Comment on Protecting Privacy When Sharing Research Participant Data

NIH requests input on draft supplemental information to the NIH Policy for Data Management and Sharing (DMS Policy). The draft is intended to help stakeholders achieve effective data stewardship and protection of human research participant privacy by establishing 1) Operational Principles, 2) Best Practices, and 3) Points To Consider for Designating Scientific Data for Controlled Access.

We provide brief details here; for complete information, read the May 12, 2022 Guide notice, Request for Public Comments on DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Protecting Privacy When Sharing Human Research Participant Data.

Operational Principles for Protecting Participant Privacy When Sharing Scientific Data

In developing their DMS Plan and throughout their research project, researchers must uphold several principles, such as:

• Protecting the privacy and confidentiality of every participant as described in informed consent and in line with all applicable laws, policies, and regulations; institutional review of the conditions for data sharing, including that proposed limitations on the future use of data are appropriate and that risks have been considered. Limitations should be conveyed with the data when they are transferred, such as when sharing through repositories to secondary users.
• Collecting data from non-traditional research settings, such as mobile health devices, social media, consumer reports, and public health surveillance also warrant strict privacy considerations.

Best Practices for Protecting Participant Privacy When Sharing Scientific Data

The following best practices, when implemented together, along with Points To Consider for Designating Scientific Data for Controlled-Access (below), provide a robust privacy framework.

• Ensure Appropriate De-Identification: NIH recommends scientific data to be de-identified to the greatest extent possible in a manner that maintains sufficient scientific utility. Strategies include employing advanced statistical or computational methods to de-identify data and maintain privacy whenever feasible and appropriate.
• Establish Scientific Data Sharing and Use Agreements: NIH recommends using scientific data sharing and/or use agreements, preferably standardized, when sharing data from participants with and from repositories. These agreements should be considered even if scientific data are de-identified and should be negotiated among researchers, institutions, and repositories. Key elements include oversight, responsibilities, and restrictions.

Points To Consider for Designating Scientific Data for Controlled Access

The DMS Policy expects researchers to consider whether access to scientific data from participants should be controlled (i.e., measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data), even if de-identified and lacking explicit limitations on subsequent use.

In cases where participants explicitly consent to share scientific data without restrictions, it may be appropriate to share data without access controls. Investigators should consider sharing participants’ scientific data through controlled access repositories if data:

1. Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and/or agreements.
2. Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification.
3. Cannot be de-identified to established standards or cannot sufficiently reduce the possibility of re-identification. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.
4. Due to previously unanticipated approaches or technologies, pose risks to participant privacy if released without controls on access. When such risks are realized prior to sharing the scientific data and not outlined in original Data Management and Sharing Plans, necessary changes to Data Management and Sharing Plans should be immediately communicated to NIH.

Requested Information

Provide comments on any of the Draft topics above. If you are commenting on a particular element or section (e.g., the Operational Principles), identify the element or section on which you are commenting.

Submit comments at Request for Public Comments on DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Protecting Privacy When Sharing Human Research Participant Data by June 27, 2022.