Topics Map > Research Policy and Compliance > Human Research Protection Program (HRPP) > HRPP Resources for Researchers

NIH Genomic Data Sharing Policy for Human Data Guidance

Version Date: March 4, 2015

The National Institutes of Health (NIH) issued a Genomic Data Sharing Policy (hereafter NIH Policy) in effect as of January 25, 2015 that requires the submission of large-scale genomic data as well as relevant associated data to an NIH-designated data repository. This NIH Policy applies to all NIH-funded research that generates large-scale human or non-human genomic data as well as the use of these data for subsequent research. The policy defines large-scale data as including genome-wide association studies (GWAS), single nucleotide polymorphisms (SNP) arrays, and genome sequence, transcriptomic, metagenomic, epigenomic, and gene expression data. Further, the policy clarifies that its requirements apply irrespective of NIH funding level or funding mechanism (e.g., grant, contract, cooperative agreement, or intramural support).

NIH requires institutions for which researchers will submit genotype or phenotype information to the central NIH repository to assure through a certification, signed by the Institutional Official, that:

  • The data submission is consistent with all applicable laws and regulations, as well as institutional policies;
  • The appropriate research uses of the data and the uses that are specifically excluded by the informed consent documents are delineated;
  • The identities of research participants will not be disclosed to the NIH data repository; and
  • An IRB reviewed and verified:
    • The protocol for the collection of genomic and phenotypic data is consistent with 45 CFR Part 46;
    • Data submission and subsequent data sharing for research purposes are consistent with the informed consent of study participants from whom the data were obtained;
    • Consideration was given to risks to individual participants and their families associated with data submitted to NIH-designated data repositories and subsequent sharing; and
    • To the extent relevant and possible, consideration was given to risks to groups or populations associated with submitting data to NIH-designated data repositories and subsequent sharing; and
    • The investigator’s plan for de-identifying datasets is consistent with the standards outlined in the NIH Genomic Data Sharing Policy.

If you are an investigator who is required or voluntarily wishes to submit data to an NIH repository, in order to obtain the required institutional certification the following must be submitted to the IRB that has approved or will approve the research from which the information was or will be derived:

  1. A cover letter, signed by the study’s Principal Investigator (PI), that:
    1. Identifies the IRB number assigned to the protocol, the study title, and the PI on the study.
    2. Outlines the request for certification for submission of data to the NIH Data Repository, including a description of what genotype/phenotype data will be submitted.
    3. Identifies the NIH funding that supported the large scale genomic data analyses, if applicable.
    4. Describes any information that would not be shared with NIH due to expected limitations on the consent (e.g., samples would not be sent if participants explicitly declined to allow them to be banked for future research).
    5. Describes how the data will be de-identified and, if applicable, coded (e.g. removal of 18 specified identifiers under the HIPAA Privacy Rule) before being submitted to NIH and how the link, if any, will be maintained.
    6. Includes written confirmation that the link will never be shared with the NIH.
    7. Indicates whether a Certificate of Confidentiality (COC) will be or has been obtained.1

  2. A copy of the IRB-approved consent form(s) used to collect the initial data/samples.

The IRB will review the request to determine whether the consent documents:

  1. Permit the retention of samples for future research
  2. Limit the use of the samples in any way (e.g., samples were banked for a particular type of research) – any limitation on sample use must be communicated to the NIH Repository and will be outlined in the certification letter
  3. Require additional action before the samples can be sent to the NIH repository (e.g., contacting participants for their permission)

Please note that any investigator conducting prospective research involving large-scale human genomic data should ensure the consent form informs participants of the intention to share genotype and phenotype information derived from their samples with the NIH repository; describes the information that will be shared; and describes the protections in place to protect their confidentiality. Participants are still expected to be able to decline providing consent to include their information in the NIH repository.

If the IRB determines that the initial consent forms are not consistent with submission of data to the NIH Repository the data cannot be submitted. This will be communicated to the investigator making the request by the IRB Office reviewing the request. In some cases, participants may need to be re-contacted in order to obtain their consent for the submission of their data to the NIH Repository. This would require the investigator to submit a Change of Protocol to the IRB and the IRB would evaluate whether re-contacting participants to obtain additional consent for the use of their samples is possible and appropriate.

For assistance or further information, please contact the IRB office that you are working with. Contact information for the IRB offices is located on their websites.




1Although the data in the NIH database of Genotypes and Phenotypes (dbGaP) are de-identified by both the Common Rule (45 CFR 46) and HIPAA Privacy Rule standards, NIH has obtained a Certificate of Confidentiality for dbGaP as an additional precaution because genomic data can be re-identified. NIH encourages investigators and institutions submitting large-scale human genomic datasets to NIH-designated data repositories to seek a Certificate of Confidentiality as an additional safeguard to prevent compelled disclosure of any personally identifiable information they may hold.