[D104.0000] NIH Genome Data Sharing (GDS) Policy Guidance

Compliance with the NIH GDS Policy is a term and condition of the Notice of Award or the Contract Award for applicable grants. Prior to the award, the PI submits an Institutional Certification (IC) signed by the Institutional Signing Official (i.e., Director of OSPA) as part of the Just-in-Time process. NIH provides detailed investigator resources at the GDS Researcher webpage. The following is an overview of investigator responsibilities in data sharing for new, existing, and closed studies.

Jump to: Existing Studies | Closed Studies

New Studies:

The initial IRB review submission includes the PI’s genomic plan, including:

1. Intent to contribute data to the database of Genotypes and Phenotypes (dbGaP) or specified NIH-designated repositories;
   1. Genotypic and phenotypic data that will be provided (as applicable)
   2. Sources of genotypic and/or phenotypic data (e.g., all participants, a subset of individuals). In cases where data submission to an NIH-designated repository is not appropriate, provide a justification for an exception to the data sharing
   3. A written data use limitation statement for any data that should be excluded from sharing based on standard limitations
   4. Assessment of potential harm or risks to the rights and welfare of individual participants, their families, and groups or populations (if applicable), as well as any safeguards to mitigate risks (e.g., Certificate of Confidentiality)
   5. Plan for de-identified datasets per IRB and HIPAA regulations (i.e., all 18 HIPAA identifiers removed, assign a random, unique code which remains at the institution) and
   6. Process for obtaining informed consent for future research use and broad sharing of genomic and phenotypic data generated from the participant’s specimen or cell line. The consent describes whether the data will be submitted via unrestricted- or controlled-access repositories and includes the process for participants to withdraw their data from the repositories should they choose to do so (data that has been distributed for approved research cannot be retrieved). If a participant does not consent to the broad sharing of data, the data may not be shared
   7. Consent guidance and sample language are included in the UK consent templates from the NIH Human Genome Research Institute

Existing Studies:

Submit an IRB modification request to contribute data to dbGaP or a specified NIH-designated repository addressing items (a-f) above.

For archived specimens, include information on the informed consent process and/or ALL versions of the consent form(s) signed by research participants. 

The IRB will determine if the data sharing plan is acceptable relative to the informed consent for future prospective collections, post-2015 collections, and/or pre-2015 collections:

Future prospective enrollment: 

• NIH expects researchers who intend to use research or clinical specimens collected or cell lines created after 1/25/15 to generate human genomic data to obtain participants’ consent for their data to be shared broadly for future research.
• If participant recruitment is continuing and the existing consent form does not address genomic data sharing, it should be revised as outlined in item (g) above and submitted with the modification for IRB review.

POST 1/25/15 EXISTING COLLECTIONS:

• NIH-designated data repositories will not accept human genomic data derived from specimens or cell lines collected or created after the 1/25/15 effective date of the GDS Policy unless informed consent has been provided for future research use and broad sharing.
• The IRB will need to review ALL versions of the consent form(s) signed by research participants to determine whether the informed consent process adequately addressed genomic data sharing.
• For post 1/25/15 collections that lack consent or the consent process/form(s) are not consistent with the proposed sharing plan, the IRB may take one or more of the following actions:
  • Require PI to seek permission to share data by consenting or re-consenting research participants;
  • Require data from specimens collected without adequate consent to be excluded from submission; and/or
  • Determine that the request is not consistent with the NIH GDS Policy, applicable laws (national, tribal, or state), federal regulations, or institutional policies.

PRE 1/25/15 EXISTING COLLECTIONS:

• For data from specimens collected before the 1/25/15 effective date of the GDS Policy, NIH-designated data repositories may accept the submission and subsequent sharing of data if the IRB finds that submission of the data is appropriate and meets the criteria specified within the GDS Policy.
• If consent was obtained for archived collections, the IRB will need to review ALL versions of the consent form(s) signed by research participants to determine whether submission of the data is appropriate.
• For pre 1/25/15 collections that lack consent or the consent process/form(s) are not consistent with the proposed sharing plan, the IRB may take one or more of the following actions:  
  • Require PI to seek permission to share data by consenting or re-consenting research participants;
  • Apply standard informed consent waiver criteria where consent or re-consent is not practicable (e.g., pre-2015 archived leftover clinical or research specimens with no direct or indirect identifiers to allow 
    donor to be contacted);
  • Require data to be excluded from submission for specimens collected without consent or with a consent process/form(s) that prohibited sharing; and/or
  • Determine that the request is not consistent with the NIH GDS Policy, applicable laws (national, tribal, or state), federal regulations, or institutional policies.

Closed Studies: 

Since a modification request is not possible for studies that are closed with the IRB, submit the request to contribute data to dbGaP or a specified NIH-designated repository to ORI with “Genomic Data Submission for Closed Study” in the subject line. 

Address items (a-f) in the “initial submission of new studies” section above. For archived specimens, include information on the informed consent process and/or ALL versions of the consent form(s) signed by research participants. 

The IRB will determine if the data sharing plan is acceptable relative to the informed consent for post- and/or pre-2015 collections:

POST 1/25/15 EXISTING COLLECTIONS:

• NIH-designated data repositories will not accept human genomic data derived from specimens or cell lines collected or created after the 1/25/15 effective date of the GDS Policy unless informed consent has been provided for future research use and broad sharing.
• The IRB will need to review ALL versions of the consent form(s) signed by research participants to determine whether the informed consent process adequately addressed genomic data sharing.
• For post 1/25/15 collections that lack consent or the consent process/form(s) are not consistent with the proposed sharing plan, the IRB may take one or more of the following actions:
  • Require PI to seek permission to share data by consenting or re-consenting research participants;
  • Require data from specimens collected without adequate consent to be excluded from submission; and/or
  • Determine that the request is not consistent with the NIH GDS Policy, applicable laws (national, tribal, or state), federal regulations, or institutional policies.

