SOM NIH Data Management and Sharing Policy: Ethics & Human Data

The NIH does not expect researchers to share all data under this new policy, and acknowledges that ethical, legal or technical factors may limit sharing of data. Researchers must outline their limitations and justification in the Data Management and Sharing Plan.

Potential examples of justifiable limitations (from the NIH FAQ):

• informed consent will not permit or will limit the scope or extent of sharing and future research use
• existing consent (e.g., for previously collected biospecimens) prohibits sharing or limits the scope or extent of sharing and future research use
• privacy or safety of research participants would be compromised or place them at greater risk of re-identification or suffering harm, and protective measures such as de-identification and Certificates of Confidentiality would be insufficient
• explicit federal, state, local, or Tribal law, regulation, or policy prohibits disclosure
• restrictions imposed by existing or anticipated agreements (e.g., with third party funders, with partners, with repositories, with Health Insurance Portability and Accountability Act (HIPAA) covered entities that provide Protected Health Information under a data use agreement, through licensing limitations attached to materials needed to conduct the research)
• datasets cannot practically be digitized with reasonable efforts

Potential examples of unjustifiable limitations:

• data are considered to be too small
• data that researchers anticipate will not be widely used
• data are not thought to have a suitable repository

Researchers must have a clear consent process that informs participants about potential future sharing (and re-use) of their data. If researchers intend to begin data sharing under this policy, they should review their informed consent process to make sure they provide:

• Clarity regarding future sharing of data
• Clarity regarding limitations on future use of data
• Understanding of how data will be managed

When a dataset is too sensitive to share in its entirety, it is necessary to consider: "how can a version that is safe to share be created?". The process of doing so involves de-identification or anonymisation to remove all data that can be used to identify individual participants in a research project, thereby protecting their privacy. This may require hiring a professional statistician, which can be written into a grant.

Controlled access refers to a data sharing model that requires a request for access to all or part of the dataset(s). Some data, e.g. about human participants, remains sensitive even after other measures (de-identification, etc.) have been taken, either because it cannot be sufficiently anonymized or because doing so would make the data less useful. In those cases, planning for controlled access may be necessary.

Controlled access repositories have different models for granting access, including Data Access Request (DAR), Data Use Agreement (DUA), Data Access Condition (DAC), or Data Use Limitation (DUL).

Adapted from NIH DMSP Guidance Working Group Glossary

Examples of Controlled access repositories: