NIH Data Management and Sharing Policy FAQs

Frequently Asked Questions

This Frequently Asked Questions (FAQs) page includes UO-focused answers based on current NIH guidance. They are intended to help clarify the implementation of the NIH Policy for Data Management and Sharing at the University of Oregon and will be updated on an ongoing basis. For more FAQs, please refer to the FAQ list compiled by NIH.

  1. What is considered "scientific data" for the purposes of this plan?
  2. What are the FAIR Data Principles?
  3. Does this new policy apply to grants already in progress?
  4. How will the plans be assessed?
  5. How do I determine the security classification level of my data?
  6. Where can I store my data?
  7. What is a data or metadata standard? What standards are relevant to my research?
  8. Am I expected to share all data generated during my research?
  9. What data repository should I use?
  10. Can I make my data available only upon request?
  11. When do I need to make my data available?
  12. How long does my data need to remain available?
  13. What data management and sharing costs can I include in my grant proposals?
  14. What amount is expected and reasonable to budget these costs in my upcoming proposal?
  15. How do I request, budget, and justify these DMS costs in my NIH proposal?
  16. What happens if I do not comply with the NIH policy or make my data available as described in the DMSP?
  17. Who owns the research data I produce and what are my responsibilities regarding its management?
  18. Where can I get more help at UO?
  1. What is considered "scientific data" for the purposes of this plan?

The final NIH Policy defines Scientific Data as: “The recorded factual material commonly accepted in the scientific community as of sufficient quality to validate and replicate research findings, regardless of whether the data are used to support scholarly publications. Scientific data do not include laboratory notebooks, preliminary analyses, completed case report forms, drafts of scientific papers, plans for future research, peer reviews, communications with colleagues, or physical objects, such as laboratory specimens.” Even the scientific data that are not used to support a publication are considered scientific data and within the final DMS Policy’s scope.

Back to Top

  1. What are the FAIR Data Principles?

NIH encourages data management and sharing practices to be consistent with the FAIR (Findable, Accessible, Interoperable, and Reusable) data principles and reflective of practices within specific research communities. In 2016, the ‘FAIR Guiding Principles for scientific data management and stewardship’ were published in Scientific Data. The principles emphasize machine-actionability because humans increasingly rely on computational support to deal with data resulting from the increase in volume, complexity, and creation speed of data.

Back to Top

  1. Does this new policy apply to grants already in progress?

No. The policy only applies to new competing grant applications, it does not retroactively apply. The effective date of the DMS Policy is January 25, 2023, including for:

  • Competing grant applications that are submitted to NIH for the January 25, 2023, and subsequent receipt dates
  • Proposals for contracts that are submitted to NIH on or after January 25, 2023
  • NIH Intramural Research Projects conducted on or after January 25, 2023
  • Other funding agreements (e.g., Other Transactions) that are executed on or after January 25, 2023, unless otherwise stipulated by NIH

For guidance on applications for receipt dates BEFORE January 25, 2023, refer to the 2003 NIH Data Sharing Policy.

Back to Top

  1. How will the plans be assessed?

NIH program staff will assess the DMSPs, but peer reviewers may comment on the proposed budget for data management and sharing. “The final DMS Policy maintains NIH Program Staff assessments of Plans’ merits. However, peer reviewers may comment on the proposed budget for data management and sharing, although these comments will not impact the overall score…Over time, and through these reviews, we hope to learn more about what constitutes reasonable costs for various data management and sharing activities across the NIH portfolio of research.” See more under Section VI of the Final NIH Policy.

Back to Top

  1. How do I determine the security classification level of my data?

UO categorizes data classification levels as follows:

  • Low Risk (Green): Data is classified as Low Risk ("green") if the loss of confidentiality, integrity, or availability of the data would have minimal strategic, compliance, operational, financial, or reputational risk to the University.
  • Moderate Risk (Amber): Data is classified as Moderate Risk ("amber") if the loss of confidentiality, integrity, or availability of the data would have moderate strategic, compliance, operational, financial, or reputational risk to the University.
  • High Risk (Red): Data is classified as High Risk ("red" - the most sensitive/critical classification) if the loss of confidentiality, integrity, or availability of the data would have high strategic, compliance, operational, financial, or reputational risk to the University.  

