NIMH Data Archive Data Use Certification

Introduction

This Data Use Certification Agreement outlines the terms and conditions for requesting access to data maintained in the National Institute of Mental Health (NIMH) Data Archive.

Researchers accessing human subjects’ data and their research institution are responsible for maintaining the privacy of those subjects and the confidentiality of their data. By signing and submitting this NIMH Data Archive Data Use Certification (DUC), you and your institution are accepting the terms and conditions for responsibly using human subjects’ data. Read the entire DUC carefully before signing and submitting this agreement. Ensure that all members of your research team who will have access to the data under this DUC (Recipients) have also read the DUC and have agreed to abide by the terms of the DUC. You and your institution are responsible for the way that all listed Recipients use the data. Failure to adhere to the terms and conditions of this DUC could result in denial of further access to NIMH Data Archive data and in other actions.

The NIMH Data Archive

The National Institute of Mental Health (NIMH) Data Archive (NDA) is an NIH-funded collaborative resource that contains harmonized human subjects research data and metadata from multiple research Data Repositories, providing a rare and valuable scientific resource. Access to shared record-level data in NDA is provisioned at the level of a Permission Group. NDA Permission Groups consist of one or multiple NDA Collections that contain data with the same subject data use consents and sponsorship requirements. An NDA Collection generally contains data associated with a single grant award.

See https://nda.nih.gov/about/about-us.html and https://nda.nih.gov/user/dashboard/data_permissions.html for a current list of NDA Data Repositories and NDA Permission Groups. NDA Data Access Request Standard Operating Procedures are maintained at https://nda.nih.gov/about/standard-operating-procedures.html#sop4 and include a description of sponsorship requirements.

Data submitted to NDA have been stripped of all individual identifiers. However, the unique and intrinsically personal nature of clinical data, genomics data, brain imaging data, and other derivative data of which are included in these repositories, combined with new analytical methodologies and decreasing computing and storage costs, has altered the framework through which “identify-ability” can be defined. To protect and assure the confidentiality and privacy of all participants, all Recipients who are granted access to these data are expected to adhere to all terms of use outlined in this DUC.

The NIH and NIMH seek to encourage the use of these resources to achieve rapid scientific progress. Moreover, NIMH has made data sharing a requirement for all clinical research it funds (see NOT-MH-23-100). In order to take full advantage of such resources and maximize their research value, it is important that data are made broadly available, on appropriate terms and conditions, to the largest possible number of qualified investigators in a timely manner.

To submit data to the NIMH Data Archive, the NIMH Data Archive Data Submission Agreement (DSA) must be completed, which is a separate document (https://nda.nih.gov/ndapublicweb/Documents/NDA+Submission+Request.pdf).

Data Use Terms and Conditions

I request access to shared data from the NIMH Data Archive for the purpose of scientific investigation, scholarship or teaching, or other forms of research and research development as described in the following NIMH Data Archive Data Use Certification (DUC). I, and any Other Recipients listed in this DUC, agree to the following terms:

1. Non-transferability of Agreement

The Recipient’s institution and the Recipient agree to retain control of NIH controlled-access data accessed through the request, and further agree not to distribute controlled-access data to any entity or individual not identified in the request without appropriate written approvals from the NIH. Recipients may distribute (share) data from the NIMH Data Archive with authorized researchers (collaborators) who are listed on a non-expired DUC for the same Permission Group and have agreed to the terms in this DUC, for the purpose of collaboration on research projects only. Recipients are responsible for ensuring that collaborators are authorized researchers. Recipients may contact the NIMH Data Archive Help Desk at ndahelp@mail.nih.gov to receive written confirmation that the DUC for collaborators is not currently expired. If the DUC has expired, or will expire within one calendar month, it must be renewed prior to sharing data. Each Recipient will follow all data security practices and other terms of use defined in this Agreement and the Recipient Institution’s IT security requirements and policies.

