December 02, 2024
December 17, 2024 - Announcing Community Days Webinars on Updated NIH Security Best Practices for Users of Genomic Controlled-Access Data. See Notice NOT-OD-25-052.
August 27, 2014 - NIH Genomic Data Sharing Policy. See Notice NOT-OD-14-124
July 25, 2024 - Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy. See Notice NOT-OD-24-157
Office of The Director, National Institutes of Health (OD)
The Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157) establishes minimum standard operating procedures for developer oversight. These procedures include the expectation that the Lead Developer(s) (e.g., the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application), those that they directly supervise, and the Lead Developer's institution agree to developer terms of access described in the Terms and Conditions of Award and any additional NIH program or ICO-specific requirements. The purpose of this Guide Notice is to provide the terms of access for developers, which are provided below.
Expectations for Developer Use Statement and Overview of NIH Developer Data Access Committee
The Lead Developer(s) (e.g., the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application), those that they directly supervise, and the funding NIH Institute, Center, or Office (ICO) agree that to gain access to data in the NIH ICO controlled-access data repository named in the Developer Use Statement (DUS), the Lead Developer will submit a request containing a DUS to the NIH Developer Data Access Committee (NIH Developer DAC) for review. Expectations for the DUS can be found in NIH Guide Notice NOT-OD-24-157.
If a project has multiple Lead Developers (e.g., for multi-component awards), each Lead Developer must submit a DUS. All Lead Developers must be associated with an institution that is receiving or applying for NIH or other federal support for the developer work with a funding mechanism that has incorporated the developer terms of access.
Once the NIH Developer DAC has approved, repositories may provide access. Access may be granted for two years. At the end of the approval period, the Lead Developer is expected to submit a progress report through either a close-out or renewal request.
To continue access, a renewal request should be submitted to the NIH Developer DAC that contains at least the following:
Once the NIH Developer DAC has reviewed and approved, the repository can provide access for an additional two years.
When access is no longer needed, a close-out should be submitted to the NIH Developer DAC that contains at least the following:
Terms of Access (In Terms and Conditions of Award)
The Lead Developer's institution agrees that if access is approved, the Lead Developer and those that they directly supervise shall become Approved Developers. An Approved Developer is a Lead Developer who has submitted a DUS to the NIH Developer DAC for review and is approved to access data for the purposes described in the approved DUS and agrees to adhere to terms of access described in the Terms and Conditions of Award. Those directly under the supervision of the Lead Developer who are conducting the work described in the approved DUS are also Approved Developers and must abide by the terms laid out in the terms of access. If the Approved Developers plan to conduct research (e.g., methods research), they must submit a Data Access Request (DAR) for research to the appropriate NIH DAC for review and approval.
New uses of these data outside those described in the DUS will require revisions to the DUS and resubmission to the NIH Developer DAC for review.
If a Lead Developer is managing a repository (e.g., performing activities such as repository maintenance and infrastructure development), they agree that they have reviewed and understand the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Controlled-Access Data Repositories.
If a Lead Developer is not managing a repository (e.g., not performing activities such as repository maintenance or infrastructure development), they agree that they have reviewed and understand the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Users of Controlled-Access Data.
The Lead Developer's institution and the Lead Developer further acknowledge that they are responsible for ensuring that all uses of the data are consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations, as well as relevant institutional policies.
Public Posting of Approved Developer Use
Information about developer activities may be publicly posted. The information may include the name of the Lead Developer's institution, intended developer activities, in both a scientific and lay format, and de-identified information about inadvertent data releases, breaches of data security, or other violations.
Non-identification
The Approved Developers agree to make no attempt to identify or contact, either directly or indirectly, individual participants or their families.
Certificate of Confidentiality
A Certificate of Confidentiality (Certificate) protects the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations. Data that are stored in and shared through the NIH controlled-access data repositories are protected by a Certificate. Therefore, Approved Developers, whether or not receiving NIH funding, who are approved to access a copy of information protected by a Certificate, are also subject to the requirements of the Certificate of Confidentiality and subsection 301(d) of the Public Health Service Act.
Under Section 301(d) of the Public Health Service Act and the NIH Policy for Issuing Certificates of Confidentiality, recipients of a Certificate of Confidentiality shall not:
Disclosure is permitted only when:
Developers that obtain a copy of information protected by a Certificate agree to protect participants' identifiable, sensitive information from compelled disclosure and support and defend the authority of the Certificate against legal challenges. For more information see: https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html.
