Research data should only be shared as ethically appropriate for the dataset. NIH expects investigators to choose the most appropriate methods for data sharing that are consistent with UW-Madison, state, and federal requirements related to that data.
Best practice is to select both repositories and access mechanisms are that the best fit for your data sensitivity, data types, or other factors like size and volume. Due to this you may share some of your data in one repository and some of it in another – that’s okay too!
Depending on the data, you may:
- Share data in an open access repository
- Share through a repository with controlled or restricted-access mechanisms
- In the case that part, or all, of the data is truly too sensitive, choose not to share at all
A good rule of thumb is the phrase ‘as open as possible, as closed as necessary’.
- Considerations for Your Data
- Is My Data Controlled Access
- Is My Data Open Access
- De-identifying data
- Ensure your NIH DMS plan language matches your informed consent language.
- Use this template to develop language that can be used in both your informed consent and NIH DMS plan
- Choose a repository that has appropriate security, risk, and access mechanisms. See NIH’s repository considerations for human data.
- Leverage repositories with functions like moderated requests, data use agreements, virtual enclaves, or other restricted-access mechanisms!
- Review IRB’s guidance on sharing data in repositories.
- Ensure your data is de-identified.
- Determining whether data is fully de-identified or how it can be made fully de-identified is a complex area that requires expertise from an honest broker for researchers in the Health Care Component (HCC) or by UW-Madison HIPAA Privacy and Security Officers for researchers outside the HCC.
- Include data sharing costs for de-identification or repository/controlled access fees in the budget for your NIH DMS plan.
- You must have review and approval from IRB.
- Sharing via controlled access must be consistent with any applicable laws, local approvals and governing agreements
- Sharing must not pose greater than minimal risk to individual participants or communities/groups
- The level of controls required may vary based on the sensitivity of the data and likelihood of re-identification
- Only de-identified datasets may be shared
Read IRB’s guidance here. If your data was consented prior to the policy change or data was obtained under a waiver of consent, be sure to read their guidance for details.
- You must have review and approval from IRB.
- You must also have explicit consent for data sharing through open access means and the consent must specify the type of data and identifiability of the data to be shared.
- Sharing the data openly must be consistent with applicable laws, local approvals and governing agreements (funding, MTAs, DUAs, etc.)
- Sharing must not pose greater than minimal risk to individual participants or communities/groups
- Only de-identified datasets may be shared
UW-Madison’s Policy for De-identification of Protected Health Care Information Under the HIPAA Privacy Rule
UW-Madison’s Office of Research Compliance definition of a de-identified data set