UVM Libraries Research Guides: NIH 2023 Data Management and Sharing (DMS) Policy: Working with Data from Human Subjects

UVM Policy and Protocol for Biological Specimens

While the materials provided by the NIH can provide some helpful guidance, be mindful that those materials are created for a very wide audience and do not consider local UVM/UVMHN institutional policies. All DMS plans submitted to the NIH must comply with University of Vermont policy:

Does the DMS Policy expect that when consent is obtained for research involving human participants, it must be for sharing and the future use of data?

No. Informed consent for participation in research remains the cornerstone of trust between researchers and research participants and thus the DMS Policy does not dictate how this process is achieved. Rather, researchers’ intention for scientific data management and sharing, as proactively described in Plans, is strongly encouraged to be part of the informed consent process. The DMS Policy does not expect that informed consent given by participants will be obtained in any particular way. For example, a study may plan to utilize consent for broad sharing of identifiable private information (e.g., the broad consent provision of the Common Rule at 45.CFR.46.116(d))) but it is not required by the DMS Policy.

***UVM/UVMHN is not implementing the broad consent provision as this would require prospective consent for all leftover specimens from clinical care. This would have required the hospital to create systems to track the consent data on an institutional level.***

Researchers also should be aware that they may be subject to other requirements or particular expectations, for consent, such as the NIH Genomic Data Sharing Policy.

(NIH; updated 7/26/22)

What steps does the DMS Policy take to ensure institutions and researchers protect research participants?

Award recipients must comply with any applicable laws, regulations, statutes, guidance, or institutional policies related to research with human participants and that protect participants’ privacy. The DMS Policy encourages respect for participants by encouraging researchers and award recipients to:

Address data management and sharing plans during the informed consent process to ensure prospective participants understand how their data will be managed and shared;
Outline steps they will take for protecting the privacy, rights, and confidentiality of prospective participants (i.e., through de-identification, Certificates of Confidentiality, and other protective measures);
Assess limitations on subsequent use of data and communicate these limitations to the individuals or entities (e.g., repositories) preserving and sharing the data; and
Consider whether access to shared scientific data derived from humans should be controlled, even if de-identified and lacking explicit limitations on subsequent use. Sharing via controlled access may be specified by certain funding opportunity announcements (FOAs) or the funding NIH ICO(s).

(NIH; updated 1/25/22)

Resources for Developing Consent Language

Informed Consent for Secondary Research with Data and Biospecimens (NIH)
General Points to Consider and Sample Language for Future Use and/or Sharing from the NIH ***Note that UVM does not support the broad consent provision***
UVM IRB Medical Consent Template with Guidance
This UVM-specific template provides guidance and examples of text to be used within each section. Please customize each section in accordance with your protocol. (Form updated 4/3/23)
UVM IRB Specimen or Data Collection Consent Template with Guidance
This UVM-specific template can be used whether the specimens or data obtained are for a single research protocol or multiple. Please customize each section in accordance with your protocol. (Form updated 6/13/23)

Additional Repository Considerations for Human Data

When working with human participant data, including de-identified human data, here are some additional characteristics to look for:

Fidelity to Consent: Uses documented procedures to restrict dataset access and use to those that are consistent with participant consent and changes in consent.
Restricted Use Compliant: Uses documented procedures to communicate and enforce data use restrictions, such as preventing reidentification or redistribution to unauthorized users.
Privacy: Implements and provides documentation of measures (for example, tiered access, credentialing of data users, security safeguards against potential breaches) to protect human subjects’ data from inappropriate access.
Plan for Breach: Has security measures that include a response plan for detected data breaches.
Download Control: Controls and audits access to and download of datasets (if download is permitted).
Violations: Has procedures for addressing violations of terms-of-use by users and data mismanagement by the repository.
Request Review: Makes use of an established and transparent process for reviewing data access requests.

NIH 2023 Data Management and Sharing (DMS) Policy

UVM Policy and Protocol for Biological Specimens

NIH Guidance

Resources for Developing Consent Language

Additional Repository Considerations for Human Data

Links to Guidance