Skip to Main Content
The HSHSL is a part of the University of Maryland, Baltimore | My UMB The Elm UM Shuttle Blackboard
Library Logo

601 West Lombard Street
Baltimore MD 21201-1512

Reference: 410-706-7996
Circulation: 410-706-7928

NIH 2023 Data Management and Sharing Policy: Sharing Human Participant Data

Protecting the Privacy, Rights, and Confidentiality of Human Research Participants

NIH prioritizes the responsible management and sharing of scientific data derived from human participants. DMS plans involving human participant data should include measures to protect the privacy, rights, and confidentiality of human research participants. 

The NIH guide notice Supplemental Information to the NIH Policy for Data Management and Sharing: Protecting Privacy When Sharing Human Research Participant Data offers guidance on protecting potentially sensitive human participant data that is applicable across a broad range of research contexts. This notice is not intended as a guide for regulatory compliance, but rather as a basic framework for considering how to protect human participants when preserving and sharing the scientific data derived from them. In it, the NIH outlines the following elements involved in protecting participant privacy when preserving and sharing scientific data:

  • Operational principles
  • Best practices 
  • Points to consider when choosing whether to control access to data

Be sure to refer to the guide notice for a detailed discussion of these elements; however, in summary they are as follows:

Operational Principles for Protecting Participant Privacy When Sharing Scientific Data

  1. Proactive assessment of protections. Researchers and institutions should proactively assess the protections needed for sharing scientific data from participants.
  2. Clear communication of data sharing and use in consent forms. Researchers and institutions should develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed (see Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing).
  3. Consideration of justifiable limitations to sharing data. The DMS Policy outlines factors that might limit sharing, including when sharing would compromise the privacy or safety of participants and when limitations are explicitly described in informed consent documents.
  4. Institutional review of the conditions for data sharing. Institutions should review the conditions for sharing data, including that proposed limitations on the future use of data are appropriate and that risks have been considered, and communicate this information to repositories and/or users.
  5. Protections for all data used in research. Scientific data used in research warrant privacy considerations regardless of whether the data are collected from non-research settings or settings that may be subject to different privacy standards than traditionally applied to research data, such as from social media and public health surveillance.
  6. Remaining vigilant regarding data misuse. Researchers and institutions should remain vigilant regarding potential misuse and work in concert with NIH to prevent unauthorized use of scientific data from NIH-supported repositories.

Best Practices for Protecting Participant Privacy When Sharing Scientific Data

  1. Apply Appropriate De-identification. NIH recommends scientific data be de-identified to the greatest extent that maintains sufficient scientific utility.
  2. Establish Scientific Data Sharing and Use Agreements. NIH recommends the use of scientific data sharing and/or use agreements, preferably standardized, when sharing data through repositories as proposed in Data Management and Sharing Plans.
  3. Understand and Communicate Legal Protections Against Disclosure and Misuse. A variety of federal, Tribal, state, and local laws impose obligations on the disclosure and use of scientific data from research (including HIPAA and the Common Rule, mentioned above, as well as state laws that may prohibit disclosure of certain types of information). Researchers and their institutions should understand the applicability of relevant laws, regulations, and policies on their research.

Points to Consider for Choosing Whether to Designate Scientific Data for Controlled Access

Researchers should consider sharing participants’ scientific data through controlled-access repositories if data:

  1. Have explicit limitations on subsequent use, such as those imposed by laws, regulations, policies, informed consent, and agreements.
  2.  Could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes.
  3. Cannot be de-identified to established standards or for which the possibility of re-identification cannot sufficiently be reduced.
  4. Due to previously unanticipated approaches or technologies that become known, pose risks to participant privacy if released without controls on access.

In certain cases, it may be appropriate to share scientific data without access controls. Factors to consider when choosing whether to share data openly include the following:

  1. Participants explicitly consent to share scientific data openly without restrictions. 
  2. Scientific data are de-identified and institutional review has determined that they pose very low risk when shared and used, including any risks posed by the presence of information that can allow inferences to be made about a participant’s identity when combined with other information.