Skip Navigation and Go To Content

NIH Genomic Data Sharing Policy


The NIH Genomic Data Sharing Policy (GDS) policy applies to investigators who are proposing to generate large-scale human or non-human genomic data using NIH funding. This policy applies to data obtained prospectively as well as retrospectively from existing specimens. The role of the IRBs is to review the data sharing plans for consistency with the NIH GDS Policy, as well as the adequacy of the informed consent process and documents used to obtain consent for the generation and secondary research use of the data.

Key Terms

Coded: Coded means that any identifying information (such as name or social security number) that would enable the investigator to readily ascertain the identity of the individual to whom the private information or specimens pertain has been replaced with a number, letter, symbol, or combination thereof (i.e., the code); and a key to decipher the code exists, enabling linkage of the identifying information to the private information or specimens.

De-identified De-identified means that the identities of data subjects cannot be readily ascertained or otherwise associated with the data by the repository staff or secondary data users (45 CFR 46.102(f)), the 18 identifiers enumerated at section 164.514(b)(2) of the HIPAA Privacy Rule are removed and the submitting institution has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the subject of the data.


Investigators proposing to generate large scale genomic data should include a data sharing plan that describes:

  1. How the expectations of the NIH GDS Policy will be met,
  2. Denote the type(s) of data to be submitted
  3. Name of the data repository data that the data will be submitted to,
  4. Appropriate uses of the data (i.e. Data Use Limitation),
  5. Data sharing timeline.

Investigators must also submit an IRB assurance of the data sharing plan, as well as any request for an exception to submission.

Institutional Certification – The Institutional official is responsible for certifying that data submission plans meet the following expectations defined in the GDS policy:

  1. The data submission is consistent with all applicable laws and regulations as well as institutional policies;
  2. The appropriate research uses of the data and the uses that are specifically excluded by the informed consent documents are delineated;
  3. The identities of research participants will not be disclosed to the data repository.

IRB Review: When NIH funded research involves large scale genomic data, the IRB is responsible for reviewing and verifying that:

  1. Data sharing plan is consistent with the informed consent of study participants from whom the data were obtained;
  2. The investigator’s plan for de-identifying datasets is consistent with the standards outlined in the policy;
  3. It has considered the risks to individuals, their families, and groups or populations associated;
  4. The genotype and phenotype data to be submitted were collected in a manner consistent with 45 C.F.R. Part 46.

Informed Consent – In addition to the elements of disclosure for genetic studies, the IRB will ensure that the consent document meets the expectations for future research use and broad sharing under the GDS Policy:

  1. Genomic and phenotypic data, and any other data relevant for the study (such as exposure or disease status) will be generated and may be used for future research on any topic and shared broadly in a manner consistent with the consent and all applicable federal and state laws and regulations.
  2. Prior to submitting the data to an NIH-designated data repository, data will be stripped of identifiers such as name, address, account and other identification numbers and will be deidentified by standards consistent with the Common Rule. Safeguards to protect the data according to Federal standards for information protection will be implemented.
  3. Access to de-identified participant data will be controlled, unless participants explicitly consent to allow unrestricted access to and use of their data for any purpose.
  4. Because it may be possible to re-identify de-identified genomic data, even if access to data is controlled and data security standards are met, confidentiality cannot be guaranteed, and reidentified data could potentially be used to discriminate against or stigmatize participants, their families, or groups. In addition, there may be unknown risks.
  5. No direct benefits to participants are expected from any secondary research that may be conducted.
  6. Participants may withdraw consent for research use of genomic or phenotypic data at any time without penalty or loss of benefits to which the participant is otherwise entitled. In this event, data will be withdrawn from any repository, if possible, but data already distributed for research use will not be retrieved.
  7. The name and contact information of an individual who is affiliated with the institution and familiar with the research and will be available to address participant questions.

Retrospective Studies. For retrospective studies performed using existing genetic materials and previously collected data, the IRB shall review the consent document under which existing genetic materials and data were obtained to determine if the information addresses risks and data sharing of genotypic and phenotypic data.  For studies that propose to use pre-existing data or samples, the IRB may conclude in some cases that the original consent is not adequate for submitting to the registry  and subsequent sharing for research. In these cases, the IRB may decide that it is appropriate and necessary for the investigator to seek explicit consent of the research participants for submission to the data repository and subsequent sharing.

The IRB may determine that re-consent is not feasible or appropriate for a given study or that it cannot verify that the other criteria described above have been met for submission to the NIH data repository. In these cases, the IRB and Institution may disapprove the request for data sharing with NIH data repository.

Once IRB review has been completed, the IRB director or designee will issue the form Institutional Certification letter for Institutional Official signature. Signed certification letters will be sent to the Principal Investigator for onward submission to NIH to satisfy the requirements of NIH GDS policy. 


  1. NIH Guidance on Element of Consent under the GDS Policy – Nov 2018
  2. GDS Points to Consider for Institutions and IRBs - Feb 2019
  3. About Genomic Data Sharing


  1. Initial Review


  1. Institutional Certification

If you find errors in this document, contact 

Document Number:


Document Name:

Genome-wide Association Studies

Reviewed by:

Executive Director, Research Compliance


1 Jan 2009

Revision History:

1 Aug 2011, I Jun 2016, 21 Jan 2019, 1 Jun 2021

CPHS HELPLINE   713-500-7943
iRIS HELPLINE    713-500-7960
UTHealth’s Compliance Hotline (1-888-472-9868)

IRB OFFICE HOURS Thursdays from 1 to 4pm, via the Teams Room at this link

How can we improve this site?

Committee for the Protection of Human Subjects
7000 Fannin St, Suite 1840
Houston, Texas 77030

Phone 713-500-7943
Fax     713-500-7951

IRIS Support 713-500-7960

aahrpp logo