Biomedical Research

NIH Policies for Data Management and Sharing

NIH Policies for Data Management and Sharing

This page describes associated IRB requirements related to the NIH Policy for Data Management and Sharing of scientific data generated from NIH funded research. Information is also presented on the NIH Genomic Data Sharing Policy and Institutional Certification processes.

NIH Policy for Data Management and Sharing

The National Institutes of Health (NIH) has issued the final NIH Policy for Data Management and Sharing (DMS Policy) to promote the management and sharing of scientific data generated from NIH-funded or conducted research. This Policy is effective January 25, 2023 and applies to research funded or conducted by NIH that results in the generation of scientific data. The DMS policy establishes the requirements to submit Data Management and Sharing Plans to the NIH. Investigators are responsible for adherence to their plans.

DMS Policy Impact on IRB Submissions


As part of the criteria for IRB approval outlined in the federal regulations, the IRB must confirm that informed consent has been sought from participants and that there are adequate provisions to maintain confidentiality of data. Hence, this policy has impact on confidentiality plans and informed consents submitted to the IRB.

Data Management and Sharing Plans should be submitted to the IRB so that the IRB may review plans for data sharing, along with measures of security, confidentiality, and any limitations to data sharing.

  • Data Management and Sharing Plans should align with the confidentiality plan outlined in HSERA or the standalone protocol.
  • The NIH emphasizes that “access to scientific data derived from humans should be controlled, even if de-identified and lacking explicit limitations on subsequent use.” Additionally, controlled-access repositories should be considered if the data “could be considered sensitive, such as including information regarding potentially stigmatizing traits, illegal behaviors, or other information that could be perceived as causing group harm or used for discriminatory purposes.”
  • Likewise, “privacy protections should be considered regardless of whether the data meet technical and/or legal definitions of “de-identified” and can legally be shared without additional protections.”
  • Questions on NIH requirements for Data Management and Sharing Plans should be directed to Penn’s Office of Research Services or the NIH Grant Manager.
Penn’s Office of Research Services

Data sharing and use should be clearly communicated in consent processes. The NIH encourages researchers to “develop robust consent processes that prioritize clarity regarding future sharing and use of scientific data, including limitations on future use, and general aspects regarding how data will be managed.” Likewise, “scientific data that are collected, shared, or used without informed consent also deserve privacy considerations.”

  • The IRB has updated the Penn Informed Consent templates to align with the NIH Guidance entitled, Informed Consent for Secondary Research with Data and Biospecimens: Points to Consider and Sample Language for Future Use and/or Sharing. Tracked versions with explanation of the changes are available for the biomedical and social behavioral templates. The changes to template language is not significant. The major change to the templates is additional embedded guidance for NIH studies.
  • Investigators should ensure that their Data Management and Sharing Plans align with what is presented as part of the informed consent process. This ensures that participants’ autonomy is respected.
  • NIH recommends that “scientific data be de-identified to the greatest extent that maintains sufficient scientific utility. Unless participants explicitly consent to sharing identifiable data (e.g., under the broad consent provision of the Common Rule), data should generally be shared only in a de-identified format.”
IRB Forms and Templates Explanation of Changes to the biomedical templates NIH Guidance

NIH Genomic Data Sharing (GDS) Policy & Genome-Wide Association Studies (GWAS)


NIH expects researchers to broadly and responsibly share human genomic data generated by NIH funds. The timely sharing of research results can accelerate discoveries that improve our ability to diagnose, treat, and prevent disease. The NIH GDS policy applies to all studies generating large scale genomic data and some smaller scale projects too. Research that uses data obtained from NIH-designated data repositories such as dbGaP is subject to the GDS Policy.


Institutional Certification


To comply with the GDS policy, NIH expects that investigators and institutions:

  • Develop and provide a plan for sharing genomic data as a part of the Data Management and Sharing Plan
  • Provide an Institutional Certification form at Just-in-Time, if working with human data. At Penn, the IRB reviews and approves Institutional Certification. The below guidance document details (i) how to submit requests for Institutional Certification to the IRB, (ii) how the IRB will consider these requests and (iii) how studies can be drafted to ensure that Institutional Certification can be granted.
  • Submit genomic data in a timely manner to an appropriate repository
  • Responsibly use controlled-access data

How to Submit Institutional Certification Requests


Requests for Institutional Certification can be emailed to the IRB PO Box. Questions may be directed to Patrick Stanko.



Want to speak to an IRB staff member?

Get in Touch