Part 1: Introduction, highlights of the new policy & writing the DMSP
(28 minutes, Fernando Rios & Jim Martin)
Part 2: Privacy, informed consent, indigenous knowledge, & proprietary data
(20 minutes, Christine Melton-Lopez & John Howard)
Part 3: Campus infrastructure for secure storage & compute
(10 minutes, Jeremy Frumkin & Nirav Merchant)
(11 minutes, Lori Schultz)
These video modules are intended to summarize and supplement the information given on this page.
What's new about the 2023 NIH Data Management and Sharing Policy?
Previously, the NIH only required grants with $500,000 per year or more in direct costs to provide a brief explanation of how and when data resulting from the grant would be shared.
The 2023 policy is entirely new. Beginning in 2023, ALL grant applications or renewals that generate Scientific Data must now include a robust and detailed plan for how you will manage and share data during the entire funded period. This includes information on data storage, access policies/procedures, preservation, metadata standards, distribution approaches, and more. You must provide this information in a data management and sharing plan (DMSP). The DMSP is similar to what other funders call a data management plan (DMP).
The DMSP will be assessed by NIH Program Staff (though peer reviewers will be able to comment on the proposed data management budget). The Institute, Center, or Office (ICO)-approved plan becomes a Term and Condition of the Notice of Award.
What do I need to do?
A DMSP must be submitted as part of the funding application for all new and competing proposals/renewals that generate Scientific Data for January 25, 2023, and subsequent receipt dates. The term Scientific Data is defined in the policy as "The recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens."
High-level first steps
- Determine your personal timeline. If you have an active NIH award going up for renewal with receipt date of January 2023, or if you are planning to submit an NIH proposal this year, then developing a DMSP should be a high priority, especially if you are working with external collaborators as it may take time to set up appropriate data procedures/agreements.
- Read through this webpage to familiarize yourself with the changes and with the policy itself (including the supplements)
- Familiarize yourself with the FAIR principles (Wilkinson et. al, 2016). The FAIR (findable, accessible, interoperable, reusable) data principles are the guiding principles the NIH has used in creating the new policy.
- Assess your own project and data management practices relative to the policy (see the NIH-provided supplements below), especially around documenting existing practices and developing new ones to address the increased emphasis on data sharing and administrative oversight.
- Review campus data services (e.g., computing, storage, consulting) and assess whether they will meet your needs. Also consider costs you may need to budget for such as labor for data cleaning and documentation (see the NIH-provided supplement on allowable costs).
If your research requires IRB approval, UA's IRB may ask for information contained in your DMSP. Therefore, it is strongly recommended to draft your DMSP prior to seeking IRB approval .
All new proposals must include a DMSP. After your funding is awarded, execute your ICO-approved plan and document that work in your RPPR to comply.
Step 1: Review data management and sharing best practices prior to creating your plan
- Best practices + secure data storage options
- Best practices on data sharing and archiving
- Data repositories. Also note the NIH maintains a list of repositories
- Review the NIH DMSP Guidance from ICO's if applicable (Guide from Hofstra University)
- Sample NIH DMSP Plans are available from NIH.
- Examples of other data management plans. Many federal funders have similar data management plan requirements and the general points of discussion in those plans are transferrable to your DMSP.
(a) Establish what data needs to be managed and by whom (see the definition of Scientific Data above).
(b) Establish what data needs to be shared under the policy (see the definition of Scientific Data above). The rule of thumb is to make the data "as open as possible, as closed as necessary".
(c) Document the following in your DMSP:
Of the data being collected, which datasets would be subject to additional privacy controls? Who will manage such controls? Who will have access? Refer to the Privacy Office and the HIPAA Privacy Program as applicable.
If you have a Data Use Agreement, ensure that the agreement allows for de-identified data sharing and/or sharing of derived datasets, if possible. Contact Sponsored Projects and Contracting.
If your research involves human subjects, ensure that consent forms contain appropriate language that allows de-identified data sharing. Contact the Human Subjects Protection Program (IRB)
If your research involves Indigenous populations, ensure that the appropriate leaders/groups have approved your plan for collection or use. Contact the University of Arizona Native American Advancement, Initiatives, and Research Office
Step 3: Write the DMSP. See the "What do I need to submit as part of my funding proposal" section below. We suggest using the DMPTool (see below) to create your plan. It includes a template with guidance on what to write in each section of the DMSP.
