- Introduction
- Purpose and Policy Context
- Draft NIH Controlled-Access Data Policy: What’s Being Proposed
- Human Data Types That Require Controlled Access
- Expectations for Controlled-Access Data Repositories
- Assessing the Need for Controls on Other Data
- Proposed Revisions to the Genomic Data Sharing Policy
- Updates to Data Sharing Timelines and Practices
- Imputation Servers and Emerging Practices
- Request for Public Comment
Introduction
The National Institutes of Health (NIH) has issued Notice NOT-OD-26-023, Request for Information on Draft NIH Controlled-Access Data Policy and Proposed Revisions to NIH Genomic Data Sharing Policy, requesting public input on two proposed policy updates aimed at strengthening protections for human participant research data while maintaining NIH’s longstanding commitment to responsible data sharing.
This request for information reflects NIH’s effort to harmonize data protection requirements, reduce duplicative policies, and respond to evolving privacy, security, and national security risks.
Purpose and Policy Context
NIH manages a broad and complex research data ecosystem. While open sharing remains a core priority, NIH is proposing updates to ensure sensitive human participant data are protected consistently throughout the data lifecycle. The goal is to clarify when controlled access is needed and provide uniform expectations across NIH programs, not to limit data sharing.
The proposed policies also respond to recent federal actions. These include Executive Order 14117, requirements in the Consolidated Appropriations Act of 2023, and recommendations from the Government Accountability Office on genomic data security.
Draft NIH Controlled-Access Data Policy: What’s Being Proposed
The Draft NIH Controlled-Access Data Policy would apply to all NIH-supported research that generates human data or data from human sources. This includes NIH intramural research and all funding mechanisms. Studies that involve only non-human data, or only collect and share cell lines or biospecimens, are excluded.
Data shared prior to the policy’s effective date would not be required to be retroactively placed under controlled access, though NIH encourages institutions to assess potential risks associated with previously shared data.
Human Data Types That Require Controlled Access
A key feature of the draft policy is a clearer definition of human data types that generally require controlled access. These data may only be shared openly if informed consent allows it and the institution determines the risk to be very low, or if open sharing is required by law.
NIH identifies the following categories as requiring protection throughout the data lifecycle:
- Covered personal identifiers
- Precise geolocation data
- Biometric identifiers
- Genomic, epigenomic, proteomic, and transcriptomic data
- Personal health data and personal financial data
- Individual-level clinical trial data
- Imaging data of the human face or head regions
Institutions remain responsible for protecting this data, even when it is not deposited in a controlled-access repository.
Expectations for Controlled-Access Data Repositories
Repositories managing controlled-access human data must meet defined security and operational standards. At a minimum, these include:
- Reviewing requests to access controlled data before approval
- Authenticating the identity of data requesters
- Restricting data sharing with institutions in countries of concern
- Implementing appropriate security controls, such as NIST SP 800-171 or equivalent
NIH-controlled repositories that already meet NIH’s security and operational standards are considered compliant. Repositories relying only on user registration or non-binding data use guidance are not considered controlled-access under the proposed policy.
Assessing the Need for Controls on Other Data
For human data types not listed in the policy, the NIH expects institutions to evaluate whether additional access controls are needed. They should consider factors like legal or consent-based restrictions, data sensitivity, and the risk of re-identification.
This approach aims to provide flexibility while still promoting thoughtful, risk-based decision-making.
Proposed Revisions to the Genomic Data Sharing Policy
NIH proposes targeted updates to the Genomic Data Sharing Policy, first issued in 2014. The core principles of broad and responsible data sharing remain unchanged. Updates are intended to clarify and streamline the policy.
Key proposed changes include:
- Refining the scope of the GDS Policy to apply only to human genomic data, with non-human genomic data governed by the NIH Data Management and Sharing Policy.
- Simplifying the definition of large-scale genomic data, setting a clear threshold of data from 100 or more individuals.
- Establishing consistent expectations across NIH, preventing Institutes and Centers from expanding the scope of the GDS Policy through local requirements.
Updates to Data Sharing Timelines and Practices
NIH also proposes to modernize how and when genomic data are shared. Rather than prescribing detailed processing levels, the revised policy focuses on timely submission to approved NIH controlled-access repositories. In general, this means sharing data within six months of data generation, after data cleaning and quality control.
Additional proposed updates include:
- Clarifying that decisions about open versus controlled sharing of genomic and other omics data will be governed by the proposed Controlled-Access Data Policy.
- Allowing the use of HIPAA Expert Determination for de-identification when accepted by the repository.
- Expanding who may review Institutional Certifications beyond IRBs to include other qualified institutional bodies.
- Strengthening informed consent requirements for genomic data collected from biospecimens or cell lines created or collected after 2015.
Imputation Servers and Emerging Practices
NIH is asking whether Approved Users should run their own imputation servers with controlled-access genomic data. Any method must have robust safeguards against disclosure, adhere to NIH security best practices, and be operated by or on behalf of a federal agency.
Request for Public Comment
NIH invites public input on all aspects of the Draft Controlled-Access Data Policy and the proposed revisions to the Genomic Data Sharing Policy. NIH is particularly interested in feedback on:
- Whether existing controlled-access repositories can meet anticipated demand
- The appropriateness of the proposed protected data types
- Approaches to maintaining privacy and security for imputation servers
Comments must be sent in writing by March 18, 2026, using NIH’s online comment form. Submissions are voluntary and may be anonymous. After review, NIH’s Office of Science Policy may post responses publicly.
