Genomic Data User Code of Conduct

Genomic Data User Code of Conduct

Below are NIH's Genomic Data User Code of Conduct required for all investigators and institutions approved to access data. Users approved to access data prior to January 25, 2025 are required to follow the updated code of conduct.

For Users Accessing Data On or After January 25, 2025

Under the National Institutes of Health (NIH) Genomic Data Sharing Policy, the Genomic Data User Code of Conduct sets forth principles for responsible management and use of large-scale genomic data and associated phenotypic data accessed through controlled-access to NIH-designated data repositories (e.g., the database of Genotypes and Phenotypes (dbGaP), repositories established as NIH Trusted Partners).  Failure to abide by any term within this Code of Conduct may result in revocation of approved access to datasets obtained through these repositories. Investigators who are approved by NIH to access data agree to: 

1. Use datasets solely in connection with the research project described in the approved Data Access Request; for each dataset;

2. Make no attempt to identify or contact individual participants or groups from whom data were collected, or generate information that could allow participants’ identities to be readily ascertained, without appropriate approvals from the submitting institutions; 

3. Maintain the confidentiality of the data and not distribute them to any entity or individual beyond those specified in the approved Data Access Request; 

4. Adhere to the NIH Security Best Practices for Users of Controlled-Access Data and ensure that only Approved Users can gain access to data files;

5. Acknowledge the Intellectual Property terms as specified in the Data Use Certification Agreement; 

6. Provide appropriate acknowledgement in any dissemination of research findings including the investigator(s) who generated the data, the funding source, accession numbers of the dataset, and the data repository from which the data were accessed; and,
7. Report any inadvertent data release, breach of data security, or other data management incidents in accordance with the terms specified in the Data Use Certification Agreement.

*(Updated 01/25/2025)

For Users Accessing Data On or Before January 24, 2025

Under the National Institutes of Health (NIH) Genomic Data Sharing Policy, the Genomic Data User Code of Conduct sets forth principles for responsible management and use of large-scale genomic data and associated phenotypic data accessed through controlled-access to NIH designated data repositories (e.g., the database of Genotypes and Phenotypes (dbGaP), repositories established as NIH Trusted Partners).  Failure to abide by any term within this Code of Conduct may result in revocation of approved access to datasets obtained through these repositories. Investigators who are approved by NIH to access data agree to:

1. Use datasets only for the research project described in the approved Data Access Request for each dataset;
2. Make no attempt to identify or contact individual participants or groups from whom data were collected, or generate information that could allow participants’ identities to be discovered, without appropriate approvals from the institution that submitted the dataset to dbGaP;
3. Maintain the confidentiality of the data and not distribute them to anyone outside of those specified in the approved Data Access Request;
4. Adhere to the NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing Policy and ensure that only approved users can gain access to data files (Note: If approved before January 25, 2025, Approved Users may continue adhering to the NIH Security Best Practices for Controlled-Access Data Subject to the NIH Genomic Data Sharing (GDS) Policy until project renewal, at which point they will adopt the updated NIH Security Best Practices for Users of Controlled-Access Data);
5. Acknowledge the Intellectual Property terms as specified in the Data Use Certification Agreement;
6. Provide appropriate acknowledgement in any dissemination of research findings including the investigator(s) who generated the data, the funding source, accession numbers of the dataset, and the data repository from which the data were accessed; and,
7. Report any inadvertent data release, breach of data security, or other data management incidents in accordance with the terms specified in the Data Use Certification Agreement.

*(Updated 06/11/2019)