Standard Language for Developer Terms of Access in the Terms and Conditions of Award
Notice Number: NOT-OD-25-021

Key Dates

Release Date: December 02, 2024

Related Announcements

December 17, 2024 - Announcing Community Days Webinars on Updated NIH Security Best Practices for Users of Genomic Controlled-Access Data. See Notice NOT-OD-25-052.

August 27, 2014 - NIH Genomic Data Sharing Policy. See Notice NOT-OD-14-124

July 25, 2024 - Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy. See Notice NOT-OD-24-157 

Issued by

Office of The Director, National Institutes of Health (OD)

Purpose

The Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157) establishes minimum standard operating procedures for developer oversight. These procedures include the expectation that the Lead Developer(s) (e.g., the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application), those that they directly supervise, and the Lead Developer’s institution agree to developer terms of access described in the Terms and Conditions of Award and any additional NIH program or ICO-specific requirements. The purpose of this Guide Notice is to provide the terms of access for developers, which are provided below.

Expectations for Developer Use Statement and Overview of NIH Developer Data Access Committee

The Lead Developer(s) (e.g., the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application), those that they directly supervise, and the funding NIH Institute, Center, or Office (ICO) agree that to gain access to data in the NIH ICO controlled-access data repository named in the Developer Use Statement (DUS), the Lead Developer will submit a request containing a DUS to the NIH Developer Data Access Committee (NIH Developer DAC) for review. Expectations for the DUS can be found in NIH Guide Notice NOT-OD-24-157.

If a project has multiple Lead Developers (e.g., for multi-component awards), each Lead Developer must submit a DUS. All Lead Developers must be associated with an institution that is receiving or applying for NIH or other federal support for the developer work with a funding mechanism that has incorporated the developer terms of access.

Once the NIH Developer DAC has approved, repositories may provide access. Access may be granted for two years. At the end of the approval period, the Lead Developer is expected to submit a progress report through either a close-out or renewal request.

To continue access, a renewal request should be submitted to the NIH Developer DAC that contains at least the following:

  • Brief description of how access contributed to developer work.
  • Affirmation that the Lead Developer and those they directly supervise adhered to the developer terms of access and any NIH program or ICO-specific requirements for NIH controlled access.
  • Report any data misuse (e.g., violation of the terms of access and any NIH program or ICO specific requirements for NIH controlled access), breach, unauthorized disclosure of data, or security incident.
  • Describe why additional access is needed.

Once the NIH Developer DAC has reviewed and approved, the repository can provide access for an additional two years.

When access is no longer needed, a close-out should be submitted to the NIH Developer DAC that contains at least the following:

  • Brief description of how access contributed to developer work.
  • Affirmation that the Lead Developer and those they directly supervise adhered to the developer terms of access and any NIH program or ICO-specific requirements for NIH controlled access.
  • Report of data misuse (e.g., violation of the terms of access and any additional NIH program or ICO-specific requirements for NIH controlled-access), breach, unauthorized disclosure of data, or security incident.

Terms of Access (In Terms and Conditions of Award)

The Lead Developer’s institution agrees that if access is approved, the Lead Developer and those that they directly supervise shall become Approved Developers. An Approved Developer is a Lead Developer who has submitted a DUS to the NIH Developer DAC for review and is approved to access data for the purposes described in the approved DUS and agrees to adhere to terms of access described in the Terms and Conditions of Award. Those directly under the supervision of the Lead Developer who are conducting the work described in the approved DUS are also Approved Developers and must abide by the terms laid out in the terms of access. If the Approved Developers plan to conduct research (e.g., methods research), they must submit a Data Access Request (DAR) for research to the appropriate NIH DAC for review and approval.

New uses of these data outside those described in the DUS will require revisions to the DUS and resubmission to the NIH Developer DAC for review.

If a Lead Developer is managing a repository (e.g., performing activities such as repository maintenance and infrastructure development), they agree that they have reviewed and understand the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Controlled-Access Data Repositories.

If a Lead Developer is not managing a repository (e.g., not performing activities such as repository maintenance or infrastructure development), they agree that they have reviewed and understand the principles for responsible use and data management of controlled-access data as defined in the NIH Security Best Practices for Users of Controlled-Access Data.