The Recipient’s institution and Recipient acknowledge responsibility for ensuring the review and agreement to the terms within this Agreement and the appropriate research use of controlled-access data accessed through the request, subject to applicable laws and regulations. The Recipient’s institution and the Recipient agree that controlled-access data obtained through the request, in whole or in part, may not be sold to any individual at any point in time for any purpose.

This DUC is not transferable. The Recipient’s institution must have policies and procedures to ensure that Recipients complete the close-out process as described in Termination and Data Destruction (term 9) before moving to a new institution. Recipients must notify the NIMH Data Archive of changes in institutional affiliation. Recipients who change institutional affiliation will be removed from the DUC and must submit a new request in which the recipient agrees to the DUC and the Genomic Data User Code of Conduct from their new institution in order to retain access. If the Lead Recipient changes institutions, a new DAR can be submitted by the Lead Recipient’s institution or a new Lead Recipient can submit a new DAR. If a Recipient moves to a new institution without completing the close-out process, the Recipient’s institution must immediately notify the NIMH Data Archive.

2. Data for Research Use

Recipients agree to use data for scientific investigation, scholarship or teaching, or other form of research and research development. Data will be used by the Recipient in connection with the purpose indicated and described in the Research Data Use Statement in the Recipient Information and Certifications below.

3. Non-identification

Recipients agree not to use controlled-access data accessed through the request, either alone or in concert with any other information, to identify or contact individual participants from whom data and/or samples were collected. Approved Users also agree not to generate information (e.g., facial images or comparable representations) that could allow the identities of research participants to be readily ascertained. These provisions do not apply to original data submitters operating with specific Institutional Review Board (IRB) or equivalent body approval, pursuant to 45 CFR 46, to contact individuals within datasets or to obtain and use identifying information under an IRB-approved research protocol. All Recipients conducting “human subjects research” within the scope of 45 CFR 46 must comply with the requirements contained therein. 

Recipients agree to not publish or distribute any derived data that could aid in the re-identification of any of the study participants (or their relatives). There may be some judgement concerning whether derived data can aid in the re-identification of a research participant especially for imaging or genomic data that has been reprocessed using data obtained from NDA. Any questions concerning this issue should be directed to the Recipient’s IRB or sent to the NIMH Data Archive Help Desk (ndahelp@mail.nih.gov). Before subject-level derived data are distributed outside of an NDA Study, approval should be sought from the Help Desk. Recipients agree to notify the NIH at NDAHelp@mail.nih.gov as soon as possible if, upon use of NIMH Data Archive data, identifying information is discovered.

4. Certificate of Confidentiality 

Certificates of Confidentiality (Certificate) protect the privacy of research participants by prohibiting disclosure of protected information for non-research purposes to anyone not connected with the research except in specific situations. Data that are stored in and shared through the NIH data repositories are protected by a Certificate. Therefore, recipient(s), whether or not funded by the NIH, who are approved to access a copy of information protected by a Certificate, are also subject to the requirements of the Certificate of Confidentiality and subsection 301(d) of the Public Health Service Act.   

Under Section 301(d) of the Public Health Service Act and the NIH Policy for Issuing Certificates of Confidentiality, recipients of a Certificate of Confidentiality shall not: 

• Disclose or provide, in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding, the name of such individual or any such information, document, or biospecimen that contains identifiable, sensitive information about the individual and that was created or compiled for purposes of the research, unless such disclosure or use is made with the consent of the individual whom the information, document, or biospecimen pertains; or  

• Disclose or provide to any other person not connected with the research the name of such an individual or any information, document, or biospecimen that contains identifiable, sensitive information about such an individual and that was created or compiled for purposes of the research. 

Disclosure is permitted only when:  

• Required by Federal, State, or local laws (e.g., as required by the Federal Food, Drug, and Cosmetic Act, or state laws requiring the reporting of communicable diseases to State and local health departments), excluding instances of disclosure in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding;  

• Necessary for the medical treatment of the individual to whom the information, document, or biospecimen pertains and made with the consent of such individual;  

• Made with the consent of the individual to whom the information, document, or biospecimen pertains; or  

• Made for the purposes of other scientific research that is in compliance with applicable Federal regulations governing the protection of human subjects in research.  

