NIH Grants and Funding
Controlled-access data users must protect the privacy of the human participants from whom the datasets were generated. Learn about the responsibilities that come with receiving access to human genomic data from NIH.
The National Institutes of Health (NIH) Genomic Data Sharing (GDS) Policy expects investigators generating large-scale genomic data as well as relevant associated data to submit these data to a NIH-designated data repository.
NIH expects users of human genomic data maintained in controlled-access and unrestricted/open-access data repositories to manage and secure the data in a way that protects the privacy of human participants.
NIH has issued an Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157) for Approved Users and developers accessing, storing, or providing access to human genomic data shared under the NIH Genomic Data Sharing (GDS) Policy.
Read below to learn about the responsibilities that come with receiving access to human genomic data shared under the GDS Policy from NIH.
Expectations for Unrestricted/Open-Access Data Users
Investigators who download unrestricted/open-access data from NIH-designated data repositories should:
- Not attempt to identify individual human research participants from whom the data were obtained
- Acknowledge in all oral or written presentations, disclosures, or publications the specific dataset(s) or applicable accession number(s) and the NIH-designated data repositories through which the investigator accessed any data
Expectations for Approved Users of Controlled-Access Data
Investigators approved to access data (i.e., Approved Users) and their institution are responsible for maintaining the confidentiality, integrity, and security of data accessed from a NIH-designated repository in accordance with the NIH Security Best Practices included in Data Use Certifications (DUCs), or similar data use agreements, stipulating terms of access and the requirements of the Genomic Data User Code of Conduct. Violating these terms and requirements is considered a data management incident.
Effective January 25, 2025, investigators approved to access controlled-access data and their institution are expected to secure data according to the NIH Security Best Practices for Users of Controlled-Access Data in new or renewed DUCs or similar data use agreements. Investigators approved prior to January 25, 2025, should secure data according to the NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy until project close-out or renewal.
If an investigator plans to use a Cloud Service Provider (CSP) and/or third-party IT system to store or analyze controlled-access data, NIH expects the CSP and/or third-party IT system to meet the same standards as outlined in NIH Security Best Practices for Users of Controlled-Access Data. NIH will hold the institution, not the CSP and/or third-party IT system responsible for any failure in the oversight for controlled-access data.
Data Use Certification Agreement
Respect for, and protection of the interests of, research participants are key tenets of the GDS Policy and fundamental to NIH’s stewardship of human genomic data. The Data Use Certification (DUC) Agreement delineates the terms of appropriate secondary research use of requested controlled-access datasets maintained in NIH-designated data repositories under the NIH Genomic Data Sharing Policy. Access to controlled-access human genomic data will be provided only to research investigators who, along with their institutions, agree to meet the expectations and terms of access described in the DUC Agreement and to use the data according to participant informed consent.
Genomic Data User Code of Conduct
The Genomic Data User Code of Conduct delineates key responsibilities of Approved Users and their institutions for appropriate use of controlled-access data, including responsibility for maintaining the security and confidentiality of data and privacy of research participants, reporting possible data management incidents and for properly acknowledging data source and funding.
The Genomic Data User Code of Conduct is available here.
Patenting NIH-funded Genomic Data
NIH encourages the broad use of NIH-funded genomic data in ways that are consistent with responsible management of any intellectual property that resulted from the data. For that reason, NIH encourages patents that can lead to products that address public needs and that do not hinder research. NIH discourages the use of patents to block the use of, or access to, genomic or genotype/phenotype data developed with NIH support.
In addition, naturally occurring DNA sequences are not patentable in the United States. This means that basic DNA sequence data, and related information such as genotypes, are pre-competitive. When investigators use these types of data from NIH repositories, the data as well as any conclusions that came directly from the data should remain freely accessible, without any licensing requirements.
Minimum Standard Operating Procedures for Developer Oversight
NIH is establishing minimum expectations for developer access to controlled-access data shared under the GDS Policy. Developer activities include testing platforms, pipelines, analysis tools, and user interfaces that store, manage, and interact with human genomic data from NIH controlled-access data repositories as well as provide infrastructure development and repository maintenance, but does not include research (e.g., methods development).
Lead Developer(s) (e.g., for extramural the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application; for intramural the developer team lead at the managing NIH ICO repository) seeking access should submit a request containing a Data Use Statement (DUS) to the NIH Developer Data Access Committee (NIH Developer DAC). All Lead Developers must be associated with an institution that is receiving or applying for NIH or other federal support for the developer work under a funding mechanism that has incorporated the developer terms of access. For additional information, see Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157).