The National Institutes of Health announced on December 18, 2025, in the Federal Register a proposal for a new Controlled-Access Data Policy and revisions to its existing Genomic Data Sharing Policy. This development seeks to harmonize data protection requirements across NIH-supported research involving human participants. It responds to evolving privacy concerns, national security threats, and recommendations from government bodies. By establishing clear criteria for controlled-access data and streamlining genomic sharing rules, NIH aims to facilitate responsible data use while minimizing risks. The proposal invites public comments until March 18, 2026, potentially shaping how researchers handle sensitive information in fields like genomics and clinical trials. This move underscores NIH's role as a steward of research data, addressing directives from recent executive orders and congressional acts to protect American data from foreign exploitation.
Background and Rationale
NIH's proposal emerges from a need to update its data sharing framework amid advancing technologies and heightened risks. The agency has long promoted open data sharing to accelerate scientific discovery, but recent developments highlight vulnerabilities. For instance, Executive Order 14117, issued by President Biden in 2024, and the accompanying Department of Justice rule under 28 CFR part 202 focus on preventing access to bulk sensitive personal data by countries of concern. Additionally, the Consolidated Appropriations Act of 2023 mandated updates to genomic data policies to mitigate national security risks. A Government Accountability Office report from 2025 recommended enhanced monitoring of researcher compliance with data security measures.
These influences build on NIH's 2014 Genomic Data Sharing Policy, which encouraged broad sharing of genomic data with protections like informed consent. Since then, NIH has introduced the 2023 Data Management and Sharing Policy and strengthened controlled-access practices, such as harmonizing repository oversight and prohibiting data access by institutions in certain countries. The new proposals aim to eliminate redundancies, clarify protections for various data types, and respond to privacy threats, including re-identification risks in an era of big data and AI.
Key players include NIH's Office of Science Policy, which drafted the policies, and stakeholders like researchers, institutions, and privacy advocates who can submit comments. The changes reflect broader political forces, such as bipartisan concerns over data security in U.S.-China relations, without endorsing specific geopolitical views.
Key Elements of the Proposed Controlled-Access Data Policy
The proposed policy applies to all NIH-supported research generating or deriving human data from participants, cell lines, or biospecimens, excluding non-human data or mere collection of cell lines. It mandates controlled access for specific data types to safeguard privacy and security throughout the data lifecycle.
Protected data categories include covered personal identifiers, precise geolocation data, biometric identifiers, genomic data, epigenomic data, proteomic data, transcriptomic data, personal health data, personal financial data, individual-level clinical trial data, and imaging data of the human face or head. These align with definitions from 28 CFR part 202 and extend to NIH-specific research outputs. For example, genomic data encompasses nucleic acid sequences from genetic tests, while personal health data covers medical histories and vital signs.
Data may be shared openly only with explicit informed consent and after institutional review confirms low risk, or if required by federal law. Repositories must meet standards such as prospective review of access requests, user authentication, restrictions on sharing with countries of concern, and security protocols equivalent to NIST SP 800-171. NIH's own Controlled-Access Data Repositories comply fully, but other repositories can qualify if they adopt similar measures.
For data not explicitly listed, institutions must assess needs based on legal limitations, potential sensitivities (e.g., stigmatizing traits), or re-identification risks. This approach promotes maximal sharing while addressing emergent threats, as noted in the Federal Register: 'NIH is proposing a holistic update to its data policy framework to strengthen data protections, clarify requirements, and reduce duplicative burden.'
Proposed Revisions to the Genomic Data Sharing Policy
NIH plans to revise its 2014 Genomic Data Sharing Policy to align with the new controlled-access framework and the broader Data Management and Sharing Policy. Core principles remain, but changes focus on efficiency.
The scope narrows to human genomic data from 100 or more individuals, simplifying 'large-scale' thresholds. Non-human data falls under the general Data Management and Sharing Policy. NIH Institutes can no longer expand the policy's scope individually, reducing complexity.
Data submission timelines shift: human genomic data must be submitted to approved repositories within six months of generation, after quality control, and released immediately upon processing. Expectations for open sharing now defer to the Controlled-Access Data Policy, including consent requirements.
Modernizations include allowing HIPAA Expert Determination for de-identification, expanding institutional review to bodies like Human Research Protection Programs, and strengthening consent rules. Data from post-2015 biospecimens require consent for sharing, with provisions for legally authorized representatives. The policy also addresses imputation servers, permitting approved users to operate them under strict security if funded by NIH or federal agencies.
These revisions respond to community feedback and build on updates like NOT-OD-25-083, which prohibits access by institutions in countries of concern.
Implications and Perspectives
Short-term implications include increased administrative burdens for researchers, who must classify data and ensure controlled-access compliance, potentially delaying sharing. Long-term, the policies could enhance trust in research by bolstering protections, fostering more participation and international collaboration under secure conditions.
Different perspectives exist: privacy advocates may welcome robust safeguards against re-identification, while researchers might argue that strict controls hinder innovation. National security experts emphasize alignment with directives like Executive Order 14117 to counter foreign threats. Legal precedents, such as the Common Rule (45 CFR 46), underpin consent requirements, ensuring ethical sharing without endorsing any viewpoint.
The proposal's emphasis on public input reflects a balanced approach, allowing stakeholders to influence outcomes on repository capacity, data type definitions, and imputation strategies.
In summary, NIH's proposals represent a strategic evolution in data governance, prioritizing protection amid technological advances. Potential next steps involve incorporating public comments, finalizing policies by late 2026, and developing guidance on low-risk data. Ongoing debates may center on balancing openness with security, repository resources, and adapting to emerging technologies like privacy-enhancing tools. Challenges include ensuring equitable access for global researchers and monitoring compliance without stifling progress.