Update to Standard Language for Developer Terms of Access in the Terms and Conditions of Award
Notice Number:
NOT-OD-26-078

Key Dates

Release Date:
April 24, 2026

Related Announcements

September 24, 2025 – Required Security and Operational Standards for NIH Controlled-Access Data Repositories. See notice NOT-OD-25-159.

December 02, 2024 – Standard Language for Developer Terms of Access in the Terms and Conditions of Award. See notice NOT-OD-25-021.

July 25, 2024 – Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy. See notice NOT-OD-24-157.

August 27, 2014 – NIH Genomic Data Sharing Policy. See notice NOT-OD-14-124.

Issued by

NATIONAL INSTITUTES OF HEALTH (NIH)

Purpose

The “Required Security and Operational Standards for NIH Controlled-Access Data Repositories” (NOT-OD-25-159) applies “Minimum Standard Operating Procedures for Developer Oversight” (NOT-OD-24-157) to NIH CADRs independent of the applicability of the NIH Genomic Data Sharing (GDS) Policy.

The purpose of this Guide Notice is to update previously published Developer Terms of Access (NOT-OD-25-021) so that the terms apply to NIH Controlled-Access Data Repositories whose controlled studies may or may not be subject to the NIH GDS Policy. 

Expectations for Developer Use Statement and Overview of NIH Developer Data Access Committee

The Lead Developer(s) (e.g., the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application), those that they directly supervise, and the funding NIH Institute, Center, or Office (ICO) agree that to gain access to data in the NIH Controlled-Access Data Repository (CADR) named in the Developer Use Statement (DUS), the Lead Developer will submit a request containing a DUS to the NIH Developer Data Access Committee (NIH Developer DAC) for review. Expectations for the DUS can be found in NIH Guide Notice NOT-OD-24-157.

If a project has multiple Lead Developers (e.g., for multicomponent awards), each Lead Developer must submit a DUS. All Lead Developers must be associated with an institution that is receiving or applying for federal support for the developer work with a funding mechanism that has incorporated the developer terms of access.

The Lead Developer’s institution further certifies that the DUS’s description of the proposed developer activities is truthful and accurate.

Once the NIH Developer DAC has approved, NIH CADRs may provide access. Access is granted for two years. At the end of the approval period, the Lead Developer is expected to submit a progress report through either a Close-out or Renewal request.

To continue access, a Renewal request should be submitted to the NIH Developer DAC that contains at least the following:

  • Brief description of how access contributed to developer work.
  • Affirmation that the Lead Developer, and those they directly supervise, adhered to the developer terms of access and any NIH program or ICO-specific requirements for NIH controlled access.
  • Report any data misuse (e.g., violation of the terms of access and any NIH program or ICO-specific requirements for NIH controlled access), breach, or security incident.
  • Describe why additional access is needed.

Once the NIH Developer DAC has reviewed and approved, the NIH CADR can provide access for an additional two years. 

When access is no longer needed, a Close-out should be submitted to the NIH Developer DAC that contains at least the following:

  • Brief description of how access contributed to developer work.
  • Affirmation that the Lead Developer, and those they directly supervise, adhered to the developer terms of access and any NIH program or ICO-specific requirements for NIH controlled access.
  • Report any data misuse (e.g., violation of the terms of access and any additional NIH program or ICO-specific requirements for NIH controlled-access), breach, or security incident.

Terms of Access

The Lead Developer’s institution must certify that the Lead Developer is in good standing (i.e., no known sanctions) with the institution, relevant funding agencies, and applicable regulatory agencies and is eligible to conduct developer work (i.e., is not a postdoctoral fellow, student, or trainee).

The Lead Developer’s institution agrees that if access is approved, the Lead Developer, and those they directly supervise, shall become Approved Developers. An Approved Developer is a Lead Developer who has submitted a DUS to the NIH Developer DAC for review and is approved to access data for the purposes described in the approved DUS and agrees to adhere to terms of access described in the Terms and Conditions of Award. Those directly under the supervision of the Lead Developer who are conducting the work described in the approved DUS are also Approved Developers and must abide by the terms laid out in the terms of access. If the Approved Developers plan to conduct research (e.g., methods research), they must submit a Data Access Request (DAR) for research to the appropriate NIH DAC for review and approval.