Non-Transferability
The Approved Developers agree not to distribute controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) to any entity or individual not identified in the approved DUS without appropriate written approvals from the NIH. The Approved Developers' institution and Approved Developers agree that controlled-access data accessed through the approved DUS and any data derivatives of controlled-access data, in whole or in part, may not be sold to any individual at any point in time for any purpose.
Data Security Training
The Approved Developers agree to have reviewed IT Administrator or Developer role-based training on the NIH Security Awareness Course (https://irtsectraining.nih.gov/publicUser.aspx).
Data Security and Unauthorized Data Release
If a Lead Developer is managing a repository, the Approved Developers acknowledge NIH's expectation that they have reviewed and agree to manage the requested controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of controlled-access data according to NIH's expectations set forth in the NIH Security Best Practices for Controlled-Access Data Repositories.
If a Lead Developer is not managing a repository, the Approved Developers acknowledge NIH's expectation that they have reviewed and agree to manage the requested controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of controlled-access data according to the NIH Security Best Practices for Users of Controlled-Access Data.
The Approved Developers agree to notify the NIH Developer DAC of any unauthorized data access or sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the NIH Developer DAC notification, the Lead Developer's institution agrees to submit to the NIH Developer DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Lead Developer's institution agrees to provide any additional documentation requested by the NIH Developer DAC on the incident, including verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.
All notifications and written reports of DMIs should be sent to the NIH Developer DAC ([email protected]) with a copy to the GDS mailbox ([email protected]).
NIH, or another entity designated by NIH, as permitted by law, may also investigate any data security incident or policy violation. The Approved Developers agree to support such investigations and provide any requested information as consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer's institution and the Lead Developer agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.
Term of Access Violations (e.g., Data Management Incident (DMI))
The Lead Developer acknowledges that the NIH may immediately revoke or suspend access to all controlled-access data at any time if Approved Developers are found to no longer be in compliance with these terms, any additional program or NIH ICO-specific requirements for NIH controlled-access data repositories, or with other policies and procedures of the NIH. Past violations may be taken into consideration for future requests from the Lead Developer to access the data. The Lead Developer agrees to notify the NIH of any actual or suspected violations of these terms, or any additional program or NIH ICO-specific requirements for NIH controlled-access data repositories within 24 hours of when the incident is identified. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.
All notifications and written reports of DMIs should be sent to the NIH Developer DAC ([email protected]) with a copy to the GDS mailbox ([email protected]).
NIH, or another entity designated by NIH, as permitted by law, may also investigate any DMI. The Lead Developer agrees to collaborate with such investigations and provide information as consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer agrees to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable laws and policies. The Lead Developer also acknowledges that NIH may revoke access for any reason without cause.
Developer Use Reporting
The Lead Developer who is seeking Renewal or Close-out of a project agrees to complete the appropriate forms and provide an update, report any violations of the terms of access described, and the implemented remediation.
Non-endorsement, Indemnification
Approved Developers acknowledge that although all reasonable efforts have been taken to ensure the accuracy and reliability of controlled-access data, NIH and all contributors to these data disclaim all warranties as to performance or fitness of the data for any particular purpose. No indemnification for any loss, claim, damage, or liability is intended or provided by any party under this agreement. Each party shall be liable for any loss, claim, damage, or liability that said party incurs as a result of its activities under this agreement, except that NIH, as an agency of the United States, may be liable only to the extent provided under the Federal Tort Claims Act, 28 USC 2671 et seq.
Lower Tier Agreements
If the Lead Developer seeks to work with a partner not directly funded by the federal government that will need access to NIH controlled-access data (and is not a third-party IT system or Cloud Service Provider), NIH will only provide the developer partner access to controlled-access data if:
Termination and Data Destruction
Upon close-out, the Approved Developer agrees to destroy all copies, versions, and data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of the data retrieved from NIH controlled-access data repositories, on both local servers and hardware, and if cloud computing was used, delete the data and cloud images from cloud computing provider storage, virtual and physical machines, databases, and random-access archives.
Developer Code of Conduct
The Developer Code of Conduct sets forth expectations for the responsible management and use of controlled-access data in NIH controlled-access data repositories. Approved Developers agree to:
Please direct all inquiries to:
Office of Science Policy
Email: [email protected]
Telephone: 301-496-9838