NIH NOT-OD-22-213
Protection Privacy when Sharing Human Research Data
This is a summary of the notice, please click above for the full text.
Operational Principles
- Proactive Assessment of Privacy and Protections - Consider during DMS Plan development, consult with CTSI, and the Research Office
- Clear communication in consent forms - Consider CoC, Waivers, Consent Form Text, NHSR data source considerations
- Consideration of justifiable limitations on sharing data - Will an agreement be needed, consult with OSP?
- Institutional review of the conditions for sharing data – Including future use of data (IRB, WVCTSI, OHRP, RO)
- Protections for all data used in research – Data not collected from research settings or settings subject to different privacy standards (social media, public health surveillance) - Should be considered as human data when determining requirements for protecting data for sharing results.
Best Practices
- Apply Appropriate De-identification - De-identify to the greatest extent that maintains scientific utility unless explicit consent is obtained, .i.e. broad consent, data should be shared only in a de-identified format. Consult with WV CTSI.
- Rely on standards for identifiability outlined in the Common Rule, HIPAA Privacy Rule – Expert Determination, Safe Harbor. Consult with WV CTSI
- Be aware of privacy risks associated with sharing information that is not considered identifiable. In certain cases, some information may be present in data even de-identified to standards. Consult with WV CTSI
- Document the method used to de-identify the scientific data for communication to downstream users.
- In some cases, scientific utility may be lost if shared data are de-identified. It may consequently be justifiable in certain cases to share scientific data under the DMS Policy that meet a legal or regulatory standard for identifiability. It is generally acceptable to share identifiable data when participants provide their explicit consent to do so (in addition to meeting other applicable legal or regulatory requirements for sharing identifiable data).
Establish Scientific Data Sharing and Use Agreements
NIH recommends the use of scientific data sharing and/or use agreements, preferably standardized, when sharing data through repositories as proposed in Data Management and Sharing Plans. Agreements for sharing data through repositories are recommended, as they establish the conditions that enable consistent, clear, and appropriate sharing with downstream users. Agreements are also important for users of controlled-access data to promote common understanding of responsibilities and expectations in use of participant data. Agreements should be considered even if scientific data are de-identified.
Key elements that promote the privacy of participants in such agreements include:
- Institutional Oversight
- Responsibilities
- Restrictions
Understand and Communicate Legal Protections Against Disclosure and Misuse
Federal, Tribal, state, and local laws impose obligations on the disclosure and use of scientific data from research (including HIPAA and the Common Rule. In addition there may be state laws that may prohibit disclosure of certain types of information.
- NIH Certificates of Confidentiality - Recipients of data, including repositories, should be informed when scientific data are covered by a Certificate, and should be reminded that such data and all copies are covered by Certificates in perpetuity. Certificates of Confidentiality protect the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations, such as when there is consent to do so.
Considerations for choosing Controlled Access
The DMS Policy expects researchers to consider whether access to scientific data from participants should be controlled (i.e., measures such as requiring data requesters to verify their identity and the appropriateness of their proposed research use to access protected data), even if de-identified and lacking explicit limitations on subsequent use.
Controls may be needed for data at any level of processing (e.g., raw or fully cleaned data), from any source (e.g., research, clinical, or public health data), and for all types of research data (e.g., quantitative, qualitative, imaging, sensor-based).
Consult with WV CTSI and the Research Office
Consider sharing through controlled access if data:- Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and agreements.
- Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes. Sensitive data may also include data from individuals, groups, or populations with unique attributes that increase the risk of re-identification. Even if data are sensitive, it may be possible to de-identify the data in ways that would allow appropriate sharing. When possible, researchers are encouraged to engage with communities affected by sharing sensitive data to discuss approaches for appropriate use and risk mitigation.
- Cannot be de-identified to established standards or for which the possibility of re-identification cannot sufficiently be reduced. For example, datasets de-identified to regulatory standards that nonetheless pose risks due to information that can still allow inferences to be made about participants (discussed above in the Best Practice on De-identification) may not be able to be shared openly. Access controls, among other measures, may be appropriate to further mitigate the risk of re-identification.[20]
- Due to previously unanticipated approaches or technologies that become known, pose risks to participant privacy if released without controls on access. When such risks are identified prior to sharing the scientific data and not outlined in original Data Management and Sharing Plans, any changes to Data Management and Sharing Plans should be communicated to NIH consistent with the DMS Policy.
In certain cases, it may be appropriate to share scientific data without access controls. Factors to consider when choosing whether to share data openly include the following:
- Participants explicitly consent to share scientific data openly without restrictions.
- Scientific data are de-identified and institutional review has determined that they pose very low risk when shared and used, including any risks posed by the presence of information that can allow inferences to be made about a participant’s identity when combined with other information.