The Lead Developer’s institution and the Lead Developer further acknowledge that they are responsible for ensuring that all uses of the data are consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations, as well as relevant institutional policies.

Public Posting of Approved Developer Use

Information about developer activities may be publicly posted. The information may include the name of the Lead Developer’s institution, intended developer activities, in both a scientific and lay format, and de-identified information about inadvertent data releases, breaches of data security, or other violations.

Non-identification

The Approved Developers agree to make no attempt to identify or contact, either directly or indirectly, individual participants or their families.

Certificate of Confidentiality

A Certificate of Confidentiality (Certificate) protects the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations. Data that are stored in and shared through the NIH controlled-access data repositories are protected by a Certificate. Therefore, Approved Developers, whether or not receiving NIH funding, who are approved to access a copy of information protected by a Certificate, are also subject to the requirements of the Certificate of Confidentiality and subsection 301(d) of the Public Health Service Act.  

Under Section 301(d) of the Public Health Service Act and the NIH Policy for Issuing Certificates of Confidentiality, recipients of a Certificate of Confidentiality shall not:

  • Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research.

Disclosure is permitted only when:

  • Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;
  • Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;
  • Made with the consent of the individual to whom the information, document, or biospecimen pertains; or
  • Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research. 

Developers that obtain a copy of information protected by a Certificate agree to protect participants’ identifiable, sensitive information from compelled disclosure and support and defend the authority of the Certificate against legal challenges. For more information see: https://grants.nih.gov/grants/guide/notice-files/NOT-OD-17-109.html. 

Non-Transferability

The Approved Developers agree not to distribute controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) to any entity or individual not identified in the approved DUS without appropriate written approvals from the NIH. The Approved Developer’s institution and Approved Developers agree that controlled-access data accessed through the approved DUS and any data derivatives of controlled-access data, in whole or in part, may not be sold to any individual at any point in time for any purpose.

Data Security Training

The Approved Developers agree to have reviewed IT Administrator or Developer role-based training on the NIH Security Awareness Course (https://irtsectraining.nih.gov/publicUser.aspx).

Data Security and Unauthorized Data Release

If a Lead Developer is managing a repository, the Approved Developers acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of controlled-access data according to NIH’s expectations set forth in the NIH Security Best Practices for Controlled-Access Data Repositories.

If a Lead Developer is not managing a repository, the Approved Developers acknowledge NIH’s expectation that they have reviewed and agree to manage the requested controlled-access data and any data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of controlled-access data according to the NIH Security Best Practices for Users of Controlled-Access Data.

The Approved Developers agree to notify the NIH Developer DAC of any unauthorized data access or sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the NIH Developer DAC notification, the Lead Developer’s institution agrees to submit to the NIH Developer DAC(s) a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent further problems, including specific information on timelines anticipated for action. The Lead Developer’s institution agrees to provide any additional documentation requested by the NIH Developer DAC on the incident, including verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.

All notifications and written reports of DMIs should be sent to the NIH Developer DAC ([email protected]) with a copy to the GDS mailbox ([email protected]).

NIH, or another entity designated by NIH, as permitted by law, may also investigate any data security incident or policy violation. The Approved Developers agree to support such investigations and provide any requested information as consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer’s institution and the Lead Developer agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law.

Term of Access Violations (e.g., Data Management Incident (DMI))

The Lead Developer acknowledges that the NIH may immediately revoke or suspend access to all controlled-access data at any time if Approved Developers are found to no longer be in compliance with these terms, any additional program or NIH ICO-specific requirements for NIH controlled-access data repositories, or with other policies and procedures of the NIH. Past violations may be taken into consideration for future requests from the Lead Developer to access the data. The Lead Developer agrees to notify the NIH of any actual or suspected violations of these terms, or any additional program or NIH ICO-specific requirements for NIH controlled-access data repositories within 24 hours of when the incident is identified. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures.

All notifications and written reports of DMIs should be sent to the NIH Developer DAC ([email protected]) with a copy to the GDS mailbox ([email protected]).

