On 29 October 2020, the National Institutes of Health (NIH) issued its final NIH Policy for Data Management and Sharing (the DMS Policy),[1] which updates and replaces the 2003 NIH Data Sharing Policy.[2] Although the DMS Policy has been in development for some time, NIH acknowledges that as the policy “is released, the world is in the midst of the COVID-19 pandemic [and t]he recognition that more open sharing can lead to faster advances and treatments has led to an unprecedented worldwide effort to openly share publications and data related to both SARS-CoV-2 (the novel coronavirus that causes COVID-19) and coronaviruses more generally.”[3]
The DMS Policy sets forth a number of standards for good data management practices and data sharing expectations applicable to research funded by NIH. Most notably:
- Researchers applying for NIH funding must create and submit to the NIH a Data Management and Sharing Plan (a “Plan”) outlining how scientific data and any accompanying metadata used in research will be managed and shared, taking into account any potential restrictions or limitations. A Plan should include a brief summary of:
  - The type of data managed, preserved, and shared;
  - Related tools, software, and/or code used;
  - Standards applied to the data;
  - Methods of data preservation, access, and associated timelines;
  - Approach for access, distribution, and reuse considerations; and
  - Oversight of data management and sharing.
- Researchers should consider how to maximize appropriate sharing of data, while acknowledging existing legal, ethical, or technical factors that may call for justified limitations or exceptions.
  - In particular, NIH highlights the importance of informed consent and emphasizes that researchers should clearly communicate with prospective subjects how their scientific data are expected to be used and shared.
Issued roughly a year after initially proposed, the final DMS Policy incorporates a number of key changes stemming from stakeholder feedback, including:
- Clarifying that scientific data does not necessarily need to be published or digitized to be subject to the requirements of an established Plan;
- Explaining that the Plans are not intended to be lengthy or technical in nature, and should generally be no longer than two (2) pages;
- Noting that personnel costs required to perform certain data management and sharing activities may be allowable; and
- Providing a framework for researchers to consider when selecting a suitable data repository for data management and sharing.
While it does not impose any substantive data security requirements or introduce new requirements for human subject research, the DMS Policy will require academic medical centers (AMCs), universities, and other entities conducting NIH-funded research to proactively plan and commit at the time of grant application to their approach for managing, protecting, retaining, and sharing data resulting from their NIH-supported studies.
A full analysis of the DMS Policy including implications for AMCs and other award grantees is set forth below.
Key Components of the DMS Policy
In the DMS Policy, NIH states that requirements and protocols for data sharing must remain flexible to evolve along with scientific and technological advances in the research community. In an effort to keep pace with such advancements, the DMS Policy requires researchers applying for NIH funding to submit a Data Management and Sharing Plan (Plan) to the NIH Institute, Center, or Office (ICO) as part of the Budget Justification section of the application for extramural awards. The Plan must describe the research study’s plan for data management, preservation, and sharing of scientific data and accompanying metadata. The NIH ICO will assess Plans for projects in consideration for extramural awards, contracts, intramural research projects, and other funding agreements, with opportunity for peer review solely on budget requests for data management and sharing costs. The awardee must comply with the Plan once approved. The DMS Policy also notes that any NIH ICO-approved Plans from NIH-funded or conducted research may be made publicly available.
The DMS Policy further expects researchers to maximize appropriate sharing of data, while acknowledging certain legal, ethical, or technical factors that may call for justified limitations or exceptions. NIH acknowledges that responsible management and sharing of scientific data derived from human participants is also subject to various federal, state, and local laws and guidance, including, for example, the Common Rule. Researchers are expected to include an outline in their Plans for how privacy, rights, and confidentiality of human research participants will be protected, including an explanation of how data management and sharing will be addressed in the informed consent process. NIH also suggests that researchers consider whether de-identified data that is not otherwise subject to limitations on future use should be further controlled in the Plan, citing widely acknowledged concerns regarding re-identification of otherwise de-identified data that may be associated with technological advances and increasing interoperability among data resources. Lastly, NIH also strongly encourages the use of established, NIH-recognized data repositories for the preservation and sharing of data.
NIH originally requested comments on the proposed policy in November 2019[4] and explained in the final DMS Policy that it has considered stakeholder feedback, including as follows:
- Clarification of Expectations for Sharing Scientific Data. The NIH declined to create a uniform requirement for data sharing, noting instead that appropriate data sharing is likely to be varied and contextual. However, NIH emphasized the intent of the Plans is to create uniform submission requirements, which NIH hopes will lead researchers to begin integrating appropriate data sharing into routine research protocols.
- Definition of Scientific Data. The NIH has defined “scientific data” as “the recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens.” In response to stakeholder feedback, the NIH restated its belief that defining scientific data independent of publication is sufficient to cover unpublished, null, or negative findings. The NIH did, however, heed commenter calls regarding the requirement for digitized data by removing this qualifier from the definition and recognizing that digitization of data may be a technical, limiting factor for sharing data.
- NIH ICO Consistency of Data Sharing Expectations. The NIH noted stakeholder concerns surrounding insufficient direction and varying expectations of the NIH ICO in the Plan assessment process. The NIH acknowledged these valid concerns and stated an intention to provide additional guidance intended to promote consistency. Further, the NIH clarified that the DMS Policy is intended to establish the base requirements for Plans; however, NIH ICOs may require additional specificity based on certain scientific, policy, or programmatic goals. Accordingly, NIH has asked for comments on how to organize and communicate NIH ICO expectations and submission guidelines for applicants.
