Section 964 - Restrictions on Use or Disclosure of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data(a) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member may only use CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data as specified in the Data Request Standard Application, and as outlined in this section.(b) For De-Identified Individual-Level Data or Identified Individual-Level Data, a Bona Fide Researcher from a Nonprofit Bona Fide Research Institution shall only obtain CARPOS data during the timeframe defined in the Bona Fide Researcher's Data Request Standard Application.(c) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall not transfer, disclose, or disseminate CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data to any third party, unless approved in the Data Request Standard Application or in writing by the Department's Research Services, and the purpose and transfer, disclosure, or dissemination is authorized by statute or court order. The Department's Research Services shall respond to any request for any transfer, disclosure, or dissemination under this subdivision within 10 business days, and shall either approve it, deny it, or state whether approval depends on any other requirements consistent with these regulations, such as a background check.(d) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall aggregate CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data before it is published, disseminated, disclosed, or released to ensure that it does not create a risk of identifying individuals.(e) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall not publish, disseminate, disclose, or release CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data or documents received from the Department's Research Services in any form if there is a reasonable possibility that an individual can be directly or indirectly identified from the information released, unless approved in writing by the Department's Research Services.(f) Data is considered to have a reasonable possibility of directly or indirectly identifying an individual, if it includes: (1) Any of the following identifying information: (A) Name of Respondent or Petitioner.(B) Federal Bureau of Investigations (FBI) Number or Universal Control Number.(C) California Identification and Index Number.(D) Driver's License Number.(E) Any other PII, either alone or in combination with other factors, including geographic or county-level information, that creates a risk of indirectly identifying that individual.(2) Rates, frequencies, other tabulations, or combined factors, including geographic information (other than state and county-level information) and social stratification information (e.g., gender, race, economics), which will result in a category with fewer than 10 individuals.(g) At least 10 business days before any publication or dissemination of any report, evaluation, or other document that uses or relies on CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data, a Bona Fide Researcher shall provide to the Department's Research Services a complete draft of any report, evaluation, or other document. Within 10 business days of receiving the draft, the Department's Research Services shall review and comment on any draft report, evaluation, or other document, to ensure protection of confidentiality and to confirm that CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data obtained in accordance with this section is used for the project's purpose that was identified in the Data Request Standard Application and approved by the Department's Research Services.(1) If the Department's Research Services determines that any publication, dissemination, disclosure, or release of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data or analyses could compromise the identity of any individual, the Department's Research Services shall notify the Bona Fide Researcher in writing within 10 business days of receiving the draft. The Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall not publish, disseminate, disclose, or release the report, evaluation, or other document containing any CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data or analyses without first removing the data or analyses that could compromise the identity of any individual.(2) If the Department's Research Services determines that any CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data was not used for the purposes for which it was requested, but the use would be a permitted purpose under these regulations, the Department's Research Services shall require the Bona Fide Researcher to submit a new or revised Data Request Standard Application. A new Data Request Standard Application shall be required when the purpose is not reasonably related to the purpose originally stated in the Data Request Standard Application. A revised Data Request Standard Application shall be required when the purpose reasonably relates to the purpose originally stated in the Data Request Standard Application. Any required new or revised Data Request Standard Application will be subject to review and approval in accordance with these regulations.(3) Once the Department's Research Services has completed its review and submitted its comments, the Bona Fide Researcher shall ensure that all subsequent revisions to the report, evaluation, or other document do not create a risk of identifying individuals or otherwise violate the conditions of release.