The Food and Drug Administration (FDA) has published guidance on certificates of confidentiality. The document is intended to provide additional clarifications to study sponsors, investigators, researchers, and other industry representatives. All interested parties may submit their comments and suggestions. Due to its legal nature, the present guidance only provides the recommendations to be considered, while an alternative approach could still be applied, providing that such an approach is compliant with the applicable rules and regulations. 

Regulatory Background 

The present FDA guidance describes the procedures and other important aspects associated with the Certificates of Confidentiality (CoC) to be issued by the FDA upon request. The appropriate concept was introduced by The 21st Century Cures Act (Cures Act) which amended the Public Health Service Act (PHS Act). 

A Certificate of Confidentiality is initially intended to improve the privacy protection for participants of studies and researches. Privacy protection becomes especially important due to the sensitivity of the identifiable information about the participants collected in the course of the study. The main purpose of a CoC is to prevent disclosure of the aforementioned personal information, providing that such information could be disclosed only in certain specific cases. 

According to the Cures Act, the following rules should be applied:

  • In the case of federally-funded human subject research, the issuance of a CoC is mandatory, 
  • In the case of non-federally funded research, the issuance of a certificate is not mandatory, however, it still could be issued if the Agency finds it necessary. 

This particular FDA guidance is dedicated to the second option and describes in detail the situations when the interested party applies for a discretionary Certificate of Confidentiality. Thus, a discretionary CoC could be issued by the FDA only upon request of the interested party (study sponsor or researcher). Each such request would be treated by the Agency on a case-by-case basis. 

It is also important to mention that irrespectively of the certain differences in the issuance procedures, the scope of protection provided by both types of certificates is the same. 

Under the general rule, a certificate of confidentiality is intended to protect a researcher from being compelled to disclose identifiable, sensitive information about the research participant, created or compiled for purposes of the research, in any Federal, State, or local civil, criminal, administrative, legislative, or any other proceeding. Thus, a CoC could be used to confirm that any sensitive and identifiable participant-related personal information could not be disclosed, except the cases when such disclosure is explicitly prescribed by the applicable legislation. 

For this purpose, the FDA implements the steps necessary to simplify the process of requesting for the issuance of a CoC, and also to reduce the scope of information to be provided by the applicant entity, and the time required for the authority to assess the request and issue a CoC. 

Certificate of Confidentiality in Detail

According to the guidance, the entities applying for the issuance of a Certificate of Conformity should be the sponsors or sponsor-investigators, since they are the entities responsible for the data protection in the context of identifiable and sensitive personal information related to the human subject research participants. The Agency also places an emphasis on the following eligibility criterion to be considered: the product in question should be subject to the FDA`s jurisdiction and regulatory authority. 

One of the most important concepts used in the context of the certificates of confidentiality is the term “identifiable, sensitive information”. According to the applicable legislation, it covers the information about a person collected or applied in the context of a study, providing that:

  • this information could be used to identify a particular individual, or
  • there is a risk that a combination of the information could be used to identify the particular individual. 

The study sponsor shall carry out the internal assessment in order to determine whether the information to be collected or processed in the course of a study meets the criteria listed hereinabove. In the course of such an assessment, the sponsor shall take into consideration such aspects as the type of information, the way it would be used, and also the information security measures implemented to protect privacy. The Agency emphasizes that novel technologies make it possible to identify the particular person participating in the study just by combining several pieces of de-identified data.

The FDA guidance on certificates of confidentiality also describes the obligations of the study sponsor after obtaining a CoC. In particular, the applicable legislation sets forth the following obligations of a sponsor:

  • Do not disclose protected information to any person that is not directly involved in the study, except the cases when such disclosures are permitted under the law (e.g. required by the specially authorized bodies, necessary for providing treatment to the study participant, committed with the consent of the participant, or takes place under the scientific research exclusion,
  • Do not disclose the name of a study participant or any protected information in the course of any proceeding, 
  • Do not use any documents containing protected information in any legal proceedings.

Any document and materials containing identifiable, sensitive information are protected under the CoC concept. Moreover, not only the applicant entity (the study sponsor) but also all the parties engaged in the study, with whom the protected information has been shared for the purposes associated with the study, shall be also bound by the disclosure requirements described here. 

Request for Discretionary CoC 

According to the FDA guidance, before filing the appropriate request to the Agency, the study sponsor shall consider the following points: 

  • Does the human subject research in question requires identifiable, sensitive information to be collected?
  • Does the entity applying for the issuance of a CoC is the person responsible for the data collected and processed?
  • Is the research in question subject to the FDA`s jurisdiction?
  • Are the measures implemented by the applicant sufficient to ensure the protection of identifiable, sensitive information? 

The Agency states that the applicant shall submit its request in case if all the points above are met. The request itself should be submitted in the form of a letter to the appropriate Center via email.

When applying for the issuance of a certificate of confidentiality, the applicant shall provide the following information: 

  • Name, address, and email address of the sponsor or sponsor-investigator, or its authorized representative,
  • FDA Application Number,
  • Numerical Identifier for 
  • Research Title.

In case if the exemption from submission of an investigational application could be applied, the applicant shall provide the same information except for the FDA Application Number. 

The application should be signed by the sponsor,  sponsor-investigator, or its authorized representative. 

Summarizing the information provided here above, the FDA guidance on certificates of confidentiality describes the intended purpose of a CoC, outlines the eligibility criteria for the applicants, and also provides additional recommendations regarding the way the appropriate request should be submitted to the FDA. Besides this, the guidance also highlights the obligations of the study sponsor after obtaining a CoC.

How Can RegDesk Help?

RegDesk is a next-generation web-based software for medical device and IVD companies. Our cutting-edge platform uses machine learning to provide regulatory intelligence, application preparation, submission, and approvals management globally. Our clients also have access to our network of over 4000 compliance experts worldwide to obtain verification on critical questions. Applications that normally take 6 months to prepare can now be prepared within 6 days using RegDesk Dash(TM). Global expansion has never been this simple.