Notice Number: NOT-OD-14-073
Release Date: March 28, 2014
NOT-OD-22-044 - Maintaining Security and Confidentiality in NIH Peer Review: Rules, Responsibilities and Possible Consequences
NOT-OD-18-115
National Institutes of Health (NIH)
NIH takes seriously our responsibility to maintain confidentiality throughout the peer review process. This announcement serves to remind NIH peer review members and NIH Advisory Council members of their responsibility concerning, and rules that apply to, confidentiality in the NIH peer review process. Confidentiality applies to all individuals participating in peer review, including Federal and non-Federal peer reviewers, Special Government Employees, non-Federal ad hoc attendees, Federal officials who attend review meetings as observers, and individuals who are invited to attend closed sessions of advisory committee meetings. The NIH recognizes that peer reviewers and Council level members are valuable resources to explain the process of peer review to colleagues and individuals in training, and encourages them to do so, within the parameters of this Notice.
NIH grants policy directs grant applicants to identify in grant applications information that the applicant considers to be trade secrets, information that is commercial or financial, or information that is privileged or confidential. The second paragraph of Section 184.108.40.206 of the NIH Grants Policy Statement is hereby amended to state the following (changes are highlighted):
When such information is included in the application, it is furnished to the Federal government in confidence, with the understanding that the information will be used or disclosed only for evaluation of the application. The information contained in an application will be protected by NIH from unauthorized disclosure, consistent with the need for peer review of the application; the agreement by peer reviewers and Advisory Council members to the NIH confidentiality and nondisclosure rules; and the requirements of the Freedom of Information Act (5 U.S.C. 552) and Privacy Act (5 U.S.C. 552a, discussed below).
As described in this notice, the NIH has multiple safeguards to protect such information, including measures to ensure confidentiality in peer review.
Before participating in the initial phase of NIH peer review for grant applications or the technical evaluation of R&D contract proposals, every member must read the NIH Confidentiality and Non-disclosure Rules and Information for Reviewers and must certify a Confidentiality Agreement before gaining access to information about the applications, proposals, or meetings. At the meeting, each Designated Federal Official instructs the committee members on the importance of maintaining confidentiality, and at the conclusion of the SRG meeting, each peer reviewer must again certify that he or she fully understands the confidential nature of the review process. Members of NIH Advisory Councils must submit Confidential Financial Disclosure statements and certify a similar Confidentiality Agreement.
Confidentiality in NIH peer review prohibits a member (peer reviewer or Council level) from, among other actions:
An applicant or offeror may not contact a reviewer or Council member who is serving on an advisory committee that is evaluating an application or proposal in which he, his employer, close relative, or professional associate plays a major role, to discuss the review or materials related to it. Peer reviewers and Council members are instructed to direct all such inquiries to the attention of, and notify directly, the Designated Federal Official in charge of the committee.
2. Data Security for Grant Applications
The NIH has multiple safeguards to protect information in NIH grant applications and review meeting information, such as conflicts of interest and assignments to particular applications, from unauthorized disclosure. Nearly all initial peer review meetings for grant applications use the Internet Assisted Review (IAR) system for communicating application and meeting materials to peer reviewers. The IAR system operates with a secure internet connection that requires both password protection for peer reviewer access and authorization by the SRO. (Note that by June 2014 all applications submitted to the NIH will be converted to electronic format.)
Communications and materials required for Council meetings are managed in the Electronic Council Book (ECB), another secure, online information system. The ECB is used by Advisory Council members to create queries, view basic application data and Summary Statements and, when appropriate, vote on applications as part of an Early Concurrence process. The ECB operates with a secure internet connection that requires both password protection and authorization by NIH staff to access meeting materials.
Peer reviewers and Council members receive specific instructions for protecting such materials in electronic and paper formats (see Protecting the Security of NIH Grant Applications), and NIH staff are instructed to report any loss of sensitive or confidential information to the NIH Chief Information Officer within an hour of such an incident.
3. Meeting Attendance
Meetings held to conduct peer review of grant applications and contract proposals are closed under 5 U.S.C. § 552b(c), exemptions (4) and (6), The Government in the Sunshine Act. At NIH, peer review meetings are closed under these exemptions to ensure the confidentiality of trade secrets, commercial or financial information, and personal information about individuals submitting grant applications or contract proposals. NIH policy restricts access to closed sessions of NIH advisory committee meetings (including NIH peer review and Advisory Council meetings) to committee members, Federal officials involved in the operation of the committee, and Federal officials with a need to know. In some cases, individuals who are not committee members or Federal officials are invited to attend closed sessions of advisory committee meetings. Generally these additional attendees provide support functions for the Designated Federal Official. Remote access to committee meetings through teleconference, videoconference, or other means is managed with secure connections and password control, and the NIH expects that the remote committee member will maintain confidentiality at his or her site.