The PI managing the overarching project is responsible for assessing the sensitivity of the data throughout the project's lifecycle and meeting the following internal requirements:

“The PI will consult with the UO Information Security Office to ensure that appropriate measures are in place to prevent unauthorized access to restricted data. During the research process, all files will regularly be backed up in three places: 1) to a HIPAA-compliant OneDrive for Business cloud storage account; 2) to a solid-state flash drive (thumb drive) kept in a locked file in the PI’s office; and 3) to a solid-state flash drive kept in a locked file in the PI’s home office. OneDrive backups will be near-instantaneous, as all files stored on the laptop will be synced to OneDrive. The PI will perform incremental regular backups to the flash drives and will confirm the data integrity of the flash drives quarterly.”

In addition, researchers need to be aware of external requirements and limitations that may apply to the management of the data, either per IRB documentation, contractual obligations, sponsor guidelines, or a regulatory mandate. If the research team has any questions pertaining to the applicable classification level, they should speak to an Information Security Officer. If at any point during the project’s period of performance the data is determined to High Risk (Red), the research team should notify UO Information Security.

UO researchers frequently deal with sensitive information that relates to human subjects and other research areas. Examples can include proprietary information, personally identifiable information, and data that is subject to confidentiality requirements or domestic regulations. Others include certain personally identifiable data that could directly impact individuals’ safety or financial standing, as well as certain regulated data (e.g., GDPR, CMMC, NIST 800-171), information with national security or export control implications, and medical information. All of these are usually categorized as High Risk (Red) data. For more extensive information, please see the UO Information Security’s Data Security Classification Table.

Back to Top

  1. Where can I store my data?

UO faculty, staff, and students have access to a HIPAA- and FERPA-compliant OneDrive for Business Cloud Storage account with one terabyte (1TB) of storage, and a FERPA-compliant Dropbox account with unlimited storage. The technical support team in your department should be able to help you sync your hard drive with OneDrive or Dropbox to create automatic backups. Be aware that you cannot sync files to both OneDrive and Dropbox simultaneously. Whether you use OneDrive or Dropbox, we recommend that labs and research groups use storage that is assigned to the team, lab, or group rather than owned by an individual. This ensures that the files remain seamlessly accessible should that individual leave the university or otherwise leave the team. Here are some UO-specific resources for setting up shared storage:

Whatever storage you use, follow 3-2-1 backup rule: keep at least three (3) copies of your data, and store two (2) backup copies on different storage media, with one (1) of them located offsite. Even if using Dropbox or OneDrive, it is recommended to follow this rule and save your data in separate places. Also see more information on the UO Libraries Research Data Management website.

Back to Top

  1. What is a data or metadata standard? What standards are relevant to my research?

Data standards specify how data and related materials should be stored, organized, and described. In the context of research data, the term typically refers to the use of specific and well-defined formats, schemas, vocabularies, and ontologies in the description and organization of data. However, for researchers within a community where more formal standards have not been well established, it can also be interpreted more broadly to refer to the adoption of the same (or similar) data management-related activities, conventions, or strategies by different researchers and across different projects.

Back to Top

  1. Am I expected to share all data generated during my research?

No. Under the DMS Policy, researchers are expected to maximize the appropriate sharing of scientific data, which is defined as data commonly accepted in the scientific community as being of sufficient quality to validate and replicate the research findings. Not all data generated during NIH-supported research will constitute scientific data under the DMS Policy. See the NIH FAQ for more information.

NIH Institutes, Centers, or Offices (ICOs), Notice of Funding Opportunities (NOFOs), funding opportunity announcements (FOAs), and other NIH policies (e.g., the Genomic Data Sharing Policy) may have additional expectations for what data should be shared.

Researchers are expected to maximize appropriate sharing of any new, derived data generated resulting from their research. Note that use of data obtained from repositories or other sources and derived data may be subject to limitations on sharing as a condition of access.

Back to Top

  1. What data repository should I use?

Some programs, types of data, ICOs, or Funding Opportunity Announcements (FOAs) may require data deposition in particular data repositories, and “primary consideration should be given to data repositories that are discipline or data-type specific to support effective data discovery and reuse.” NIH encourages the use of established repositories. To select a repository relevant to your data, consider:

  • Is there a specific NIH repository named in the FOA?
  • Is there a data repository specific to the data type(s) relevant to your research and your scientific discipline?
  • Is there a data repository specified by the journal in which you are publishing or hope to publish?
  • If there are no relevant discipline-specific repositories, is there a generalist data repository you can use?