For more information see: Certificates of Confidentiality (CoC) | Grants & Funding

5. Compliance with Applicable Human Subjects Protection and Institutional Requirements

Recipients agree to comply with all applicable rules for the protection of human subjects, which may include Department of Health and Human Services regulations at 45 C.F.R. Part 46, and other federal and state laws for the use of this data. Recipients are responsible for determining whether their proposed research with data from the NIMH Data Archive necessitates consultation with their Institutional Review Board.

Recipients agree to conform to the principles for ethical conduct of biomedical and behavioral research as outlined in Section B of the Belmont Report (Respect for Persons, Beneficence, and Justice). Recipients must consider any psychological, social, economic, and other potentially harmful impacts their research results could have on individuals, communities, and society, and take steps to minimize them.

Recipients agree to report promptly to the NIH any unanticipated problems involving risks to subjects or others. This DUC is made in addition to, and does not supersede, any of Recipient's institutional policies or any local, State, and/or Federal laws and regulations that provide additional protections for human subjects.

Recipients with Institutional sponsorship acknowledge that access, if provided, is for research that is approved by the institution with which they are affiliated, which must be operating under an active Federal Wide Assurance (FWA) issued by the Department of Health & Human Services, Office for Human Research Protections (OHRP).

6. Additional Human Subjects Research Requirements

The Global Unique Identifier (GUID) is a computer-generated alphanumeric code that is unique to each research participant. The GUID allows the NIMH Data Archive to link together all submitted information on a single participant, giving researchers access to information even if the data were collected at different locations or through different studies. If Recipients access data on individuals for whom they, themselves, have previously submitted data to the NIMH Data Archive, Recipients may gain access to more data about an individual participant than they, themselves, collected. Consequently, these research activities may be considered “human subjects research” within the scope of 45 C.F.R. 46. In this case, recipients must comply with the requirements contained in 45 C.F.R. 46, as applicable, which may require IRB approval of the Research Data Use Statement.

7. Data Security and Unauthorized Data Release

The Recipient’s institution and the Recipient agree that they have reviewed and agree to manage the requested controlled-access dataset(s) and any data derivatives of controlled-access data according to NIH’s expectations set forth in the NIH Security Best Practices for Users of Controlled-Access Data and the Recipient’s institution IT security requirements and policies.

The Recipient’s institution and the Recipient agree to notify the NIH Incident Response Team, the NIMH Data Archive Help Desk, and the NIH Office of Extramural Research Data Sharing Policy Implementation (OER/DSPI) Team of any unauthorized data sharing, breaches of data security, or inadvertent data releases that may compromise data confidentiality within 24 hours of when the incident is identified. For the NIH Incident Response Team, notifications can be made by phone (301) 496-HELP (4357); Toll Free Number: (866) 319-4357or TTY: (301) 496-8294 and can also be sent by email to NIHInfoSec@nih.gov or via the Report an Incident Link: https://irtportal.ocio.nih.gov/.  For the NIMH Data Archive Help Desk, notifications can be sent to ndahelp@mail.nih.gov. For OER/DSPI Team, notifications can be sent to DMI_OER@mail.nih.gov.

As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the notification, the Recipient’s institution agrees to submit to the NIMH Data Archive and the OER/DSPI Team a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent future incidents, including specific information on timelines anticipated for action. The Recipient’s institution agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Recipient’s institution and the Recipient. 

NIH, or another entity designated by NIH, as permitted by law, may also investigate any data security incident or policy violation. Recipients and their associates agree to support such investigations and provide information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, the Recipient’s institution and the recipient agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law. 

