Categories, Statistics, and Summary Information on Policy Violations
Compliance Statistics for Policies that Govern Data Submission, Access, and Use of Genomic Data
Under the NIH Genomic Data Sharing (GDS) Policy (NOT-OD-14-124) and its predecessor, the Policy for Sharing of Data Obtained in NIH Supported or Conducted Genome-Wide Association Studies (GWAS) (NOT-OD-07-088), investigators and their institutions seeking to access data from the database of Genotypes and Phenotypes (dbGaP) must agree to the Data Use Certification (DUC) Agreement, which describes the terms associated with data use. Failure to adhere to terms of the DUC constitutes a compliance violation. As of July 1, 2018, NIH has approved 42,292 Data Access Requests and, of these Requests, has identified and managed 38 policy compliance violations. The number of compliance violations represents 0.1% of the approved Data Access Requests and are categorized as being related to data submission, research use or data access, data security, and the publication embargo period.
- Data Submission: These violations resulted from errors made by submitting investigators while the data were being prepared for submission to dbGaP.
- Research or Data Access: These violations occurred when dbGaP data were used in an inappropriate manner by approved users or when a dbGaP study configuration error caused the wrong data to be distributed to approved users.
- Data Security: These violations resulted from a computer software error or misconfiguration that allowed or had the potential to allow unapproved individuals to access dbGaP data.
- Publication Embargo: These violations have no impact on research participant protections. They occurred when dbGaP users, who were not part of the submitting investigator’s team or collaborators, published or presented secondary research findings prior to the embargo date set by the original submitting investigator. Publication embargos apply only to datasets accessed under the GWAS Policy.
As described in the DUC, investigators and their institutions agree to notify the appropriate DAC(s) of any violation of or departure from the terms of the DUC within 24 hours of when the incident is identified. When a violation is reported, the appropriate DAC Chair is responsible for corresponding with the users and institution involved in the incident to gain an understanding of the full scope of the violation, to take immediate action to protect dbGaP data, and implement remediations as necessary.
For a summary of dgGaP Compliance Violation between 2007 and 2018, please click here.