Using Genomic Data Responsibly Under the NIH Genomic Data Sharing Policy

Controlled-access data users must protect the privacy of the human participants from whom the datasets were generated. Learn about the responsibilities that come with receiving access to human genomic data from NIH.

NIH expects users of both controlled and unrestricted/open-access human genomic data to manage and secure the data in a way that protects the privacy of human participants.

NIH has issued an Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157) for Approved Users and developers accessing, storing, or providing access to human genomic data shared under the NIH Genomic Data Sharing (GDS) Policy.

Read below to learn about the responsibilities that come with receiving access to human genomic data shared under the GDS Policy from NIH.

Expectations for Unrestricted/Open-Access Data Users

Investigators who download unrestricted/open-access data from NIH-designated data repositories should:

  • Not attempt to identify individual human research participants from whom the data were obtained
  • Acknowledge in all oral or written presentations, disclosures, or publications the specific dataset(s) or applicable accession number(s) and the NIH-designated data repositories through which the investigator accessed any data

Expectations for Approved Users of Controlled-Access Data

Investigators approved to access data (i.e., Approved Users) and their institution are responsible for maintaining the confidentiality, integrity, and security of the data accessed from an NIH designated repository according to NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy. On or after January 25, 2025, Approved Users and their institution will be expected to secure data according to NIH Security Best Practices for Users of Controlled-Access Data.

On or after January 25, 2025, The NIH Security Best Practices for Users of Controlled-Access Data will be included in new or renewed Data Use Certifications or similar agreements stipulating terms of access to controlled-access human genomic data. Users approved prior to January 25, 2025, should secure data according to the NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy until project close-out or renewal

AnchorGenomic Data User Code of Conduct

Investigators who are approved by NIH to download controlled-access data agree to:

If an investigator plans to use cloud computing systems to store or analyze controlled-access data, NIH expects the cloud systems to meet the same standards as outlined in NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy until project renewal, at which point they must adopt the updated NIH Security Best Practices for Users of Controlled-Access Data. NIH will hold the institution, not the cloud service provider, responsible for any failure in the oversight of using cloud computing services for controlled-access data.

Data Use Certification Agreement

The Data Use Certification Agreement, co-signed by the investigator requesting the data and their institution as represented by the Institutional Signing Official, and NIH, specifies the terms for appropriate secondary research use of controlled-access data, including:

  • Using the data only for the research use stated in the approved data access request; 
  • Protecting data confidentiality;
  • Following, as appropriate, all applicable national, tribal, and state laws and regulations, as well as relevant institutional policies and procedures for handling genomic data;
  • Not attempting to identify individual participants from whom the data were obtained;
  • Not selling any of the data obtained from NIH-designated data repositories;
  • Not sharing any of the data obtained from controlled-access NIH-designated data repositories with individuals other than those listed in the data access request;
  • Agreeing to the listing of a summary of approved research uses in dbGaP along with the investigator’s name and organizational affiliation;
  • Agreeing to report any violation of the GDS Policy to the appropriate data access committee(s) as soon as it is discovered;
  • Reporting research progress using controlled-access datasets through annual access renewal requests or project close-out reports;
  • Acknowledging in all oral or written presentations, disclosures, or publications the contributing investigator(s) who conducted the original study, the funding organization(s) that supported the work, the specific dataset(s) and applicable accession number(s), and the NIH-designated data repositories through which the investigator accessed any data. 

Patenting NIH-funded Genomic Data

NIH encourages the broad use of NIH-funded genomic data in ways that are consistent with responsible management of any intellectual property that resulted from the data. For that reason, NIH encourages patents that can lead to products that address public needs and that do not hinder research. NIH discourages the use of patents to block the use of, or access to, genomic or genotype/phenotype data developed with NIH support.

In addition, naturally occurring DNA sequences are not patentable in the United States. This means that basic DNA sequence data, and related information such as genotypes, are pre-competitive. When investigators use these types of data from NIH repositories, the data as well as any conclusions that came directly from the data should remain freely accessible, without any licensing requirements.

Minimum Standard Operating Procedures for Developer Oversight

NIH is establishing minimum expectations for developer access to controlled-access data shared under the GDS Policy. Developer activities include testing platforms, pipelines, analysis tools, and user interfaces that store, manage, and interact with human genomic data from NIH controlled-access data repositories as well as provide infrastructure development and repository maintenance, but does not include research (e.g., methods development).

Lead Developer(s) (e.g., for extramural the Principal Investigator (PI) who is listed as the Project Director (PD) or PI on the funding application; for intramural the developer team lead at the managing NIH ICO repository)seeking access should submit a request containing a Data Use Statement (DUS) to the NIH Developer Data Access Committee (NIH Developer DAC) (DeveloperAccessDAC@od.nih.gov). For additional information, see Implementation Update for Data Management and Access Practices Under the Genomic Data Sharing Policy (NOT-OD-24-157).

/faqs#/genomic-data-sharing-policy.htm