New NIH Genomic Data Sharing Policy Straddles a Fine Line

August 29, 2014

By Aaron Krol 

August 29, 2014 | This week, the NIH issued its long-awaited Genomic Data Sharing (GDS) Policy, an expansion of the 2007 policy governing genome-wide association studies, which takes into account rapid changes in technology and genomic security risks over the past several years. The new GDS Policy, which follows a draft release in September 2013 and a period of public comments, tries to strike a balance between, on the one hand, encouraging data sharing as broadly as possible to spur future research, and on the other hand, addressing concerns that identification of patient donors from genomic data is a real and pressing issue that must be handled with enforceable privacy measures. The requirements for data sharing in the new policy, available through nih.gov, will have a major impact on American genomic research, as they apply to every project collecting data on at least 100 human subjects that receives NIH funding of any kind.

The GDS Policy will retain the two-tiered privacy system established in 2007, by which human genomic data can be submitted to NIH databases in either an "unrestricted access" or "controlled access" designation, depending upon the level of patient consent researchers acquire. Controlled access data can only be used by additional researchers after obtaining NIH approval on a year-by-year basis. However, NIH has now chosen to stress that unrestricted access is the preferred route, stating in the press release announcing the policy that "investigators are encouraged to seek the broadest possible sharing permissions from participants for future research use of their data." The GDS Policy also stipulates that the NIH database of human genotypes and phenotypes, dbGaP, will remain the required data repository for all NIH-funded human genetic studies. For non-human studies, however, NIH will consider a wide array of databases, including non-NIH sites widely used by the scientific community. In both cases, data release is mandated at the time of publication of results or earlier.

The NIH gave a great deal of thought to when broad patient consent for data sharing should be relaxed or waived entirely, due to widely-shared concerns that the re-identification of anonymized genomic data is growing easier and easier, especially in certain vulnerable patient populations like those with rare genetic diseases. In response, the GDS Policy empowers institutional review boards to consider exceptions to the general data sharing requirements, even when working with de-identified data, where there are ethical reasons to keep data confidential. The Policy also adds new requirements that patient consent for data sharing be obtained even when using cell lines or clinical specimens derived from humans, with exceptions considered only for "compelling scientific reasons." 

One proposed measure that was not included in the final GDS Policy was a requirement that NIH-funded genomic researchers make their data sharing plans public. However, in a preamble to the new policy, the NIH states that "further consideration will be given to the suggestion that data sharing plans should be made public." If eventually implemented, this measure could help hold researchers to their data sharing commitments, and encourage more public scrutiny of the degree to which researchers take data sharing seriously as an essential part of their projects.

The new GDS Policy goes into effect on January 25, 2015.