Approved July 21, 2022 Background On October 29, 2020, the National Institutes of Health (NIH) issued the Final NIH Policy for Data Management and Sharing. This policy, which will become effective January 25, 2023, is summarized by the NIH as follows: This policy establishes the requirements of submission of Data Management and Sharing Plans and compliance with NIH Institute, Center, or Office (ICO)-approved Plans. It also emphasizes the importance of good data management practices and establishes the expectation for maximizing the appropriate sharing of scientific data generated from NIH-funded or conducted research, with justified limitations or exceptions. This Policy applies to research funded or conducted by NIH that results in the generation of scientific data. A DRAFT Supplemental Information to the NIH Policy for Data Management and Sharing: Protecting Privacy When Sharing Human Research Participant Data was issued on May 12, 2022. The NIH has indicated that this document is not regulatory guidance. Rather, the intention of NIH was to create a document consisting of a set of principles, best practices, and points to consider for researchers who wish to share data subject to the NIH Policy for Data Management and Sharing. Discussion SACHRP agrees that protecting the privacy of research participants is a paramount concern when sharing data within the research community, and that researchers would benefit from additional insights on adherence to the NIH policy. In this document, SACHRP offers its commentary and recommendations for NIH’s consideration. General Observations SACHRP observes that there is inconsistency within the document as to how items are classified as principles, best practices, or points to consider or just statements. There is also confusion in the document between what is considered “required” or an “obligation” versus “best practice” or a “think about.” Throughout the document there are references to actions at the institutional level – assessments, reviews, making determinations – that are ambiguous or vague regarding which components within an institution would take these actions. SACHRP would like to emphasize that institutions perform various regulatory, compliance, or administrative functions through different institutional components (e.g., departmental units that monitor and audit ongoing research, services to assist researchers with preparing regulatory submissions, or institutional approval requirements for research). Within the document NIH should be clear that institutions have a responsibility to identify and charge the appropriate institutional component or components that will perform the required activities. The draft supplement includes certain statements that are concerning such as the one describing Certificates of Confidentiality. They are not a principle or a best practice. In addition, the document describes an institutional certification—an action that should be only raised as a requirement not as an aspirational goal. As a result, when taken together the document becomes confusing and does not provide clear direction. The document makes numerous references to the use of standardized templates for data sharing agreements. SACHRP recommends that the NIH develop template agreements for multiple data sharing scenarios that include the requirements of the policy and incorporates the principles, best practices, and points to consider that the NIH has identified in this supplemental document. Finally, SACHRP notes that the Common Rule has a definition of “identifiable private information” and a requirement that OHRP reexamine the definition on a 4-year cycle (§46.102(e)(7)). Given that changes to the Common Rule definition of identifiable private information may influence the NIH Policy for Data Management and Sharing and this supplemental document, SACHRP recommends that OHRP initiate the review process. Operational Principles SACHRP generally agrees with the seven operational principles in the document. However, SACHRP makes the following observations. Principle 2: Researchers and institutions should proactively assess appropriate protections for sharing scientific data from participants, including determining whether sharing should be restricted through controlled access, regardless of whether the data meet technical and/or legal definitions of “de-identified” and can legally be shared without additional protections (e.g., the research does not meet the definition of “human subjects research” under the Common Rule). The second operational principle appears to be a best practice, as it describes actions to be taken by researchers and the institution. However, even as a best practice it is not clear on what basis the protections would be deemed appropriate Principle 3: Investigators and institutions should develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed (see Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing). Importantly, when a study offers the possibility of a direct benefit for research participants, the DMS Policy does not require sharing of data in order to participate. The third principle states “when a study offers the possibility of a direct benefit for research participants, the DMS Policy does not require sharing of data in order to participate.” NIH should clarify that the DMS Policy also does not prohibit required sharing of de-identified data in order to participate and that there may be valuable reasons and other policies and/or regulatory requirements for data to be shared. Principle 4: Institutional review of the conditions for data sharing, including that proposed limitations on the future use of data are appropriate and that risks have been considered. Limitations should be conveyed with the data when they are transferred, such as when sharing through repositories to secondary users. The fourth principle requires “institutional review” however it is not clear which institutional component conducts this review. Changing “institutional review” to “review by appropriate institutional components” would provide more clarity. In addition, NIH may want to provide model language for the secondary use limitations in this principle. Principle 5: Collection of data from non-traditional research settings, such as mobile health devices, social media, consumer reports, and public health surveillance also warrant strict privacy considerations. The fifth principle’s wording is vague and does not provide