8. Terms of Access Violations 

The Recipient’s institution and the Recipient acknowledge that the NIH may terminate the request, including this Agreement, and immediately revoke or suspend access to all controlled-access data at any time if the Recipient’s institution and/or the Recipient is found to be no longer in agreement with the terms described in this Agreement, the Genomic Data User Code of Conduct , or the policies, principles, and procedures of NIH.

The Recipient’s institution and the Recipient agree to notify the OER/DSPI Team the NIMH Data Archive of any terms of access violations, hereinafter referred to as data management incidents (DMIs), within 24 hours of when the incident is identified. For the NIMH Data Archive, notifications can be sent to the Help Desk, ndahelp@mail.nih.gov. For OER/DSPI Team, notifications can be sent to DMI_OER@mail.nih.gov. As permitted by law, notifications should include any known information regarding the incident and a general description of the activities or process in place to define and remediate the situation fully. Within 3 business days of the notification(s), the Recipient’s institution agrees to submit to the NIMH Data Archive and the OER/DSPI Team a detailed written report including the date and nature of the event, actions taken or to be taken to remediate the issue(s), and plans or processes developed to prevent future incidents, including specific information on timelines anticipated for action. The Recipient’s institution agrees to provide documentation verifying that the remediation plans have been implemented. Repeated violations or unresponsiveness to NIH requests may result in further compliance measures affecting the Recipient’s institution and the Recipient.  

As outlined in Term 7 (Data Security and Unauthorized Data Release), all notifications of unauthorized data sharing, breaches of data security, or inadvertent data releases should also be sent to the NIH Incident Response Team. Notifications can be made by phone: (301) 496-HELP (4357); by Toll Free Number: (866) 319-4357or TTY: (301) 496-8294; by email: NIHInfoSec@nih.gov; or by the Report an Incident Link: https://irtportal.ocio.nih.gov/.

NIH, or another entity designated by NIH, may, as permitted by law, also investigate any data management incident. Recipients and their associates agree to support such investigations and provide information, within the limits of applicable local, state, Tribal, and federal laws and regulations. In addition, the Recipient’s institution and the Recipient agree to work with the NIH to assure that plans and procedures that are developed to address identified problems are mutually acceptable and consistent with applicable law. 

9. Termination and Data Destruction

Upon close-out, the Recipient’s institution and the Recipient agree to destroy all copies, versions, and data derivatives of the data retrieved from NIMH Data Archive, on both local servers and hardware, and if cloud computing was used, delete the data and cloud images from cloud computing provider storage, virtual and physical machines, and databases in accord with the NIH Security Best Practices for Users of Controlled-Access Data..  In instances where NIH decides that data derivatives should be transferred to a NIH repository, it is permissible for the Recipient to retain such data until transfer is complete. Once the transfer is complete it is expected that the Recipient and the Recipient’s institution will destroy the data according to the NIH Security Best Practices for Users of Controlled-Access Data.  

10. Supporting Documentation

Data and Supporting Documentation in the NIMH Data Archive are eligible for access by qualified researchers, pursuant to the terms set forth in this DUC. Recipients agree to review the supporting information, materials, and documentation (“Supporting Documentation”) for the data accessed in the NIMH Data Archive to enable efficient use of the submitted data by Recipients unfamiliar with the data or the research project. Examples of supporting documentation include:

• Research protocol(s)

• Questionnaire(s)Study manuals

11. Sharing Results with a NIMH Data Archive Study

Recipients agree to create and share an NIMH Data Archive Study (https://nda.nih.gov/get/manuscript-preparation.html) for each publication, computational pipeline, or other public disclosure of results from the analysis of data accessed in the NIMH Data Archive, whether reporting positive or negative results, thereby linking it to the underlying data. Recipients agree to create the NIMH Data Archive Study when a manuscript is submitted for review and share the NDA Study when the publication is released. Recipients submitting renewal data access requests or project close-outs agree to report their results and list each related NIMH Data Archive Study in the Progress Report section below.