NIH, or another entity designated by NIH, as permitted by law, may also investigate any DMI. The Lead Developer agrees to collaborate with such investigations and provide information as consistent with applicable law including applicable local, state, Tribal, and federal laws and regulations. In addition, the Lead Developer agrees to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable laws and policies. The Lead Developer also acknowledges that NIH may revoke access for any reason without cause.

Developer Use Reporting

The Lead Developer who is seeking Renewal or Close-out of a project agrees to complete the appropriate forms, provide an update, and report any violations of the terms of access described and the implemented remediation.

Non-endorsement, Indemnification

Approved Developers acknowledge that although all reasonable efforts have been taken to ensure the accuracy and reliability of controlled-access data, NIH and all contributors to these data disclaim all warranties as to performance or fitness of the data for any particular purpose. No indemnification for any loss, claim, damage, or liability is intended or provided by any party under this agreement. Each party shall be liable for any loss, claim, damage, or liability that said party incurs as a result of its activities under this agreement, except that NIH, as an agency of the United States, may be liable only to the extent provided under the Federal Tort Claims Act, 28 USC 2671 et seq.

Lower Tier Agreements

If the Lead Developer seeks to work with a partner not directly funded by the federal government that will need access to NIH controlled-access data (and is not a third-party IT system or Cloud Service Provider), NIH will only provide the developer partner access to controlled-access data if:

  • Both the Lead Developer and developer partner enter into a contract containing the terms of developer access in the Terms and Conditions of the Award.
  • The Lead Developer identifies the developer partner institution and developer partner program manager in their DUS and submits it to the NIH Developer DAC and is approved. For ongoing developer work, the Lead Developer can revise and resubmit the DUS.
  • The developer partner submits a DUS to the NIH Developer DAC for review that contains information about the developer partner program manager and IT Director and, if approved, the developer partner and their Institutional Signing Official co-sign the Developer Data Use Agreement and any additional NIH program or ICO-specific requirements. 

Termination and Data Destruction

Upon close-out, the Approved Developer agrees to destroy all copies, versions, and data derivatives (e.g., imputed datasets and single nucleotide polymorphisms) of the data retrieved from NIH controlled-access data repositories, on both local servers and hardware, and if cloud computing was used, delete the data and cloud images from cloud computing provider storage, virtual and physical machines, databases, and random-access archives.

Developer Code of Conduct

The Developer Code of Conduct sets forth expectations for the responsible management and use of controlled-access data in NIH controlled-access data repositories. Approved Developers agree to:

  1. Use data for the sole purposes of developing, testing, and implementing the environment and building the infrastructure during both development and production phases of deployment (these functions include software development to enable researchers to access and analyze data);
  2. Make no attempt to identify or contact, either directly or indirectly, individual participants or their families;
  3. Maintain the confidentiality of the data and not distribute data or derivative data (e.g., imputed datasets and single nucleotide polymorphisms) to any entity or individual without appropriate written approvals from the NIH;
  4. Implement administrative and technical safeguards to prevent unauthorized access to the data and adhere to the NIH Security Best Practices for Controlled-Access Data Repositories, or if applicable, NIH Security Best Practices for Users of Controlled-Access Data;
  5. Ensure that only authenticated and authorized users can gain access to data files, as appropriate;
  6. Report any actual or suspected inadvertent data access or release, breach of data security, or other DMIs in accordance with the terms described herein to the NIH Developer DAC ([email protected]) with a copy to the GDS mailbox ([email protected]) within 24 hours of when the incident is identified;
  7. Allow information about its use of controlled-access data to be publicly posted. The information may include the name of the Lead Developer’s institution, intended developer activities, in both a scientific and lay format, and de-identified information about inadvertent data releases, breaches of data security, or other violations;
  8. Acknowledge that no ownership rights of the datasets (including derived or derivative data) are granted to developers or their affiliates;
  9. Lead Developers who want to perform research must submit a Data Access Request (DAR) to a relevant NIH DAC for review and approval.

Inquiries

Please direct all inquiries to:

Office of Science Policy
Email: [email protected]
Telephone: 301-496-9838
