May 12, 2022
NOT-OD-22-104– Notice of Extension of the Public Comment Period for NOT-OD-22-064 DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Responsible Management and Sharing of American Indian/ Alaska Native Participant Data
NOT-OD-21-013– Final NIH Policy for Data Management and Sharing
NOT-OD-21-014– Supplemental Information to the NIH Policy for Data Management and Sharing: Elements of an NIH Data Management and Sharing Plan
NOT-OD-21-015– Supplemental Information to the NIH Policy for Data Management and Sharing: Allowable Costs for Data Management and Sharing
NOT-OD-21-016– Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research
Office of The Director, National Institutes of Health (OD)
NIH is seeking public comments on draft supplemental information to the NIH Policy for Data Management and Sharing to address privacy considerations. This information is not intended to provide a guide for compliance with regulatory requirements, but is rather a set of principles, best practices, and points to consider for creating a robust framework for protecting the privacy of research participants when sharing data under the NIH Policy for Data Management and Sharing. After considering public comments on this draft supplemental information, NIH intends to issues revised supplemental information in 2022.
Effective data stewardship and protection of human research participant (hereinafter “participant”) privacy are achieved in tandem through responsible scientific data sharing practices. Accordingly, NIH has developed supplemental information to the NIH Policy for Data Management and Sharing (DMS Policy) to assist stakeholders in achieving this goal by establishing 1) operational principles for protecting participants’ privacy when sharing scientific data, 2) best practices for implementing these principles, and 3) points to consider for designating scientific data for controlled access. This supplemental information was developed in response to and informed by comments on the draft DMS Policy requesting further clarity and direction for researchers and their institutions about NIH’s principles and preferred practices regarding privacy.
DRAFT Operational Principles for Protecting Participant Privacy When Sharing Scientific Data
Respect for and protection of participant privacy is the foundation of the biomedical and behavioral research enterprise. In developing a Data Management and Sharing Plan for NIH-funded or supported research, it is paramount that researchers uphold the following principles in their Plans and throughout the research project.,
DRAFT Best Practices for Protecting Participant Privacy When Sharing Scientific Data
NIH acknowledges there are multiple, effective strategies for achieving privacy protection in the context of the DMS Policy. Building upon the operational principles described above, the following best practices, when implemented together, along with consideration of the Points to Consider for Designating Scientific Data for Controlled-Access (below), provide a robust privacy framework.
DRAFT Points to Consider for Designating Scientific Data for Controlled Access
The DMS Policy expects researchers to consider whether access to scientific data from participants should be controlled (i.e., measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data), even if de-identified and lacking explicit limitations on subsequent use.The points below are intended to assist researchers when considering whether controlled-access repositories may be needed to protect participant privacy. Note that controls may be needed for data at any level of processing (e.g., raw or fully cleaned data) and from any source (e.g., research, clinical, or public health data). In cases where participants explicitly consent to share scientific data without restrictions, it may be appropriate to share data without access controls. Investigators should consider sharing participants’ scientific data through controlled access repositories if data:
1. Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and/or agreements.
2. Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification.
3. Cannot be de-identified to established standards or cannot sufficiently reduce the possibility of re-identification. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.
4. Due to previously unanticipated approaches or technologies, pose risks to participant privacy if released without controls on access. When such risks are realized prior to sharing the scientific data and not outlined in original Data Management and Sharing Plans, necessary changes to Data Management and Sharing Plans should be immediately communicated to NIH.
NIH seeks public comments on any aspect of the Draft Operational Principles for Protecting Participant Privacy When Sharing Scientific Data, Draft Best Practices for Protecting Participant Privacy When Sharing Scientific Data, and Draft Points to Consider for Designating Scientific Data for Controlled Access. If you are commenting on a particular element or section (e.g., the Operational Principles), please identify the element or section on which you are commenting.
How to Submit a Response
Comments must be submitted at https://osp.od.nih.gov/rfc-draft-supplemental-information-to-the-nih-policy-for-dms/. Responses will be accepted through June 27, 2022.
Responses to this RFC are voluntary and may be submitted anonymously. You may also voluntarily include your name and contact information with your response. Other than your name and contact information, please do not include in the response any personally identifiable information or any information that you do not wish to make public. Proprietary, classified, confidential, or sensitive information should not be included in your response. After OSP has finished reviewing the responses, the unredacted responses may be posted to the OSP website.
 Compiled Public Comments on a DRAFT NIH Policy for Data Management and Sharing and Supplemental DRAFT Guidance. https://osp.od.nih.gov/wp-content/uploads/RFI_Final_Report_Feb2020.pdf
 These principles are not intended to address data security standards, though such standards may apply. Relevant standards and policies include the HHS Policy for Preparing for and Responding to a Breach of Personally Identifiable Information (PII) (https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/hhs-policy-preparing-and-responding-breach.html) and the National Institute of Standards and Technology’s (NIST) Special Publications on Computer Security (https://csrc.nist.gov/publications/sp800). Awardees are also expected to follow all other applicable federal, Tribal, state, and local laws, regulations, statutes, guidance, and institutional policies that govern research involving human participants and the sharing and use of scientific data derived from human participants.
 NIH’s proposed approach for applying the DMS Policy for responsible sharing of American Indiana/Alaska Native data can be found in the Request for Public Comments on DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Responsible Management and Sharing of American Indian/ Alaska Native Participant Data. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-22-064.html
 “Controlled access” and “access controls” refer to measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data.
 See Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing. https://osp.od.nih.gov/wp-content/uploads/Informed-Consent-Resource-for-Secondary-Research-with-Data-and-Biospecimens.pdf
 45 CFR 46.102(e)(5)
 45 CFR 164.514(b)(1)
 45 CFR 164.514(b)(2)
 Final NIH Policy for Data Management and Sharing. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-013.html
 As an example of a resource for community developed, standardized templates for data transfer and use agreements, see the Federal Demonstration Partnership. https://thefdp.org/default/committees/research-compliance/data-stewardship/. Note that not all templates and agreements may meet all principles outlined in this supplemental information, and that other templates and agreements may be developed in the future.
 Certificates of Confidentiality. https://grants.nih.gov/policy/humansubjects/coc.htm
 Certificates of Confidentiality. https://grants.nih.gov/policy/humansubjects/coc.htm
 See the Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-016.html
 Preferred repositories may be specified in Funding Opportunity Announcements or through NIH Institute and Center policy expectations.
 Other risk-mitigation measures that repositories can employ are listed in Section II of the Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-016.html. Awardees can also employ strategies found in NIST’s Privacy Framework (https://www.nist.gov/privacy-framework/resource-repository/browse/guidelines-and-tools) and tools for de-identification (https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/focus-areas/de-id).
NIH Office of Science Policy