NIH DMSP Guide – Element 5: Access, Distribution, or Reuse Considerations

This article provides a comprehensive, step-by-step guide to Element 5 of the National Institutes of Health (NIH) Data Management and Sharing (DMS) Policy: Access, Distribution, or Reuse Considerations.

Element 5: Access, Distribution, or Reuse Considerations – Content

Requirement 1  Examples  Fill-in-the-Blank Template  NIH Guidance  
Requirement 2  Examples  Fill-in-the-Blank Template   
Requirement 3  Examples  Fill-in-the-Blank Template   
Additional Resources

Element 5: Requirement 1

The NIH expects that in drafting plans, researchers will maximize the appropriate sharing of scientific data. Describe and justify any applicable factors or data use limitations affecting subsequent access, distribution, or reuse of scientific data related to informed consent; privacy and confidentiality protections; and any other considerations that may limit the extent of data sharing. 

Some data may require extra preparation before they can be shared. In this section, you should describe what legal, ethical, or technical issues will require limiting the sharing of your data. Examples may include existing legal limits such as data licenses or use agreements, issues of proprietary IP development, technical limits relating to the size or structure of the data, or ethical issues concerning human subjects’ privacy. 

Key issues in justification of limitations on sharing human subjects’ data specifically may be informed consent (e.g., disease-specific limitations, particular communities’ concerns) or privacy and confidentiality protections (i.e., de-identification, Certificates of Confidentiality, and other protective measures). Specific steps for the preparation of human subjects’ data can be addressed in the protections for privacy subquestion below.

Element 5: Requirement 1 Examples

Sample Plan Text

To address safety and security concerns related to capturing and distributing pictures or video of vertebrate research animals, access and distribution of behavioral video files generated in our lab during brain inactivation studies of non-human primates will be limited as described and justified in the IACUC protocol governing the project and in compliance with the "Image Recordings of Research Animals" Standard Operating Procedure at our institution. There are no other factors that will impact the access, distribution, and reuse of all other scientific data generated by this study.

Fill-in-the-Blank Template

There are no anticipated factors or limitations that will affect the access, distribution, or reuse of the scientific data generated by the proposal.

OR

Due to _______ [ethical, legal, technical considerations], access/distribution/reuse of the resulting scientific data will be limited and approved/monitored by ________ [describe the approach to limiting access/distribution/reuse].

Element 5: Requirement 1 NIH Guidance 

Any potential limitations on subsequent data use should be communicated to the individuals or entities (for example, data repository managers) that will preserve and share the scientific data. The NIH institutes, centers or offices (ICOs) will assess whether an applicant’s DMS Plan appropriately considers and describes these factors.

Expectations for Human Genomic Data Subject to the GDS Policy

How to access genomic data varies depending on which repository you select. Refer to the Accessing Genomic Data from NIH Repositories page on the NIH sharing site.

Informed Consent Expectations

Data Created or Collected After Implementation of GDS Policy

For research involving the generation of large-scale human genomic data from cell lines or clinical specimens that were created or collected AFTER the effective date of the GDS Policy (Jan. 25, 2015):

NIH expects that informed consent for future research use and broad data sharing will have been obtained. This expectation applies to de-identified cell lines or clinical specimens regardless of whether the data meet technical and/or legal definitions of de-identified (i.e. the research does not meet the definition of “human subjects research” under the Common Rule).

Data Created or Collected Before Implementation of GDS Policy

For research involving the generation of large-scale human genomic data from cell lines or clinical specimens that were created or collected BEFORE the effective date of the GDS Policy:

There may or may not have been consent for research use and broad data sharing. NIH will accept data derived from de-identified cell lines or clinical specimens lacking consent for research use that were created or collected before the effective date of this policy.

Expectations for Institutional Certifications and Data-Sharing Limitations 

1. DMS Plans complying with the GDS Policy should address limitations on sharing by anticipating sharing according to the criteria of the Institutional Certification.
2. In cases where it is anticipated that Institutional Certification criteria cannot be met (i.e., data cannot be shared as expected by the GDS Policy), investigators should state the Institutional Certification criteria in their DMS Plan. They should explain why the element cannot be met and indicate what data, if any, can be shared and how to enable sharing to the greatest extent possible (for example, sharing data in a summary format). In some instances, the funding NIH entity may need to determine whether to grant an exception to the data submission expectation under the GDS Policy.
3. Investigators conducting research subject to the GDS Policy should indicate in their DMS Plan if a study should be designated as “sensitive” for the purposes of access to Genomic Summary Results (GSR), as described in NOT-OD-19-023.

Element 5: Requirement 2

State whether access to the scientific data will be controlled (i.e., made available by a data repository only after approval).

If you are using a controlled-access repository, you must provide information about the restrictions and control mechanisms in place for access to the scientific data. Check the repository you intend to use to find out more about whether and how the repository supports controlled access.

