May 12, 2022
NOT-OD-22-104– Notice of Extension of the Public Comment Period for NOT-OD-22-064 DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Responsible Management and Sharing of American Indian/ Alaska Native Participant Data
NOT-OD-21-013– Final NIH Policy for Data Management and Sharing
NOT-OD-21-014– Supplemental Information to the NIH Policy for Data Management and Sharing: Elements of an NIH Data Management and Sharing Plan
NOT-OD-21-015– Supplemental Information to the NIH Policy for Data Management and Sharing: Allowable Costs for Data Management and Sharing
NOT-OD-21-016– Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research
Office of The Director, National Institutes of Health (OD)
NIH is seeking public comments on draft supplemental information to the NIH Policy for Data Management and Sharing to address privacy considerations. This information is not intended to provide a guide for compliance with regulatory requirements, but is rather a set of principles, best practices, and points to consider for creating a robust framework for protecting the privacy of research participants when sharing data under the NIH Policy for Data Management and Sharing. After considering public comments on this draft supplemental information, NIH intends to issues revised supplemental information in 2022.
Background
Effective data stewardship and protection of human research participant (hereinafter “participant”) privacy are achieved in tandem through responsible scientific data sharing practices. Accordingly, NIH has developed supplemental information to the NIH Policy for Data Management and Sharing (DMS Policy) to assist stakeholders in achieving this goal by establishing 1) operational principles for protecting participants’ privacy when sharing scientific data, 2) best practices for implementing these principles, and 3) points to consider for designating scientific data for controlled access. This supplemental information was developed in response to and informed by comments on the draft DMS Policy requesting further clarity and direction for researchers and their institutions about NIH’s principles and preferred practices regarding privacy.[1]
DRAFT Operational Principles for Protecting Participant Privacy When Sharing Scientific Data
Respect for and protection of participant privacy is the foundation of the biomedical and behavioral research enterprise. In developing a Data Management and Sharing Plan for NIH-funded or supported research, it is paramount that researchers uphold the following principles in their Plans and throughout the research project.[2],[3]
- NIH and the institutions it funds are obligated and required to protect the privacy and confidentiality of every participant as described in informed consent and in line with all applicable laws, policies, and regulations.
- Researchers and institutions should proactively assess appropriate protections for sharing scientific data from participants, including determining whether sharing should be restricted through controlled access,[4] regardless of whether the data meet technical and/or legal definitions of “de-identified” and can legally be shared without additional protections (e.g., the research does not meet the definition of “human subjects research” under the Common Rule).
- Investigators and institutions should develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed (see Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing).[5] Importantly, when a study offers the possibility of a direct benefit for research participants, the DMS Policy does not require sharing of data in order to participate.
- Institutional review of the conditions for data sharing, including that proposed limitations on the future use of data are appropriate and that risks have been considered. Limitations should be conveyed with the data when they are transferred, such as when sharing through repositories to secondary users.
- Collection of data from non-traditional research settings, such as mobile health devices, social media, consumer reports, and public health surveillance also warrant strict privacy considerations.
- There may be justifiable exceptions to sharing scientific data, regardless of the sufficiency of access controls and de-identification techniques. In these rare instances, researchers should outline these justifications in their Data Management and Sharing Plans.[6]
- Responsible data sharing practices require a commitment from the entirety of the biomedical and behavioral research enterprise. Researchers and institutions should remain vigilant regarding potential misuse and work in concert with NIH to prevent unauthorized use of scientific data from NIH-supported platforms and repositories. In addition, NIH is committed to enforcing the terms of its data use agreements.
DRAFT Best Practices for Protecting Participant Privacy When Sharing Scientific Data
NIH acknowledges there are multiple, effective strategies for achieving privacy protection in the context of the DMS Policy. Building upon the operational principles described above, the following best practices, when implemented together, along with consideration of the Points to Consider for Designating Scientific Data for Controlled-Access (below), provide a robust privacy framework.
-
- Ensure Appropriate De-identification. NIH recommends scientific data to be de-identified to the greatest extent possible in a manner that maintains sufficient scientific utility. Researchers and institutions should consider the following strategies and their appropriateness given their particular research and scientific data:
- Relying on the standards for identifiability outlined in the Common Rule[7] (participant identity cannot “readily be ascertained”) and in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (i.e., Expert Determination[8] or Safe Harbor[9]), regardless of whether these rules apply to the sharing, disclosure, or subsequent use of data.
- As methods for re-identifying individuals continue to become increasingly sophisticated and available for use, employing advanced statistical or computational methods to de-identify data and maintain privacy whenever feasible and appropriate.
- In some cases, scientific utility may be lost if shared data are de-identified. It may consequently be justifiable in certain cases to share scientific data under the DMS Policy that meet a legal or regulatory standard for identifiability.[10] In those cases, data sharing may be subject to particular rules, and researchers should also consider whether other relevant protections should be employed.
- Ensure Appropriate De-identification. NIH recommends scientific data to be de-identified to the greatest extent possible in a manner that maintains sufficient scientific utility. Researchers and institutions should consider the following strategies and their appropriateness given their particular research and scientific data:
-
- Establish Scientific Data Sharing and Use Agreements. NIH recommends the use of scientific data sharing and/or use agreements, preferably standardized, when sharing data from participants with and from repositories. These agreements should be considered even if scientific data are de-identified[11] and should be negotiated among researchers, institutions, and repositories. Key elements that promote the privacy of research participants in such agreements include:
-
-
- Oversight. Agreements should clearly include certification from an institutional official that, at a minimum, scientific data have been appropriately de-identified (and to which standard), that an institutional oversight body has reviewed and considered the risks of data sharing, and that sharing is consistent with informed consent (as applicable).