12. Acknowledgements

Recipients agree to acknowledge the appropriate NIMH Data Archive data repository and the relevant Digital Object Identifier(s) (DOI), which will be minted upon NIMH Data Archive Study creation, in any and all oral and written presentations, disclosures, and publications (including abstracts, as space allows) resulting from any and all analyses of data. Acknowledgements specific to each NDA data repository are maintained at https://nda.nih.gov/get/manuscript-preparation.html. Oral or written presentations, disclosures, or publications should include the appropriate acknowledgement statement(s).

13. Data Disclaimers

Recipients acknowledge that the NIH does not and cannot warrant the results that may be obtained by using any data or data analysis tools included in the NIMH Data Archive. The NIH disclaims all warranties as to the accuracy of the data in the NIMH Data Archive or the performance or fitness of the data or data analysis tools for any particular purpose.

14. Non-Governmental Endorsement; Liability

Recipients agree not to claim, infer, or imply endorsement of the research project described in the Research Data Use Statement, the entity, or personnel conducting the research project or any resulting commercial product(s) by the United States Government, the Department of Health & Human Services, the National Institutes of Health, or the National Institute of Mental Health. The United States Government assumes no liability except to the extent provided under the Federal Tort Claims Act (28 U.S.C. § 2671-2680).

15. Recipient’s Permission to Post Information Publicly

Recipient agrees to permit the NIMH Data Archive to publicly summarize the Recipient’s research use of data along with the Recipient’s name and organizational/institutional affiliation, as listed in this DUC.

16. Privacy Act Notification

Recipients agree that information collected by the NIH from a Recipient, as part of the DUC, may be made public in part or in whole for tracking and reporting purposes. This Privacy Act Notification is provided pursuant to Public Law 93-579, Privacy Act of 1974, 5 U.S.C. Section 552a. Authority for the collection of the information requested below from Recipients comes from the authorities regarding the establishment of the National Institutes of Health, its general authority to conduct and fund research and to provide training assistance, and its general authority to maintain records in connection with these and its other functions (42 U.S.C. 203, 241, 289l-1 and 44 U.S.C. 3101), and Sections 301 and 493 of the Public Health Service Act. These records will be maintained in accordance with the Privacy Act System of Record Notice 09-25-0156 (https://oma.od.nih.gov/forms/Privacy%20Documents/Documents/Privacy%20Act%20Systems%20of%2 0Records%20Notices%20(SORNs)%205-1-15.pdf) covering “Records of Participants in Programs and Respondents in Surveys Used to Evaluate Programs of the Public Health Service, HHS/PHS/NIH/OD.” The primary uses of this information are to document, track, monitor, and evaluate the use of NIMH Data Archive datasets, as well as to notify interested Recipients of updates, corrections or other changes to the database.

The Federal Privacy Act protects the confidentiality of some NIH records. The NIH will use the information collected for the purposes described above. In addition, the Act allows the release of some information in the Recipient’s records without the Recipient’s permission; for example, if it is requested by members of Congress or other authorized individuals. The information requested in this DUC is voluntary, but necessary for obtaining access to data in the NIMH Data Archive..

17. Term and Access Period

Recipients are granted permission to access requested and approved data from the NIMH Data Archive for a period of one year and this DUC will automatically terminate at that time. Through submission of the request, the recipient and Requester agree to submit a Project Renewal prior to the expiration date of the one (1) year data access period or submit an NDA Close-Out report. Recipients submitting renewal data access requests or project close-outs agree to report their results and list each related NIMH Data Archive Study in the Progress Report section below. Data access renewal requests will be reviewed for compliance with the terms and conditions of this DUC.

18. Accurate Representations

Recipients expressly certify that the contents of any statements made or reflected in this document are truthful and accurate.

Burden Disclosure Statement

Public reporting burden for this collection of information is estimated to vary from 15 min to 1.5 hours per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to: NIH, Project Clearance Branch, 6705 Rockledge Drive, MSC 7974, Bethesda, MD 20892-7974, ATTN: PRA (0925-0667). Do not return the completed form to this address.

