Principles and Best Practices for Protecting Participant Privacy

This page provides a set of principles and best practices for creating a robust framework for protecting the privacy of research participants when sharing data under the NIH Policy for Data Management and Sharing (DMS).

The DMS Policy is consistent with federal regulations for the protection of human research participants and other NIH expectations for the use and sharing of scientific data derived from human participants, including: NIH’s 2014 Genomic Data Sharing (GDS) Policy, the 2015 Intramural Research Program Human Data Sharing Policy, 45 CFR 46, and other applicable federal, Tribal, state, and local laws, regulations, statutes, guidance, and institutional policies that govern research with human participants. Additionally, NIH has established requirements for research teams and policies regarding research conduct including safety monitoring, Certificates of Confidentiality, and reporting of information about research progress.

Operational Principles for Protecting Participant Privacy When Sharing Scientific Data

As outlined in NIH Guide Notice Supplemental Policy Information: Protecting Privacy When Sharing Human Research Participant Data, respect for and protection of participant privacy is the foundation of the biomedical and behavioral research enterprise. NIH and the institutions it funds must protect the privacy and confidentiality of every participant as described in informed consent and in line with all applicable laws, policies, and regulations. The following are core principles investigators should keep in mind when developing Data Management and Sharing Plans and carrying out NIH-funded or supported research.

  1. Researchers and institutions should proactively assess the protections needed for sharing scientific data from participants, including determining whether sharing should be restricted through controlled access, regardless of whether the data meet technical and/or legal definitions of “de-identified” and can legally be shared without additional protections (e.g., the research does not meet the definition of “human subjects research” under the Common Rule).

  2. Researchers and institutions should develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed (see Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing). 

  3. There may be justifiable limitations to sharing scientific data under the DMS Policy. The DMS Policy outlines factors that might limit sharing, including when sharing would compromise the privacy or safety of participants and when limitations are explicitly described in informed consent documents. In these instances, researchers should outline these justifications in their Data Management and Sharing Plans. In addition, limitations on sharing and use should be conveyed with the data when they are transferred, such as when sharing through repositories to downstream users (see section below, Establish Scientific Data Sharing and Use Agreements).

  4. Institutions should review the conditions for sharing data, including confirming that proposed limitations on the future use of data are appropriate and that risks have been considered, and communicate this information to repositories and/or users (see section below, Establish Scientific Data Sharing and Use Agreements). Such review helps establish the conditions under which future sharing will occur and enables consistent, clear, and appropriate sharing with downstream users. Review can take different forms and be conducted by different offices or components of an institution (such as an Institutional Review Board, Privacy Board, or individuals with appropriate roles and expertise).

  5. Scientific data used in research warrant privacy considerations regardless of whether the data are collected from non-research settings or settings that may be subject to different privacy standards than traditionally applied to research data, such as from social media and public health surveillance. Even if researchers cannot set the standards for collecting such data, they should apply protections for sharing scientific data consistent with those outlined in this supplemental information.

  6. Responsible data sharing practices require a commitment from the entirety of the biomedical and behavioral research enterprise. Researchers and institutions should remain vigilant regarding potential misuse and work in concert with NIH to prevent unauthorized use of scientific data from NIH-supported platforms and repositories. In addition, NIH is committed to enforcing the terms of its data use agreements.

Best Practices for Protecting Participant Privacy When Sharing Scientific Data

NIH acknowledges there are multiple, effective strategies for achieving privacy protection in the context of the DMS Policy. Building upon the operational principles described above, the following best practices, when implemented together, along with consideration of the Points to Consider for Designating Scientific Data for Controlled-Access (below), provide a robust privacy framework.

Apply Appropriate De-identification

NIH recommends that scientific data be de-identified to the greatest extent that maintains sufficient scientific utility. Unless participants explicitly consent to sharing identifiable data (e.g., under the broad consent provision of the Common Rule), data should generally be shared only in a de-identified format. The guide notice provides strategies for institutions to consider based on their particular research project and scientific data types (see section 1, “Apply Appropriate De-identification” under “Best Practices for Protecting Participant Privacy When Sharing Scientific Data”).

Establish Scientific Data Sharing and Use Agreements

NIH recommends the use of scientific data sharing and/or use agreements, preferably standardized, when sharing data through repositories as proposed in Data Management and Sharing Plans. Agreements for sharing data through repositories are recommended, as they establish the conditions that enable consistent, clear, and appropriate sharing with downstream users. Agreements are also important for users of controlled-access data to promote common understanding of responsibilities and expectations in use of participant data. Agreements should be considered even if scientific data are de-identified. The supplemental information describes three key elements of data sharing and use agreements that promote the privacy of participants: 1) Oversight, 2) Responsibilities, and 3) Restrictions. For more details, see section 2, “Establish Scientific Data Sharing and Use Agreements” under “Best Practices for Protecting Participant Privacy When Sharing Scientific Data”.

As an example of a resource for community developed, standardized templates for data transfer and use agreements, see the Federal Demonstration Partnership. Note that not all templates and agreements may meet all principles outlined.

Understand and Communicate Legal Protections Against Disclosure and Misuse

A variety of federal, Tribal, state, and local laws impose obligations on the disclosure and use of scientific data from research (including HIPAA and the Common Rule, mentioned above, as well as state laws that may prohibit disclosure of certain types of information). Researchers and their institutions should understand the applicability of relevant laws, regulations, and policies on their research.

Researchers and institutions are particularly encouraged to understand the requirements and legal protections provided by the NIH Certificates of Confidentiality Policy. Recipients of data, including repositories, should be informed when scientific data are covered by a Certificate, and should be reminded that such data and all copies are covered by Certificates in perpetuity. Certificates of Confidentiality protect the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations, such as when there is consent to do so.

For data subject to the Genomic Data Sharing Policy:

Additional considerations may apply when sharing human genomic studies that are subject to NIH’s Genomic Data Sharing (GDS) Policy. Please consult Points to Consider for Institutions and Institutional Review Boards in Submission and Secondary Use of Human Genomic Data under the National Institutes of Health Genomic Data Sharing Policy for more details.