Data Sharing in large data repositories is increasingly common and may be required for funded research (e.g., NIH) or for publication purposes. The information below outlines common sharing formats, possible consent scenarios, and considerations researchers should be aware of when developing plans for grant applications for data sharing in data repositories when the data to be shared is from human research participants. Investigator’s should describe their data sharing plans, including discussion of the considerations noted on this page, in their protocol (IRB templates: HRP-503 – Biomedical Protocol and HRP-503a – Registries and Repositories Protocol) and application. Template consent language for open access and controlled access data sharing can be found in HRP-502. UW Research Data Services has information and resources regarding data sharing related to the NIH Data Management & Sharing Policy.

Note: The UW IRBs may consider exceptions to these guidelines on a case-by-case basis.

Repository Controls: Examples of controls include conditional access that is moderated by the repository, and may include the requirement to sign a Data Use Agreement, the requirement to demonstrate IRB approval of a project requesting data, or use of a virtual enclave where researchers can only work within the repository’s infrastructure.

Open Access: Open access data sharing allows anyone to access and use the dataset. For
the data to be made publicly available, all information, both direct and indirect, that could lead to a person being identified must be removed. (For health information this is called de- identification when the 18 direct and indirect identifiers outlined in HIPAA are removed). Datasets from rare disease communities may require the removal of more information than for more common disease communities to safely protect a person’s identity. Although necessary, this level of de- identification of data can limit the usefulness of the dataset.

Controlled Access: Controlled access data sharing requires a request for access to the dataset to be approved. The requirements vary, but usually limit data sharing to researchers with a specific, relevant research question. Additional data sharing restrictions may be determined by the owner of the data prior to collection of the data and, for consented studies, should be described in the informed consent (e.g., data may only be used for research on a specific disease or condition). A Data Sharing Agreement and/or Data Use Agreement are often used in controlled access data sharing. Although the information that may directly identify a person must be removed, the amount of information to be removed may vary based on risk and level of controls. A “limited data set” (i.e., may include indirect identifiers like dates and city/state/zip) may only be shared under a Data Use Agreement that complies with HIPAA.

Restricted Access: Data cannot be shared or released directly to the public research community due to possible risk(s) to study participants as well as to protect the data confidentiality promised to them.

Minimal Risk: Minimal risk means that the probability and magnitude of harm or discomfort anticipated in the research are not greater in and of themselves than those ordinarily encountered in daily life of the general population or during the performance of routine physical or psychological examinations or tests.