(h) A Nonprofit Bona Fide Research Institution or Bona Fide Researcher may appeal any determination by the Department's Research Services that (1) the Nonprofit Bona Fide Research Institution or Bona Fide Researcher is not permitted to transfer, disclose, or disseminate CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data, (2) any publication, dissemination, disclosure, or release of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data or analyses could compromise the identity of any individual, or (3) that the CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data obtained in accordance with this section was not used for the purposes for which it was requested. (1) Any appeal shall be filed with the Chief of the California Justice Information Services (CJIS) Division within 10 calendar days of receiving the Department's Research Services' findings. The appeal shall be filed at datarequests@doj.ca.gov.(2) The Chief of the CJIS Division may serve as the appeal officer, or may appoint another designee. At their sole discretion, the appeal officer reserves the right to collect additional facts or information to aid in the resolution of any appeal, and to set the timeline for any additional collection of facts.(3) The appeal officer may request other entities, that may have relevant information or evidence that would assist in making the decision, that may be impacted by the decision, and/or that may be affiliated with the Department of Justice, Nonprofit Bona Fide Research Institution, Bona Fide Researcher, including but not limited to, the Department's Research Services, to submit a written response to the appeal request, and has discretion to set the deadlines for any additional written responses.(4) The decision of the appeal officer shall be based on all relevant statutory authority and these regulations, all facts and evidence, including but not limited to, the Department's Research Services denial and facts supporting the denial, the appeal, any other written responses, any additional facts or information collected, the underlying Data Request Standard Application, and any other documents submitted by the Nonprofit Bona Fide Research Institution or Bona Fide Researcher related to the Data Request Standard Application, including but not limited to, any publication. The decision of the appeal officer shall consider the relevant statutory authority, these regulations, and the balance of harms to the Nonprofit Bona Fide Research Institution or Bona Fide Researcher and the public.(5) The appeal officer shall render a decision in writing within 30 calendar days of receiving the appeal.(6) The decision of the appeal officer shall be final and there will be no further administrative appeal.(i) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, Team Member, or Entity, shall not sell any CARPOS Aggregated Data, De-Identified Individual-Level Data, or Identified Individual-Level Data. This prohibition does not apply to any report, evaluation, or other document that uses or relies on Aggregated Data, CARPOS De-Identified Individual-Level Data, or Identified Individual-Level Data.(j) A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall not disclose or transfer CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data in a legal proceeding or in response to a subpoena in the absence of a court order. A Nonprofit Bona Fide Research Institution, Bona Fide Researcher, or Team Member shall give immediate notice to the Department's Research Services of any subpoena or other legal proceeding in which the disclosure or transfer of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data is requested.(k) The Nonprofit Bona Fide Research Institution, Bona Fide Researcher, and Team Member shall protect the confidentiality and security of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data, shall ensure that the system or network containing CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data is secure and segmented from other applications, shall limit access to the system or network to authorized persons identified in the Data Request Standard Application, and shall take the following actions in the event of a security breach:(1) Immediately notify the Department's Research Services of a breach in the security of the system or network.(2) Submit a notification letter to the Department for publication on the Department's public website of any security breach affecting the PII of 500 individuals or more.(3) The Nonprofit Bona Fide Research Institution and/or Bona Fide Researcher shall reimburse the Department for any losses or expenses resulting from the security breach, such as expenses related to credit monitoring for individuals whose data was exposed by the security breach.(l) A Nonprofit Bona Fide Research Institution or Bona Fide Researcher shall notify the Department's Research Services, within 30 days of when the project, as specified in the applicable Data Request Standard Application, has been completed. All restrictions imposed in this section regarding use or disclosure of CARPOS De-Identified Individual-Level Data or Identified Individual-Level Data survive the completion of the project.(m) A Team Member is limited to accessing or analyzing data obtained by a Bona Fide Researcher only for the purposes specified in the Data Request Standard Application.Cal. Code Regs. Tit. 11, § 964
Note: Authority cited: Sections 13202, 14231.5 and 14240, Penal Code. Reference: Sections 13125, 13202, 14231.5 and 14240, Penal Code; and Section 1798.21, Civil Code.
Note: Authority cited: Sections 13202, 14231.5 and 14240, Penal Code. Reference: Sections 13125, 13202, 14231.5 and 14240, Penal Code; and Section 1798.21, Civil Code.
1. New section filed 4-7-2022; operative 7/1/2022 (Register 2022, No. 14). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20.
2. Change without regulatory effect amending subsections (c), (e), (g)-(h)(1), (h)(3)-(4), (j), (k)(1) and (l) filed 5-29-2024 pursuant to section 100, title 1, California Code of Regulations (Register 2024, No. 22).