this Privacy Certificate.
Grantee certifies that project findings and reports prepared for dissemination will not
contain information which can reasonably be expected to be identifiable to a private person,
except as authorized by 28 CFR §22.22.
Grantee certifies that the procedures described above are correct and shall be carried out.
Upon award and as required by regulation, these procedures will be submitted to the RTI
IRB for review and approval. If revisions to such procedures are required, they will be
submitted and approved by the RTI IRB before implementation of such changes to ensure
ongoing compliance with the relevant regulations. In addition, if these or any future
revisions represent a material change from the information and procedures provided in this
Privacy Certificate, the sponsor shall be notified, and the Privacy Certificate will be amended
as necessary.
Grantee certifies that the project will be conducted in accordance with all the requirements
of the Omnibus Crime Control and Safe Streets Act of 1968 as amended and the regulations
contained in 28 CFR Part 22.
Signature(s):

(Principal Investigator) Date:

March 13, 2020

_________________________(Principal Investigator) Date: ____________________

March 16, 2020
_________________________(Institutional Representative*) Date: _______________

3/16/2020
XXXXXXXXXXXX
_________________________(IRB
Representative/Privacy Officer**) Date:____________