clear direction. SACHRP recommends that elements of the fifth principle move to the introduction of the document to provide context on the evolving nature of sources of data that may be identifiable and to promote appropriate privacy protections regardless of the source. SACHRP notes that the issue is the collection of data from any source and that some of the sources cited are not appropriately categorized as “non-traditional.” If NIH wishes to keep this principle, then the NIH should clarify who is responsible for assessing the “strict privacy considerations” and provide examples of such considerations. SACHRP also notes that previous recommendations by the Committee identified challenges researchers face when attempting to modify terms of service/end user agreements for social media, mobile health devices, and other personal consumer devices that may be the source of identifiable private data. In addition, SACHRP does not believe that public health surveillance data should be included in a category describing non-traditional sources of data collection. Principle 6: There may be justifiable exceptions to sharing scientific data, regardless of the sufficiency of access controls and de-identification techniques. In these rare instances, researchers should outline these justifications in their Data Management and Sharing Plans. SACHRP accepts the sixth principle’s point that there can be justifiable exceptions to sharing scientific data, regardless of the sufficiency of access controls and de-identification techniques. However, the document does not provide examples of justifiable exceptions and no meaningful way of assessing the merits of the proposed exception. Principle 7: Responsible data sharing practices require a commitment from the entirety of the biomedical and behavioral research enterprise. Researchers and institutions should remain vigilant regarding potential misuse and work in concert with NIH to prevent unauthorized use of scientific data from NIH-supported platforms and repositories. In addition, NIH is committed to enforcing the terms of its data use agreements. SACHRP recommends moving the seventh principle to the introductory section of the document. The statements in this principle are all affirmations and/or statements of fact. Best Practices SACHRP understands that the best practices are intended by NIH to be viewed as a bundled set of practices and not considered separate, standalone points. However, SACHRP makes the following comments on each of the practices. Best Practice: Ensure Appropriate De-identification The first best practice identifies the standards for identifiability from the Common Rule and HIPAA. OHRP’s required review of the definition of “identifiable private information” may impact this best practice. SACHRP also notes that there are significant differences among the two standards cited here, and it is not clear whether NIH expects the both to be followed regardless of applicability. Regarding the re-identification of individuals, it would be helpful to identify current best practices or link to relevant resources for the research community. NIH should also provide criteria for evaluating the adequacy of the methods employed by the data holders as standards for de-identification are evolving. SACHRP notes that if reidentification is possible any information regarding data sharing that is provided to research participants should include information about the possibility of re-identification. SACHRP recommends deleting the sentence “In those cases, data sharing may be subject to particular rules, and researchers should also consider whether other relevant protections should be employed.” from this best practice. Best Practice: Establish Scientific Data Sharing and Use Agreements The second best practice recommends the use of standardized data sharing agreements. As recommended earlier, NIH should develop a standardized scientific data sharing and data use agreements and be clear as to their position regarding the use of agreements. This best practice also indicates that agreements “should clearly include certification from an institutional official.” A certification is a significant responsibility and should not be included as an aspirational activity. SACHRP recommends that if the NIH will require certification that it be included in a template agreement and that an appropriate “institutional official” can be determined at the institutional level. Best Practice: Understand Legal Protections Against Disclosure and Misuse The third best practice refers only to Certificates of Confidentiality, which is not the only law with which researchers (and institutions) need to comply. In addition to other relevant federal laws (e.g., HIPAA), there are numerous state laws that may apply and impose different obligations on researchers. If the NIH intends for this part of the document to identify what an agreement should include, then SACHRP recommends that the best practice be revised to rename this section “Communicate the Confidentiality Protections Afforded by a Certificate of Confidentiality” or similar and reframe the other sentences to explain why that’s important. SACHRP agrees that it is important to communicate to secondary researchers when there is a Certificate that protects the data, which will be most of the time for NIH funded research because of the automatic issue policy the current section references AND secondary researchers may not know that. Points to Consider SACHRP recommends that NIH include examples of access control measures that would be acceptable to the NIH and clarify how compliance with any limitations/prohibitions will be monitored. In the fourth point SACHRP recommends adding the phrase “that become known” after “previously unanticipated approaches or technologies”. It is also not clear who is expected to communicate necessary changes to Data Management and Sharing Plans to the NIH or how the new information should be communicated. Conclusion SACHRP continues to support the goals of the NIH Policy for Data Management and Sharing and recognizes the importance of having appropriate protections to ensure the privacy of research participants. SACHRP therefore recommends that the NIH’s Draft Supplemental Information provide more explicit direction to researchers and institutions, use more consistent and clearly defined language, and provide models or template agreements that meet all NIH requirements and expectations.