New uses of these data outside those described in the approved DUS will require revisions to the DUS and resubmission to the NIH Developer DAC for review.

If a Lead Developer is managing an NIH CADR (e.g., performing activities such as NIH CADR maintenance and infrastructure development), the Lead Developer’s institution agrees that the Lead Developer has reviewed and understands the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Controlled-Access Data Repositories.

If a Lead Developer is not managing an NIH CADR (e.g., not performing activities such as NIH CADR maintenance or infrastructure development), the Lead Developer’s institution agrees that the Lead Developer has reviewed and understands the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Users of Controlled-Access Data.

The Lead Developer’s institution and the Lead Developer further acknowledge that they are responsible for ensuring that all uses of the data are consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations, as well as relevant institutional policies.

The Lead Developer’s institution and Approved Developers agree that in using the data, they are not aware of significant potential for the developer activities to cause harm to participants; participants’ families, groups and populations; or the national security of the United States. The Lead Developer’s institution and Approved Developers agree that they will notify NIH within 24 hours if they become aware of significant potential for the developer activities to cause harm to participants; participants’ families, groups and populations; or the national security of the United States.

Public Posting of Approved Developer Use

Information about developer activities may be publicly posted. The information may include the name of the Lead Developer’s institution, intended developer activities, in both a scientific and lay format, and de-identified information about inadvertent data releases, breaches of data security, or other violations.

Non-Identification

The Lead Developer’s institution and Approved Developers agree to make no attempt to identify or contact individual participants or groups from whom data were collected or generate information that could allow participants’ identities to be re-identified.

Certificate of Confidentiality

Certificates of Confidentiality (Certificate) protect the privacy of research participants by prohibiting disclosure of protected information to anyone not connected with the approved use except in specific situations. The data that are stored in and shared through the NIH CADR accessed under this agreement may be protected by a Certificate. Therefore, the Lead Developer’s institution and the Approved Developers, whether or not funded by the NIH, who are approved to access a copy of information protected by a Certificate, are also subject to the requirements of the Certificate of Confidentiality and subsection 301(d) of the Public Health Service Act.

Under Section 301(d) of the Public Health Service Act and the NIH Policy for Issuing Certificates of Confidentiality, recipients of a Certificate of Confidentiality shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.
  • Disclosure is permitted only when:
    1. Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding.
    2. Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual.
    3. Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
    4. Made for the purposes of other scientific research that is following applicable Federal regulations governing the protection of human subjects in research.

For more information see: Certificates of Confidentiality (CoC) | Grants & Funding. The Lead Developer can contact the NIH CADR to confirm whether the data is protected by a Certificate of Confidentiality.

Non-Transferability

The Lead Developer’s institution and Approved Developers agree not to distribute controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) to any entity or individual not identified in the approved DUS without appropriate approvals from the NIH. The Requester and Approved Developers agree that controlled-access datasets, and any data derivatives of controlled-access datasets, accessed through the DUS, in whole or in part, may not be sold to any individual at any point in time for any purpose.

Data Security Training

The Approved Developers agree to have reviewed role-based training on the NIH Security Awareness Course (https://irtsectraining.nih.gov/publicUser.aspx).

Data Security and Unauthorized Data Release

If a Lead Developer is managing an NIH CADR, the Lead Developer’s institution and Approved Developers acknowledge that they have reviewed and agree to manage the requested controlled-access data and any data derivatives of controlled-access data in accordance with the NIH Security Best Practices for Controlled-Access Data Repositories.

If the Lead Developer is not managing an NIH CADR, the Lead Developer’s institution and Approved Developers acknowledge that they have reviewed and agree to manage the requested controlled-access data and any data derivatives of controlled-access datasets in accordance with the NIH Security Best Practices for Users of Controlled-Access Data.

The Lead Developer’s institution or the Lead Developer agree to notify the NIH Incident Response Team, the NIH Developer DAC, and the NIH Data Management Incident Notification inbox of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. For the NIH Incident Response Team, notifications can be made by phone (301) 496-HELP (4357); Toll Free Number: (866) 319-4357 or TTY: (301) 496-8294 and can also be sent by email to [email protected] or via the Report an Incident Link: https://irtportal.ocio.nih.gov/. For the NIH Developer DAC, email [email protected]. For the NIH Data Management Incident Notification inbox, email [email protected].