- Data Derived from Human Participants. In addition to stakeholder feedback, the NIH also sought comments from the Secretary’s Advisory Committee on Human Research Protections (SACHRP),[5] and SACHRP provided a set of recommendations for applying the DMS Policy to research with human participants. The NIH clearly states that the DMS Policy does not introduce new requirements for human subject research and otherwise incorporates certain of SACHRP’s proposals. In particular, the DMS Policy: (1) encourages researchers to carefully consider clear, user-friendly informed consent processes; (2) notes that any limitations on subsequent use of data should be communicated to the individuals preserving and sharing the data; and (3) emphasizes the importance of considering where and how to make data available, as access to human subject data should be controlled even if de-identified. Further, the DMS Policy notes that researchers should require access controls to manage any explicit limitations on subsequent use of data, again, even if the data are de-identified.
- Expectations for When, Where, and How Long to Share Data. In response to stakeholder feedback questioning the ambiguity in the draft policy, the NIH clarified that data should be made accessible as soon as possible, and no later than the time of publication or the end of the award/support period, whichever comes first. Further, the NIH refers the extramural community to existing data retention policies and strongly encourages use of established repositories as a best practice for the management, preservation, and sharing of data.
- Elements of an NIH Data Management and Sharing Plan. The NIH responded to a number of technical requirements of the Plans, including that Plans should be generally short: two (2) pages or less. The NIH also clarified that while adherence to the NIH ICO-approved Plan is required, researchers would have the opportunity to update their Plan as needed throughout the course of their awards. Further, the DMS Policy does not require researchers to set forth technical provisions regarding data security, which the NIH believes may be more appropriately addressed by the institutions and repositories preserving and sharing the scientific data, clarifying that the DMS Policy is not intended to set any additional standards for institutional data security practices.
In addition to the DMS Policy, NIH released three supplemental documents, including:
- Elements of an NIH Data Management and Sharing Plan, which outlines specifics of the Plans such as data types, standards, and access and distribution considerations;[6]
- Allowable Costs for Data Management and Sharing, which outlines certain allowable costs for submitted budget requests relating to these obligations;[7] and
- Selecting a Repository for Data Resulting from NIH-Supported Research, which outlines NIH’s practical recommendations for selecting a data repository.[8]
Timing and Enforcement
The DMS Policy is effective 25 January 2023. In this regard, it will apply to grant applications and proposals for contracts submitted after this date, as well as other NIH funding agreements executed after this date. The timing of the DMS Policy’s release in late October comes on the heels of the Food and Drug Administration (FDA) announcing new guidance in August 2020 regarding the requirements for submission of clinical trial registration and results information to the clinicaltrials.gov data bank, as well as requirements for certain data-related certifications to the FDA.
The announcement from the FDA, in turn, came shortly after the U.S. District Court for the Southern District of New York, in a decision from earlier this year, invalidated NIH commentary that had exempted certain clinical trials conducted between 2007 and 2017 from reporting requirements otherwise mandated by the Food and Drug Administration Amendments Act of 2007.[9] In particular, the recent FDA guidance clarifies that FDA may assess civil monetary penalties for (1) failure to submit required clinical trial registration and/or results information to the clinicaltrials.gov data bank, (2) submitting false or misleading information to the clinicaltrials.gov data bank, (3) failing to submit the required certification to the FDA, or (4) knowingly submitting a false certification to the FDA. For more information on this guidance from FDA, please listen to our Triage podcast on the topic.
As noted in the DMS Policy, any Plan approved by the NIH ICO will become an enforceable term and condition of the applicable funding award, and as such, failure to comply with the Plan may result in the NIH placing additional terms and conditions on the award or terminating the award entirely. Further, non-compliance with any approved Plan may be considered in connection with future funding decisions. The emphasis on data management and data sharing information in both the recent FDA guidance and the DMS Policy suggests an enhanced focus on transparency and evidence-based methods in the research and clinical trial context, particularly during the current global pandemic, which may potentially lead to greater federal scrutiny and exposure to penalties for institutions that do not comply with federal requirements.
Implications for AMCs and Other NIH Grantees
Universities, AMCs, and other institutions applying for NIH research funds should begin building processes and lead time into the grants application process to allow for the preparation of Plans and begin thinking about incorporating the data management and sharing principles that will be expected by reviewing NIH ICOs. In the run-up to the January 2023 effective date of the DMS Policy, affected stakeholders specifically should consider the following key areas:
- What standards will be applied to identify “scientific data” and associated metadata for which a Plan will apply.
- Methods for data preservation and access (e.g., whether persistent unique identifiers or other indexing tools will be used, how data will be made available for sharing, etc.). Relatedly, institutions will want to think through internal processes for providing guidance to researchers and reviewing Plans such that data preservation and access parameters are consistent with broader institutional policies and goals.
- How researchers will approach informed consent, privacy, and confidentiality protections (e.g., de-identification, Certificates of Confidentiality, etc.). NIH identifies the informed consent process as one of the key concepts that will need to be addressed within a Plan. Thus, researchers will need to be working through these issues and developing an informed consent framework early in the research preparation process so that the framework can be accurately set forth in a Plan at the time of application for funding.
- Whether and how access to human subjects data will be granted, and access to that data controlled even if de-identified.
- How compliance with Plans will be monitored. For example, institutional involvement in Plan development and review can help to ensure consistency in a data management and sharing approach and avoid NIH funding becoming tied to unrealistic or unexpected data sharing obligations.
- Based on the data sharing approach across an institution or for particular research goals, whether specialized tools are needed to share data as outlined in a Plan.
K&L Gates’ health care and FDA practice regularly advises universities and academic medical centers on research compliance and related regulatory matters and is able to assist in this regard.