PRE 1/25/15 EXISTING COLLECTIONS:

• For data from specimens collected before the 1/25/15 effective date of the GDS Policy, NIH-designated data repositories may accept the submission and subsequent sharing of data if the IRB finds that submission of the data is appropriate and meets the criteria specified within the GDS Policy.
• If consent was obtained for archived collections, the IRB will need to review ALL versions of the consent form(s) signed by research participants to determine whether submission of the data is appropriate.
• For pre 1/25/15 collections that lack consent or the consent process/form(s) are not consistent with the proposed sharing plan, the IRB may take one or more of the following actions:
  • Require PI to seek permission to share data by consenting or re-consenting research participants;
  • Apply standard informed consent waiver criteria where consent or re-consent is not practicable (e.g., pre-2015 archived leftover clinical or research specimens with no direct or indirect identifiers to allow 
    donor to be contacted);
  • Require data to be excluded from submission for specimens collected without consent or with a consent process/form(s) that prohibited sharing; and/or
  • Determine that the request is not consistent with the NIH GDS Policy, applicable laws (national, tribal, or state), federal regulations, or institutional policies.

The UK IRB reviews protocols and consent materials subject to the GDS policy to determine whether it is appropriate for data to be shared and whether data submission is consistent with informed consent provided by the participant at the time of collection. 

In general, the IRB:  

• Verifies the protocol for the collection of genomic and phenotypic data is consistent with Department of Health and Human Services (DHHS) regulations on protection of human subjects (i.e., study had IRB review)
• Determines if data submission described in the investigator’s data sharing plan is consistent with informed consent of study participants from whom data was or will be obtained
• The consent should inform participants about large-scale genomic data sharing and explain whether the data will be shared via unrestricted- or controlled-access databases, or both (template language provided in the UK consent templates)
• In cases where consent is lacking or is not consistent with the data sharing plan, take one or more of the actions as previously described in Investigator Responsibilities for future prospective enrollment; post 1/25/15 existing collections and/or pre 1/25/15 existing collections
• Considers the need for data use limitations necessary to minimize the potential for harm to individuals and their families, groups, or populations from disclosure of secondary research results and
• Ensures the investigator’s plan for de-identifying datasets is consistent with the standards outlined in IRB and HIPAA regulations.

Case examples and options are provided in the NIH Guidance, “Points to Consider for Institutions and IRBs in Submission and Secondary Use of Human Genomic Data under the NIH GDS Policy."

The Executive Director of the Office of Sponsored Projects Administration (OSPA) serves as the Institutional Signing Official.

The Institutional Certification provides verification that: 

• The data submission is consistent with all applicable laws (national, tribal, or state), regulations, and institutional policies;
• The IRB has conducted protocol review as outlined above: and
• The appropriate research uses of the data, as well as any secondary research uses that are specifically excluded by the IRB or based on the informed consent documents, are delineated in a Data Use Limitation statement. 

NOTE: For NIH-funded multi-site studies, certification must be provided for all collaborating sites submitting genomic data. In some cases, the lead site may submit one institutional certification on behalf of all collaborating sites. Alternatively, each site providing data may provide its own institutional certification.

The NIH limits access to qualified investigators (e.g., permanent employee at a level equal to tenure-track professor or senior scientist). Detailed resources are available on the GDS webpage to discover what data is available. 

• How to access the data: see credential requirements and submit a Data Access Request (DAR), which includes a Research Use Statement and a formal Information Security Plan in order to download or use controlled-access data.
• What you must do to protect the data you download:
  
  NIH Security Best Practices for Users of Controlled-Access Data” require that data managed on institutional IT systems and third-party computing infrastructures that meet certain standards in accordance with NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
  
  Effective on January 25, 2025, adherence to this standard will be included in new or renewed Data Use Certifications or similar agreements stipulating terms of access to controlled-access human genomic data, regardless of whether the Approved User is supported by NIH or not.
  
  This new ruling currently applies to 20 controlled-access data repositories associated with the following access systems: dbGaP, NDA, NDA & Synapse, NIAGADS, AMP PD, PDBP DMR, PEGS, NRGR, and FaceBase. If your research involves data from one or more of these repositories, you are impacted by these new policies and must follow the provided instructions.
  
  View the list of repositories
  
  Fill out the Controlled-Access Data Repositories Assessment REDCap survey. A consultant will contact you to discuss a remediation plan and documentation that you must maintain for NIH review. In addition, you will be provided with technical assistance to migrate your data to a compliant facility as needed.
   
• PIs approved to access data agree to a Data Use Certification (DUC) Agreement, cosigned by their Institutional Signing Official, agree to abide by the terms of the DUC and  Genomic Data User Code of Conduct
• Approved users of controlled-access data are encouraged to consider obtaining a Certificate of Confidentiality as an additional safeguard
• PIs wishing to expand the scope of a project or access additional datasets after approval must submit a revised Research Use Statement for approval
• Conducting research not described in the DAR is a violation of the Data Use Agreement and may result in penalties or termination of data access (see violation data)
• Once approved, investigators will be able to access the data for one year. Prior to the expiration of the one-year access period, investigators must submit a project renewal or close-out report, describing the progress made on the approved research project. Failure to submit a renewal or to complete the close-out process, including confirmation of data destruction by the Institutional Signing Official, may result in suspension of the PI and all associated personnel and collaborators from submitting new access requests for a period of time.

IRB approval is rarely required for genomic data access. However, some datasets require IRB approval for use (see the dbGaP study page). For instance, approved users who have access to personal identifying information for participants from their own institution may be required to have IRB approval.