As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the NIH Developer DAC notification, the Lead Developer’s institution and the Lead Developer agree to submit to the NIH Developer DAC and the NIH Data Management Incident Notification inbox a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Lead Developer’s institution and Lead Developer agree to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.

NIH, or another entity designated by NIH, may, as permitted by law, also investigate any data security incident or policy violation. The Lead Developer’s institution and Lead Developer agree to support such investigations and provide information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer’s institution and Lead Developer agree to work with the NIH to ensure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.

Terms of Access Violation

The Lead Developer’s institution and Approved Developers acknowledge that the NIH may immediately revoke or suspend access to all controlled-access data at any time if the Lead Developer’s institution or Approved Developers are found to no longer be in compliance with these terms, any additional program or NIH ICO-specific requirements for NIH controlled access, or with other policies and procedures of the NIH. In addition, NIH may apply for injunctive or other equitable relief before courts of competent jurisdiction as remedy for breach of the terms, in addition to all other remedies available at law or in equity.

The Lead Developer’s institution and Lead Developer agree to notify the NIH Developer DAC and the NIH Data Management Incident Notification inbox of any actual or suspected violations of the terms or any additional program or NIH ICO-specific requirements for NIH CADRs, within 24 hours of when the incident is identified. For the NIH Developer DAC, email DAC [email protected]. For the NIH Data Management Incident Notification inbox, notifications can be sent to [email protected]. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully.

Within 3 business days of the notification(s), the Lead Developer’s institution and the Lead Developer agree to submit to the NIH Developer DAC and the NIH Data Management Incident Notification inbox a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent future incidents, including specific information on timelines anticipated for action. The Lead Developer’s institution and Lead Developer agree to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.

NIH, or another entity designated by NIH, may, as permitted by law, also investigate any terms of access violation. The Lead Developer’s institution and Lead Developer agree to support such investigations and provide information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer’s institution and Lead Developer agree to work with the NIH to ensure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable laws and policies. The Lead Developer’s institution and Lead Developer also acknowledge that NIH may revoke access for any reason without cause.

Developer Use Reporting

The Lead Developer who is seeking Project Renewal or Project Close-out agrees to complete the appropriate forms and provide an update, as well as report any violations of the terms of access described in this Agreement and the implemented remediation. 

Non-Endorsement, Indemnification

The Lead Developer’s institution and Approved Developers acknowledge that although all reasonable efforts have been taken to ensure the accuracy and reliability of controlled-access data, NIH and all contributors to these data disclaim all warranties as to performance or fitness of the data for any particular purpose. No indemnification for any loss, claim, damage, or liability is intended or provided by any party under this agreement. Each party shall be liable for any loss, claim, damage, or liability that said party incurs as a result of its activities under this agreement, except that NIH, as an agency of the United States, may be liable only to the extent provided under the Federal Tort Claims Act, 28 USC 2671 et seq.

Lower Tier Agreements

If the Lead Developer seeks to work with a partner not directly funded by the federal government that will need access to NIH controlled-access data (and is not a third-party IT system or Cloud Service Provider), NIH will only provide the developer partner access to controlled-access data if:

  • Both the Lead Developer and developer partner enter into a contract containing the terms of developer access in the Terms and Conditions of the Award.
  • The Lead Developer identifies the developer partner institution and developer partner program manager in their DUS and submits it to the NIH Developer DAC and is approved. For ongoing developer work, the Lead Developer can revise and resubmit the DUS.
  • The developer partner submits a DUS to the NIH Developer DAC for review that contains information about the developer partner program manager and IT Director and, if approved, the developer partner and their Institutional Signing Official co-sign the Developer Data Use Agreement and any additional NIH program or ICO-specific requirements. 

Termination and Data Destruction

Upon close-out, the Lead Developer’s institution and Approved Developers agree to destroy all copies, versions, and data derivatives of the data retrieved from NIH CADRs, regardless of the storage medium or format, in accordance with the NIH Security Best Practices for Controlled-Access Data Repositories if the Lead Developer is managing an NIH CADR, or the NIH Security Best Practices for Users of Controlled-Access Data if the Lead Developer is not managing an NIH CADR.

Inquiries

Please direct all inquiries to:

Office of Science Policy
Email: [email protected]  
Telephone: 301-496-9838