Notice Number: NOT-OD-15-086

Key Dates
Release Date: March 27, 2015

Issued by
National Institutes of Health (NIH)

Purpose

Summary

The purpose of this Notice is to inform the research community that the National Institutes of Health (NIH) is now allowing investigators to request permission to transfer controlled-access genomic and associated phenotypic data obtained from NIH-designated data repositories1 that are under the auspices of the NIH Genomic Data Sharing (GDS) Policy to public or private cloud systems for data storage and analysis. This change is being made in light of the advances made in security protocols for cloud computing2 in the past several years and given the expansion in the volume and complexity of genomic data generated by the research community.

Provisions for the Use of Cloud Computing Services for Storage and Analysis of Controlled-Access Data Subject to the NIH GDS Policy

NIH expects cloud computing systems to meet the data use and security standards outlined in NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy as well as the institution’s own IT security requirements and policies.

Investigators who wish to use cloud computing for storage and analysis will need to indicate in their Data Access Request (DAR) that they are requesting permission to use cloud computing and identify the cloud service provider or providers that will be employed. They also will need to describe how the cloud computing service will be used to carry out their proposed research.

As with data stored in institutional systems, the institution’s signing official, Program Director/Principal Investigator, IT Director, and any other personnel approved by NIH to access the data are responsible for ensuring the protection of the data. The institution, not the cloud service provider, assumes responsibility for any failure in the oversight of using cloud computing services for controlled-access data.

The NIH Security Best Practices for Controlled Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy, which have been updated to include best practices for cloud computing, are available at http://www.ncbi.nlm.nih.gov/projects/gap/pdf/dbgap_2b_security_procedures.pdf. The Model Data Use Certification has also been updated and is available at http://gds.nih.gov/pdf/Model_DUC.pdf . More information on NIH Genomic Data Sharing may be found at http://gds.nih.gov

References

1. Current NIH-designated genomic data repositories are the National Center for Biotechnology Information’s (NCBI’s) database of Genotypes and Phenotypes (dbGaP) and the Sequence Read Archive, and repositories that have been established by NIH as trusted partnerships for the storage of NIH controlled-access data.
2. The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." It defines a cloud service provider as an organization that offers some component of cloud computing to other businesses or individuals, typically Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service (PaaS). See: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Inquiries

Please direct all inquiries to:

Genomic Data Sharing Policy Team
Office of Science Policy
Telephone: 301-496-9838
Email: GDS@nih.gov