Principles and Best Practices for Protecting Participant Privacy

This page provides a set of principles and best practices for creating a robust framework for protecting the privacy of research participants when sharing data under the NIH Policy for Data Management and Sharing (DMS).

The DMS Policy is consistent with federal regulations for the protection of human research participants and other NIH expectations for the use and sharing of scientific data derived from human participants, including: NIH’s 2014 Genomic Data Sharing (GDS) Policy, the 2015 Intramural Research Program Human Data Sharing Policy, 45 CFR 46, and other applicable federal, Tribal, state, and local laws, regulations, statutes, guidance, and institutional policies that govern research with human participants. Additionally, NIH has established requirements for research teams and policies regarding research conduct including safety monitoring, Certificates of Confidentiality, and reporting of information about research progress.

Operational Principles for Protecting Participant Privacy When Sharing Scientific Data

As outlined in NIH Guide Notice Supplemental Policy Information: Protecting Privacy When Sharing Human Research Participant Data, respect for and protection of participant privacy is the foundation of the biomedical and behavioral research enterprise. The following are core principles investigators should keep in mind.

  1. NIH and the institutions it funds are obligated and required to protect the privacy and confidentiality of every participant as described in informed consent and in line with all applicable laws, policies, and regulations. It is important that researchers and institutions do the same when conducting research and sharing research results.

  2. Researchers and institutions should proactively assess appropriate protections for sharing scientific data from participants, including determining whether sharing should be restricted through controlled access, regardless of whether the data meet technical and/or legal definitions of “de-identified” and can legally be shared without additional protections (e.g., the research does not meet the definition of “human subjects research” under the Common Rule).

  3. Investigators and institutions should develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed (see Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing). Importantly, when a study offers the possibility of a direct benefit for research participants, the DMS Policy does not require sharing of data in order to participate.

  4. Institutions should review the conditions for data sharing, including confirming that proposed limitations on the future use of data are appropriate and that risks have been considered. Limitations should be conveyed with the data when they are transferred, such as when sharing through repositories to secondary users.

  5. Collection of data from non-traditional research settings, such as mobile health devices, social media, consumer reports, and public health surveillance, also warrants strict privacy considerations.

  6. There may be justifiable exceptions to sharing scientific data, regardless of the sufficiency of access controls and de-identification techniques. In these rare instances, researchers should outline these justifications in their Data Management and Sharing Plans.

  7. Responsible data sharing practices require a commitment from the entirety of the biomedical and behavioral research enterprise. Researchers and institutions should remain vigilant regarding potential misuse and work in concert with NIH to prevent unauthorized use of scientific data from NIH-supported platforms and repositories. In addition, NIH is committed to enforcing the terms of its data use agreements.

Best Practices for Protecting Participant Privacy When Sharing Scientific Data

NIH acknowledges there are multiple, effective strategies for achieving privacy protection in the context of the DMS Policy. Building upon the operational principles described above, the following best practices, when implemented together, along with consideration of the Points to Consider for Designating Scientific Data for Controlled-Access (below), provide a robust privacy framework.

Ensure Appropriate De-identification

NIH recommends scientific data to be de-identified to the greatest extent possible in a manner that maintains sufficient scientific utility. Researchers and institutions should consider the following strategies and their appropriateness given their particular research and scientific data:

  • Relying on the standards for identifiability outlined in the Common Rule (participant identity cannot “readily be ascertained”) and in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (i.e., Expert Determination or Safe Harbor), regardless of whether these rules apply to the sharing, disclosure, or subsequent use of data.

  • As methods for re-identifying individuals continue to become increasingly sophisticated and available for use, employing advanced statistical or computational methods to de-identify data and maintain privacy whenever feasible and appropriate.

  • In some cases, scientific utility may be lost if shared data are de-identified. It may consequently be justifiable in certain cases to share scientific data under the DMS Policy that meet a legal or regulatory standard for identifiability. In those cases, data sharing may be subject to particular rules, and researchers should also consider whether other relevant protections should be employed.

Establish Scientific Data Sharing and Use Agreements

NIH recommends the use of scientific data sharing and/or use agreements, preferably standardized, when sharing data from participants with and from repositories. These agreements should be considered even if scientific data are de-identified and should be negotiated among researchers, institutions, and repositories. Key elements that promote the privacy of research participants in such agreements include:

  • Oversight. Agreements should clearly include certification from an institutional official that, at a minimum, scientific data have been appropriately de-identified (and to which standard), that an institutional oversight body has reviewed and considered the risks of data sharing, and that sharing is consistent with informed consent (as applicable).
  • Responsibilities. Agreements should delineate responsibilities of all parties having access to the data and clearly inform parties on data use limitations as well as responsibilities regarding privacy and confidentiality, including those required by Certificates of Confidentiality, as applicable.
  • Restrictions. Agreements should explicitly outline sharing limitations and explicitly prohibit attempts to re-identify and/or recontact participants or their family members unless there is explicit agreement to do so. Such restrictions should travel with the data.

As an example of a resource for community developed, standardized templates for data transfer and use agreements, see the Federal Demonstration Partnership. Note that not all templates and agreements may meet all principles outlined.

Understand Legal Protections Against Disclosure and Misuse

Per the NIH Certificates of Confidentiality Policy, data subject to the Policy are deemed issued a Certificate of Confidentiality, including some data that have been de-identified (e.g., human genomic data). Certificates of Confidentiality protect the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations. Protections afforded by Certificates apply to all copies of a dataset in perpetuity.

For data subject to the Genomic Data Sharing Policy:

Additional considerations may apply when sharing human genomic studies that are subject to NIH’s Genomic Data Sharing (GDS) policy. Please consult Points to Consider for Institutions and Institutional Review Boards in Submission and Secondary Use of Human Genomic Data under the National Institutes of Health Genomic Data Sharing Policy for more details.