Element 5: Requirement 2 Examples

Sample Plan Text

Data will be available by controlled access only. To access data arising from this project, users must complete the Vivli data request form and sign the Vivli Data Use Agreement (DUA), which limits subsequent use to the terms of the approved request and requires that users maintain data security and refrain from any attempts to re-identify research participants or engage in unauthorized uses of the data. To get access to the data, the user must submit a valid scientific question, include a statistical analysis plan, and complete all required fields on the Vivli data request form. Vivli will review the data request for completeness.

Fill-in-the-Blank Template

Given the sensitive nature of the dataset, data will be made available in ________ [name of data repository], which restricts access to the data to ______ [describe restriction, e.g. to qualified investigators with an appropriate research question and approved data use agreement]. Data can be accessed by _____ [describe data repository access methods and measures].  

Element 5: Requirement 3

If generating scientific data derived from humans, describe how the privacy, rights, and confidentiality of human research participants will be protected (e.g., through de-identification, Certificates of Confidentiality, and other protective measures).

Certain kinds of data, especially human subjects’ data, require extra preparation before they can be shared to ensure participant privacy. In this section, you will describe your approach to preparing human subjects’ data for sharing and note any additional restrictions or policies that will impact access to your data. If you are working with human subjects, you should also describe how you will address data management and sharing in your informed consent process. You will also need to describe your methods for ensuring privacy and confidentiality, including how you will de-identify your data. 

If you have decided that a controlled-access repository (where researchers must apply to access data) is a better fit for your data than an open repository, you should describe the repository's access procedures. Finally, if there are any other laws, policies, or existing agreements that impact your ability to share your data, you should describe them here.

Element 5: Requirement 3 Examples

Sample Plan Text

The images are fully de-identified by removing all HIPAA-protected direct and indirect identifiers. The original DICOM files are converted to compressed “.nii.gz” / ”.json” using dcm2niix (https://github.com/rordenlab/dcm2niix) with the anonymization option according to BIDS guidelines. The “.json” preserves the technical information from the image header. All the high-resolution T1-WI MPRAGE, the low-resolution T1-WIs, and FLAIR with full head coverage are defaced using FSL (https://surfer.nmr.mgh.harvard.edu/fswiki/mrideface). Another round of visual quality control was performed to secure complete anonymization of possible face recognition by 3D reconstruction. In consultation with the Johns Hopkins Data Services librarians (partners in this project), we removed sensitive information and possible remaining indirect identifiers, making the data compatible with HIPAA “Safe Harbor” regulations. Johns Hopkins IRB and JHM Data Trust committee reviewed and approved the de-identification and sharing plan. Because these data were originally assembled under a waiver of consent, Johns Hopkins policy requires restricted access for approved research. ICSPR will release the data as a restricted-use collection under a Data Use Agreement (DUA). Sharing is for research use, restricted to biomedical research in academic institutions, requiring that the source is cited in future publications. ICPSR’s researcher approval process is described at https://www.icpsr.umich.edu/web/pages/ICPSR/access/restricted/. Researchers from institutions without an ICPSR membership must pay an access fee for the data. This project will assess funding to cover access fees for requests as feasible. ICPSR employs industry-standard security and stringent access requirements. ICPSR will monitor data usage and citations that reference or reuse the collection.

Fill-in-the-Blank Template

In order to ensure participant consent for data sharing, Institutional Review Board paperwork and informed-consent documents will include language describing plans for data management and sharing of data, specifying the motivation for sharing, and explaining that personal identifying information will be removed.

To protect participant privacy and confidentiality, shared data will be de-identified using the ______ methods [describe de-identification methods, noting any other applicable laws or policies such as HIPAA].

Back to top of page

Additional Resources

• DMPTool
• HIPAA Guidance on De-Identification
• LibGuide from LaTrobe University on DeIdentification
• NLM-Scrubber
  NLM-Scrubber is a freely available clinical text de-identification tool designed and developed at the National Library of Medicine. The aim is to enable clinical scientists to access clinical health information that is not associated with the patient by following the Safe Harbor principles as outlined in the HIPAA Privacy Rule.
• Applications to Assist in De-Identification – Johns Hopkins
• Sample Data Usage Agreement

Related Articles

• NIH DMS Policy Overview: This article includes an overview of the NIH DMS Policy and links to all other Element articles.
• Sample NIH Data Management and Sharing Plans: Examples of completed DMS Plans. 

Sources

NIH Template Working Group*. (2023). DMPTool NIH-Default DMSP template, v9. In California Digital Library (Ed.), DMPTool [DMP authoring software]. Retrieved from https://dmptool.org/template_export/118304408.pdf

* More information on the NIH Template Working Group history and membership can be found at https://blog.dmptool.org/2022/08/18/supporting-the-upcoming-nih-data-sharing-requirements-with-the-dmptool/