The NIH will be releasing further guidance on what they expect to see in plans and how to address specific circumstances.
Step 1: If you have a grant already underway, review this webpage and compare your existing data practices to the new requirements as soon as possible.
Step 2: Identify gaps in your existing plans and practices. The new policy requires much more robust data management and sharing plans. Your updated plan must address data sharing, which may not be a component of your existing work plan. Other areas that may need attention are: data use agreements, carving out time for data preparation (eg., de-identification), documentation, and upload into a data repository.
Step 3: To draft the plan, review the Guidance for New Proposals above.
What do I need to submit as a part of my funding proposal?
If you plan to generate scientific data, you must submit a Data Management and Sharing Plan to the funding NIH ICO as part of the Budget Justification section of your application for extramural awards.
Your plan should be two pages or fewer and must include:
- Data Type
- Related Tools, Software and/or Code
- Data Preservation, Access, and Associated Timelines
- Access, Distribution, or Reuse Considerations
- Oversight of Data Management and Sharing.
See Supplemental Information to the NIH Policy for Data Management and Sharing: Elements of an NIH Data Management and Sharing Plan for a detailed description of these Elements. For additional resources, refer to How to Get Started Writing a DMP.
See a UA-specific example on the examples page. NIH has provided several examples. Note that these samples are not intended to be used as templates and their use does not guarantee approval by NIH.
NIH has also developed an optional DMS Plan format page that aligns with the recommended elements of a DMS Plan. Important: Do not include hypertext (e.g., hyperlinks and URLs) in the DMS Plan attachment.
||To draft the plan itself, we recommend the DMPTool (log in with NetID) using the NIH template. Additional guidance for completing each section of the template will be added to the DMPTool on a rolling basis. A self-paced DMPTool training is also available.|
Costs to execute the DMSP can be included in the budget as a line item and a brief summary of the DMSP must be provided in the budget justification. Allowable costs include labor for data curation, preservation, de-identification, and more. The NIH has a provided a list of allowable and unallowable costs and has extensive information on the NIH DMSP FAQ page under "F. Budget/Costs".
Any costs related to complying with the policy must be paid for up-front during the performance period. For example, costs for long-term data preservation must be budgeted for in the proposal and paid before the end of the grant. You may find the NIHM Data Archive (NDA) cost estimation worksheet or the publication Forecasting Costs for Preserving, Archiving, and Promoting Access to Biomedical Data useful.
Some services provided by the University are free of charge while others are not. While free services do not need to be included in the budget, please consider contact the managing office prior to including them in your DMSP (e.g., repositories). See the following section for what kinds of services and tools are available to you.
What institutional tools and services are available to me for compliance during my grant?
General purpose storage
Refer to Storage, Backups, and Security
- HPC High Performance Storage (for HPC use only)
- UA Libraries Data Repository (archival storage for data publication -- meets NIH requirements for data sharing)
- RedCAP (HIPAA compliant)
- HPC cluster
- HIPAA Research Computing environment
- Controlled Unclassified Information (CUI) environment
- UA Soteria (secure compute for HIPAA/ePHI -- currently in a pilot phase)
- UA Libraries
- Data Cooperative (research data management, data science, geospatial consulting)
- Copyright, open access
- Health Sciences Library (research assistance, finding data, systematic reviews)
- CB2 (statistical analysis, de-identification, bioinformatics)
- RII research support (proposal development, HSPP, HIPAA office, core facilities compliance, etc.)
- CALS CCT data science services
- Data Science Institute
Unlike NIH's prior policies, the new policy requires a plan for maximizing the sharing of Scientific Data while acknowledging factors (legal, ethical, or technical) that may affect the extent to which it can be shared. See the definition of Scientific Data above for what is in scope for sharing.
If you are conducting research with human subjects, you must incorporate consent during the data management and sharing process, even if data will be de-identified. If you are conducting research with American Indian, Alaska Native, or Indigenous populations, you must secure appropriate agreements with tribal authorities before using and sharing that information. See the NIH's guidance on privacy protections and AI/AN populations
NIH recommends sharing datasets through established data repositories to improve the FAIRness (Findable, Accessible, Interoperable, and Re-usable) of the data.
While NIH supports many data repositories, your data may or may not be appropriate for an NIH repository. You should also consider data repositories supported by other organizations, both public and private.