NIMH Data Archive Recipient Information and Certifications

DAR ID: _______________

1. Access Request

Access to shared record-level data in NDA is provisioned at the level of a Permission Group. See https://nda.nih.gov/about/about-us.html and https://nda.nih.gov/user/dashboard/data_permissions.html for a current list of Permission Groups and their specific data access requirements.

Request Type: New ___ ___ Renewal: ______

NDA Permission Group: _________________________________________________________________

Permission Group Description: ___________________________________________________________

_____________________________________________________________________________________

Data Use Limitations: ___________________________________________________________________

_____________________________________________________________________________________

Requires IRB Approval: Yes ______ No _______

Requires Institutional Sponsorship*: Yes ______ No _______

*Institutional sponsorship requires the signature of an Institutional Signing Official and an active Federal Wide Assurance (FWA) number in the Signatures section below.

Requesting access to sensitive data*: Yes ______ No _______

* Requests for sensitive data such as geolocation data from personal tracking devices would require additional documentation confirming IRB awareness of additional security concerns. Consult NDA Help Desk if sensitivity of requested data is unclear.

2. Progress Report (For Renewal Requests Only):

Recipients requesting a renewal of an expiring Data Use Certification should provide a Progress Report on research conducted with data from the NIMH Data Archive. The Progress Report should also describe any updates to the original Research Data Use Statement and changes to the Other Recipient list on the Data Use Certification. Recipients who conduct a secondary analysis on data shared through NIMH Data Archive are expected as part of the DUC Terms of Use to report their results using the NDA Study feature (https://nda.nih.gov/get/manuscript-preparation.html). Data Access Requesters should also indicate any violations of the terms of access (e.g., data misuse, breaches, security incidents) and the implemented remediation, and information on any downstream intellectual property generated from the data.

Progress Report Statement:

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

Has a publication, computational pipeline, or other public disclosure of results from the analysis of data accessed in the NIMH Data Archive resulted from a Recipient’s previous access period? Yes: ___ No: ___

If Yes, list the PubMed ID(s) or citation(s): __________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

Has an NDA Study been created? Yes: ___ No: ___

If Yes, list the NDA Study number(s): ______________________________________________________

3. Research Data Use Statement

Both new and renewal access requests should complete this section.

Describe the purpose of the scientific investigation, scholarship or teaching, or other form of research and research development for which you are requesting access to the NIMH Data Archive. Describe how NDA data will be accessed by all recipients on this DUC. If data will be downloaded, describe how the data will be managed throughout the course of the proposed research, including the plan for data deletion.

If you are requesting access to controlled access data, this statement must demonstrate adherence to the consent-based data use limitations described in the NDA Permissions Dashboard.

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

____________________________________________________________________________________

4. Attestation of Compliance with NIH Security Best Practices for Users of Controlled-Access Data

IMPORTANT: NIH expects that Approved Users of NIH controlled-access data under the GDS Policy systems comply with NIH Security Best Practices for Users of Controlled-Access Data and maintain such data on institutional IT systems, cloud service providers (CSPs), and/or third-party IT systems with security standards that meet or exceed NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”.

• By checking this box, I, as the PI requesting access to this data, attest that data will be secured, at a minimum, in accordance with NIST SP 800-171 or the equivalent ISO/IEC 27001/27002 standards as stipulated by the NIH Security Best Practices for Users of Controlled-Access Data.

Please indicate the standard that will be used to secure the data (check one):

• NIST SP 800-53, latest revision, Moderate Baseline or above

• FedRamp Moderate Baseline or above

• FISMA Moderate Baseline or above

• NIST SP 800-171, latest revision

• ISO/IEC 27001/27002

• Other, including prior revisions of the above standards [Include Text Box with 500 word limit]

• By checking this box, I attest that all previously accessed NDA datasets with the exception of datasets from active DARs were deleted from all local and cloud-based platforms as committed to in previous NDA Data Access Requests.

5. Use of a third-party IT system and/or cloud service provider (CSP)