Managing NIH GDS Data

On January 25th, 2025, the security standards for handling NIH Controlled-Access Data subject to the NIH Genomic Data Sharing (GDS) Policy were updated. The new requirements are given in NIST Special Publication (SP) 800-171 rev3.

The NIH Best Practices for Controlled-Access Data and Repositories is the authoritative document that lists the controlled-access repositories that fall under the updated requirements, as well as the new Data Certification Agreement.

See the NIH Notice NOT-OD-24-157 for details about the change.

In practice, this means that if the data for a project comes from one of the NIH Controlled-Access Data repositories, HiPerGator users and sponsors must follow the Data Use Certification or similar agreement and establish a HITRUST group on HiPerGator following the Regulated Data on HiPerGator Process documentation. Only that group's storage can be used for storing data of this type.

If your project is IRB exempt, you still need to do the risk assessment, but you don’t need an IRB. You will have to upload the NIH Data Use Agreement (DUA) and your data management plan as attachments to the risk assessment. That DUA lists the users who are authorized to access the data and is consulted when adding users to the group.