For more information, see Supplemental Information to the NIH Policy for Data Management and Sharing: Selecting a Repository for Data Resulting from NIH-Supported Research and the University of Arizona Libraries guide to Data Repositories. The UA's ReDATA repository is a compliant repository for de-identified data.
You will need to share your data when you publish your work or before your performance period ends, whichever comes first.
In general, you should make your data accessible as soon as possible. You can also use relevant requirements and expectations such as data repository policies, award record retention requirements, or journal policies, to decide when to share your data sets.
The policy does not state specific requirements for how you share your data. When you share your data, you should address the NIH’s goal of making data as accessible as possible. The NIH expects all shareable data to be made available, whether it is associated with a publication or not.
All data used or generated as part of a grant must be managed, but not all data should be shared. You should not share data if doing so would violate privacy protections or applicable laws.
You may share data related to human subjects, but your plan should address how data sharing will be communicated in the informed consent process (e.g., consent forms, waivers of consent). See the University of Arizona Research Data Repository (ReDATA) policies ("De-identified Data Associated With Human Subjects Research", p. 5) for sample consent language that allows for data sharing. For additional guidance on consent, see item C in the NIH FAQ.
Before submitting your data to your chosen repository, you will need to:
- Bundle your data together in logical "chunks" for citation and reuse. Appropriate bundling makes it easy to assign a persistent identifier(s) (e.g., DOI) to the dataset. NIH strongly encourages the use of persistent identifiers for datasets. These identifiers, usually assigned by data repositories, make it easier for others to cite your data and for the NIH to track compliance.
- De-identify your data, if appropriate
- Convert your data to an open, machine-readable file format such as .csv when possible
- Use data and metadata standards appropriate to your field (if any). Refer to fairsharing.org for a searchable database of standards.
- Document the dataset thoroughly in a separate readme.txt file, and/or create metadata according to the format required by your chosen repository or discipline
Refer to Data Management Best Practices for help in fleshing out these steps.
Compliance and Institutional Oversight
NIH Compliance Monitoring
You must comply with the ICO-approved plan and document that compliance in the annual Research Performance Progress Report (RPPR). Non-compliance may result in enforcement action from the NIH such as
- Addition of special terms and conditions to the award
- Termination of the award
Non-compliance may also affect future funding decisions. To avoid possible issues when reporting progress, ensure that your submitted plan contains enough detail for the program officer to be able to evaluate compliance.
If you make changes to your submitted plan, your new plan must be re-approved by NIH. the process varies depending on if the change is made pre-award or post-award
Institutional Oversight New
The NIH policy is flexible on who is responsible for overseeing the implementation of DMSPs. While the specifics may vary depending on the project, generally speaking
- PIs are ultimately responsible for ensuring the DMSP is executed.
- HSPP/IRB is responsible for ensuring that the sharing of data pertaining to human subjects is consistent between the DMSP and informed consent.
- PIs and Sponsored Projects and Contracting are responsible for ensuring appropriate data use agreements are in place before sharing sensitive data.
- If a PI choses to deposit data into UA's ReDATA repository to comply with the data sharing aspects of the DMSP, prior to making the data public, the repository is responsible for ensuring the data can be shared. The repository will collect an attestation from the PI that data has been deidentified (where applicable), and that proper consents and permissions have been obtained to share the data. Additionally, the repository will coordinate with the HSPP/IRB, Native Peoples Technical Assistance Office, or other offices as appropriate.
Where can I get help?
|Contact||For Questions About|
|Research Data Management Services||
|Human Subjects Protection Program||
|Ryan Duitman - UITS||
|Scott Pryor - Research Compliance Services||
|Mariette Marsh - Regulatory Affairs & Safety||
|Your departmental grants administrators||
|Jerry Perry - UA Health Sciences Library||
- Final NIH Policy for Data Management and Sharing (2023)
- FAQs for the NIH Policy for Data Management and Sharing (DMS Policy)
- Supplemental Information: Elements of an NIH Data Management and Sharing Plan (2023)
- Supplemental Information: Allowable Costs for Data Management and Sharing (2023)
- Supplemental Information: Selecting a Repository for Data Resulting from NIH-Supported Research
- Supplemental Information: Protecting Privacy When Sharing Human Research Participant Data
- Supplemental Information: Responsible Management and Sharing of American Indian/Alaska Native Participant Data
- Informed Consent for Secondary Research with Data and Biospecimens Guidance and sample language.
For more information from the UA Libraries, see Data Management Resources