FABBS recently submitted comments to the National Institutes of Health (NIH) in response to its request for information (RFI) on “Draft NIH Controlled-Access Data Policy and Proposed Revisions to NIH Genomic Data Sharing Policy.” Our comments focused on the first policy proposal — regarding which data types require controlled-access management and the corresponding security expectations — and the implications for researchers using human participant data.
The Draft Controlled-Access Data Policy applies to nearly all NIH-supported research generating human data, including both intramural and extramural research. Linked to Department of Justice guidance, the Draft Controlled-Access Data Policy identifies 11 data types that are to be protected via controlled-access, including personal health data (e.g., height, weight) and imaging data of the human face or head regions. Further, the draft policy outlines requirements for repositories storing controlled-access human participant data, including security standards for protection of that data as outlined in national security policies.
In our comments, FABBS cautioned NIH that the policy, as currently drafted, is too broad in scope and treats all data types identically, regardless of the privacy risks they pose. This is a consequence of NIH building this policy on existing rules aimed at minimizing national security threats from access to large-scale sensitive datasets. However, few datasets coming out of NIH-funded research reach this level of risk, raising questions about why NIH has applied national security standards in this policy.
Critically, the draft policy does not distinguish between identified and de-identified data, nor does it consider the varying likelihood that de-identified data can be re-identified. As an alternative, FABBS encouraged NIH to develop a tiered controlled-access framework that better aligns the threats from certain data types by considering risk probability, magnitude of harm, and existing security practices, among other important factors.
FABBS also highlighted several potential unintended consequences of the draft policy that could negatively impact research:
- Infrastructure: The current repository infrastructure cannot support the increased number of studies requiring controlled-access security under this policy. Improving existing and developing new data repositories will require significant resources from researchers and their institutions. The ability to do data analysis and share data may be further centralized to a few well-resourced institutions that can afford to upgrade their data security and stay in compliance.
- Secondary Data Analysis: The draft policy could slow secondary data analysis by increasing the barriers to data access for many researchers. For example, lesser-resourced institutions may be unable to develop the necessary infrastructure to house controlled-access data collected by researchers from well-resourced institutions, preventing data sharing between the two.
FABBS urged NIH to conduct a thorough assessment of potential consequences and mitigation plans. We pointed to the recent decision to eliminate Basic Experimental Studies Involving Humans (BESH) from the definition of clinical trials as exemplifying the value of doing a pre-implementation assessment (see previous FABBS reporting).
FABBS will continue to monitor developments regarding NIH’s approach to controlled-access data and their impact on our sciences.