- Responsibilities. Agreements should delineate responsibilities of all parties having access to the data and clearly inform parties on data use limitations as well as responsibilities regarding privacy and confidentiality, including those required by Certificates of Confidentiality,[12] as applicable.
- Restrictions. Agreements should explicitly outline sharing limitations and explicitly prohibit attempts to re-identify and/or recontact participants or their family members unless there is explicit agreement to do so. Such restrictions should travel with the data.
-
-
- Understand Legal Protections Against Disclosure and Misuse. Per the NIH Certificates of Confidentiality Policy, data subject to the Policy are deemed issued a Certificate of Confidentiality, including some data that have been de-identified (e.g., human genomic data).[13] Certificates of Confidentiality protect the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations. Protections afforded by Certificates apply to all copies of a dataset in perpetuity.
DRAFT Points to Consider for Designating Scientific Data for Controlled Access
The DMS Policy expects researchers to consider whether access to scientific data from participants should be controlled (i.e., measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data), even if de-identified and lacking explicit limitations on subsequent use.[14]The points below are intended to assist researchers when considering whether controlled-access repositories may be needed to protect participant privacy.[15] Note that controls may be needed for data at any level of processing (e.g., raw or fully cleaned data) and from any source (e.g., research, clinical, or public health data). In cases where participants explicitly consent to share scientific data without restrictions, it may be appropriate to share data without access controls. Investigators should consider sharing participants’ scientific data through controlled access repositories if data:
1. Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and/or agreements.
2. Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification.
3. Cannot be de-identified to established standards or cannot sufficiently reduce the possibility of re-identification. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.[16]
4. Due to previously unanticipated approaches or technologies, pose risks to participant privacy if released without controls on access. When such risks are realized prior to sharing the scientific data and not outlined in original Data Management and Sharing Plans, necessary changes to Data Management and Sharing Plans should be immediately communicated to NIH.
Information Requested
NIH seeks public comments on any aspect of the Draft Operational Principles for Protecting Participant Privacy When Sharing Scientific Data, Draft Best Practices for Protecting Participant Privacy When Sharing Scientific Data, and Draft Points to Consider for Designating Scientific Data for Controlled Access. If you are commenting on a particular element or section (e.g., the Operational Principles), please identify the element or section on which you are commenting.
How to Submit a Response
Comments must be submitted at https://osp.od.nih.gov/rfc-draft-supplemental-information-to-the-nih-policy-for-dms/. Responses will be accepted through June 27, 2022.
Responses to this RFC are voluntary and may be submitted anonymously. You may also voluntarily include your name and contact information with your response. Other than your name and contact information, please do not include in the response any personally identifiable information or any information that you do not wish to make public. Proprietary, classified, confidential, or sensitive information should not be included in your response. After OSP has finished reviewing the responses, the unredacted responses may be posted to the OSP website.
References
[1] Compiled Public Comments on a DRAFT NIH Policy for Data Management and Sharing and Supplemental DRAFT Guidance. https://osp.od.nih.gov/wp-content/uploads/RFI_Final_Report_Feb2020.pdf
[2] These principles are not intended to address data security standards, though such standards may apply. Relevant standards and policies include the HHS Policy for Preparing for and Responding to a Breach of Personally Identifiable Information (PII) (https://www.hhs.gov/web/governance/digital-strategy/it-policy-archive/hhs-policy-preparing-and-responding-breach.html) and the National Institute of Standards and Technology’s (NIST) Special Publications on Computer Security (https://csrc.nist.gov/publications/sp800). Awardees are also expected to follow all other applicable federal, Tribal, state, and local laws, regulations, statutes, guidance, and institutional policies that govern research involving human participants and the sharing and use of scientific data derived from human participants.
[3] NIH’s proposed approach for applying the DMS Policy for responsible sharing of American Indiana/Alaska Native data can be found in the Request for Public Comments on DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Responsible Management and Sharing of American Indian/ Alaska Native Participant Data. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-22-064.html
[4] “Controlled access” and “access controls” refer to measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data.
[5] See Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing. https://osp.od.nih.gov/wp-content/uploads/Informed-Consent-Resource-for-Secondary-Research-with-Data-and-Biospecimens.pdf
[6] See FAQ on justifiable reasons for limiting sharing of data under the DMS Policy: https://sharing.nih.gov/faqs#/data-sharing.htm.
[7] 45 CFR 46.102(e)(5)
[8] 45 CFR 164.514(b)(1)
[9] 45 CFR 164.514(b)(2)
[10] Final NIH Policy for Data Management and Sharing. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-013.html
[11] As an example of a resource for community developed, standardized templates for data transfer and use agreements, see the Federal Demonstration Partnership. https://thefdp.org/default/committees/research-compliance/data-stewardship/. Note that not all templates and agreements may meet all principles outlined in this supplemental information, and that other templates and agreements may be developed in the future.
[12] Certificates of Confidentiality. https://grants.nih.gov/policy/humansubjects/coc.htm
[13] Certificates of Confidentiality. https://grants.nih.gov/policy/humansubjects/coc.htm
[14] See the Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-016.html
[15] Preferred repositories may be specified in Funding Opportunity Announcements or through NIH Institute and Center policy expectations.
[16] Other risk-mitigation measures that repositories can employ are listed in Section II of the Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research. https://grants.nih.gov/grants/guide/notice-files/NOT-OD-21-016.html. Awardees can also employ strategies found in NIST’s Privacy Framework (https://www.nist.gov/privacy-framework/resource-repository/browse/guidelines-and-tools) and tools for de-identification (https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/focus-areas/de-id).
NIH Office of Science Policy
[email protected]
and Human Services (HHS)
