(a) In accessing or obtaining nonpublic data through the secure environment, users shall only have access to the minimum amount of potentially identifiable data necessary for an approved project or access to a dataset designed for an approved purpose. Each person who accesses or obtains nonpublic personal data shall sign a data use agreement. Violation of a data use agreement shall be considered a violation of Section 1798.56 of the Civil Code and, if applicable, Section 1798.57 of the Civil Code.
(b) Access to data in the secure research environment shall be permissible as follows:
(1) If the data does not include any of the direct personal identifiers listed in Section 164.514(e) of Title 45 of the Code of Federal Regulations, access may be provided to qualified applicants for research and analysis purposes consistent with program goals.
(2) If the data includes any of the direct personal identifiers listed in Section 164.514(e) of Title 45 of the Code of Federal Regulations, access may be provided only to qualified applicants for research projects that offer significant opportunities to achieve program goals and meet all of the following criteria:
(A) Project approval has been recommended by the data release committee.
(B) The project has been approved by the Committee for the Protection of Human Subjects pursuant to subdivision (t) of Section 1798.24 of the Civil Code. Pursuant to that section, the office may release data to established nonprofit research institutions, the University of California, and other nonprofit educational institutions.
(C) The requester has documented expertise with privacy protection and with the analysis of large sets of confidential data.
(D) The research shall be made available to the office.
(c) The office’s policies shall limit release or transmittal of personal information outside the secure environment.
(1) The office may develop standardized limited datasets that do not include any of the direct personal identifiers listed in Section 164.514(e) of Title 45 of the Code of Federal Regulations, and have the minimum necessary personal information for types of purposes specified by the office. Standardized datasets may be transmitted to qualified applicants if the requester has documented expertise with privacy protection and with the analysis of large sets of confidential data, data security will meet the standards that the office shall apply to personal data, and project approval has been recommended by the data release committee.
(2) Data described in paragraph (2) of subdivision (b) may be transmitted to an outside researcher only if the researcher meets all the criteria of that paragraph, the researcher has documented expertise with data security and the protection of large sets of confidential data, and data security will meet the standards that the office shall apply to personal data.
(d) Program data, including personal information, may be shared with other state agencies pursuant to subdivision (e) of Section 1798.24 of the Civil Code. For purposes of that section, personal information has been collected for the purposes specified in Section 127671, which include analyzing and improving state programs related to public health and the provision of health care or health care coverage.
(Added by Stats. 2020, Ch. 12, Sec. 30. (AB 80) Effective June 29, 2020.)