However, meetings of peer review groups reviewing R&D contract project concepts are open to the public in accordance with the provisions of the Federal Advisory Committee Act, as amended (5 U.S.C. appendix 2) and the Government in the Sunshine Act, as amended (5 U.S.C. 552b).
4. Procurement Integrity (Procurement Integrity Act - 41 USC 423) and Data Security for Contracts
For most NIH Institutes and Centers, R&D contract proposals are received in paper, rather than electronic, format. Submission of contract proposals is governed by specific instructions in the solicitation and access to proposals is controlled by the Contracting Officer and the Scientific Review Officer. The Scientific Review Officer sends the proposals to the peer reviewers once reviewers have certified their Confidentiality agreements. Each copy is labelled, tracked, collected after review, and (except for administrative copies) shredded after the secondary (Contracting Officer Representative's and Contracting Officer's) review. In addition, access to contract proposals, and information about offerors, meeting information, and evaluations is restricted to only NIH staff with a need to know.
Data contained in the portions of a proposal which the offeror has specifically identified by page number, paragraph, etc. as containing restricted information shall not be used or disclosed except for evaluation purposes, unless disclosure is required by the Freedom of Information Act, as determined by Freedom of Information (FOI) officials.
Scientific Review Groups reviewing contract proposals perform their work in closed meetings in order to preserve the confidentiality of evaluation and source selection material.
5. Special Government Employees/Federal Employees
Members of NIH Advisory Councils are appointed as Special Government Employees (SGEs), and therefore are subject to the Standards of Ethical Conduct for Employees of the Executive Branch. The Standards of Ethical Conduct state that an employee has a duty to protect and conserve Government property and to not use such property, or allow its use, for other than authorized purposes. Government property in this context includes Government records, which include grant applications, R&D contract proposals, and related documents. 5 C.F.R. 2635.704. Employees are also prohibited from using nonpublic information, or allowing the improper use of nonpublic information, to further their own private interests or that of another, whether through advice or recommendation, or by knowing unauthorized disclosure. Non-public information includes confidential information gained in peer review. 5 C.F.R. 2635.703. Federal employees who serve as peer reviewers also are subject to the Standards of Ethical Conduct. Upon entry to duty, these individuals receive ethics training, as well as annual ethics training from the NIH Ethics Office or from their agency officials.
When certifying the Confidentiality Agreements, each peer reviewer agrees, under penalty of perjury, 18 U.S.C. § 1001, to maintain confidentiality in peer review. 18 U.S.C. § 1001 states:
"Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully—
(1) falsifies, conceals, or covers up by any trick, scheme, or device a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry;
shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both."
Other laws may apply to breaches of confidentiality. For information on additional, applicable laws and regulations, as well as possible consequences for violations, see Confidentiality in NIH Peer Review.
If the NIH determines that a situation involves a bona fide breach of confidentiality in the peer review process, the NIH may take remedial steps including, but not limited to:
Confidentiality — preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Contract Proposal - a written offer to enter into a contract that is submitted to the appropriate agency official by an individual or nonfederal organization which includes, at a minimum, a description of the nature, purpose, duration and cost of the project, and the methods, personnel, and facilities to be utilized in carrying it out. A contract proposal may be unsolicited by the federal government or submitted in response to a Request for Proposals (RFP).
Designated Federal Official - the full-time, permanent NIH staff member who has legal responsibility under the Federal Advisory Committee Act (FACA) for managing the peer review meeting in a manner consistent with the applicable statute, regulations, and policies.
Need to Know — the necessity for access to or knowledge of or possession of specific information required to carry out official duties.
Privacy Act System of Records Notice 09-025-0036 - notifies the subject individual of how the agency will protect extramural award records, including grant applications.
Procurement Integrity Act (see 41 U.S.C. 423 and FAR 3.104-4) - specifies that contractor proposal information and source selection information must be protected from unauthorized disclosure in accordance with FAR 3.104 and 15.207, applicable law, and agency regulations for handling R&D contract proposals.
Sensitive Information (see Guide for Identifying and Handling Sensitive Information at the NIH) - information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe, or catastrophic adverse effect on organizational operations, organizational assets, or individuals. Further, the loss of sensitive information confidentiality, integrity, or availability might:
Please direct all inquiries to:
Sally A. Amero, Ph.D.
NIH Review Policy Officer