Designating Scientific Data for Controlled Access

The DMS Policy expects researchers to consider whether access to scientific data from participants should be controlled (i.e., measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data), even if de-identified and lacking explicit limitations on subsequent use. The points below are intended to assist researchers when considering whether controlled-access repositories may be needed to protect participant privacy.

Note that controls may be needed for data at any level of processing (e.g., raw or fully cleaned data) and from any source (e.g., research, clinical, or public health data). In cases where participants explicitly consent to share scientific data without restrictions, it may be appropriate to share data without access controls. Investigators should consider sharing participants’ scientific data through controlled access repositories if data:

  1. Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and/or agreements.

  2. Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification.

  3. Cannot be de-identified to established standards or cannot sufficiently reduce the possibility of re-identification. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.

Other risk-mitigation measures that repositories can employ are discussed in Selecting a Data Repository. Awardees can also employ strategies found in NIST’s Privacy Framework and tools for de-identification.

  1. Due to previously unanticipated approaches or technologies, pose risks to participant privacy if released without controls on access. When such risks are realized prior to sharing the scientific data and not outlined in original Data Management and Sharing Plans, necessary changes to Data Management and Sharing Plans should be immediately communicated to NIH.

Need help selecting a data repository? Find some options at Repositories for Sharing Scientific Data.