For data generated from research for which no data repository is specified by NIH, researchers are encouraged to select a data repository that is appropriate for the data generated from the research project and is in accordance with the NIH Desirable Characteristics for All Data Repositories. To learn more, check out the NIH guidance on selecting a data repository.

Back to Top

  1. Can I make my data available only upon request?

NIH expects that researchers will take steps to maximize scientific data sharing, but acknowledges that certain factors (i.e., ethical, legal, or technical) may necessitate limiting sharing, to some extent. Foreseeable limitations (e.g., bounds of consent documentation, substantial risk to privacy of data subjects, restrictions imposed by regulations or contract), the proposed method for disseminating such data, and the rationale must be described in the DMSP for the NIH to assess.

Back to Top

  1. When do I need to make my data available?

NIH encourages scientific data to be shared as soon as possible, and no later than at the time of an associated publication or the end of the performance period, whichever comes first.

The time of an associated publication: Scientific data underlying peer-reviewed journal articles should be made accessible no later than the date on which the article is first made available in print or electronic format.

The end of the performance period: Scientific data underlying findings not disseminated through peer-reviewed journal articles should be shared by the end of the performance period unless the grant enters a no-cost extension. If a no-cost extension is permitted, then the recipient should share the data by the end of the extended performance period. These scientific data may underlie unpublished key findings, developments, and conclusions; or findings documented within preprints, conference proceedings, or book chapters. For example, scientific data underlying null and negative findings are important to share even though these key findings are not always published. Researchers should be aware that some preprint servers may require the sharing of data upon preprint posting, and repositories storing data may similarly require public release of data upon preprint posting.

Back to Top

  1. How long does my data need to remain available?

Most data repositories are committed to holding data indefinitely. When selecting a repository, the following should be considered, per NIH's guidance on selecting a data repository:

  • Unique Persistent Identifiers: Assigns datasets a citable, unique persistent identifier, such as a digital object identifier (DOI) or accession number, to support data discovery, reporting, and research assessment. The identifier points to a persistent landing page that remains accessible even if the dataset is de-accessioned or no longer available.
  • Long-Term Sustainability: Has a plan for long-term management of data, including maintaining integrity, authenticity, and availability of datasets; building on a stable technical infrastructure and funding plans; and having contingency plans to ensure data are available and maintained during and after unforeseen events.

Back to Top

  1. What data management and sharing costs can I include in my grant proposals?

Allowable costs can include those for:

  • Data curation and developing documentation (i.e., formatting data, de-identifying data, preparing metadata, curating data for a data repository)
  • Data management systems (e.g., unique and specialized information infrastructure necessary to provide local management and preservation before depositing data in a repository)
  • Preserving data in data repositories (i.e., data deposit fees)

Read the NIH Supplemental Information on Allowable Costs for Data Management and Sharing for more information.

Back to Top

  1. What amount is expected and reasonable to budget these costs in my upcoming proposal?

In general, if all the data can be deposited in an NIH repository, or if data that cannot go to an NIH repository, is less than 1TB, and does not contain personally identifiable information and can be publicly shared, then costs for data deposit will vary between $0-$1,000 USD, depending on the repository. On the higher end, the ICPSR data repository, which provides higher than average levels of data curation for social science topics, can cost upwards of $3,000-8,000 USD per deposit. 

Costs for labor/time to have a lab manager, lab data manager, or lab programmer keep the data organized during research and organize and document the data for sharing should be considered, at an estimated 20-100 hours, depending on dataset size(s).

Back to Top

  1. How do I request, budget, and justify these DMS costs in my NIH proposal?

To request funds toward DMS costs, investigators should include:

  • A line item in the budget form
  • A brief summary of the DMS Plan and a description of the requested DMS costs in the budget justification

Requesting Costs:

Request any direct costs to support the activities proposed in the DMS Plan. These costs must be labeled as “Data Management and Sharing Costs” as follows (see Application Instructions for details):

  • R&R Detailed Budget Form: Include the “Data Management and Sharing Costs” line item under F. Other Direct Costs “8-17 Other” on the R&R Budget Form.
  • PHS 398 Modular Budget Form: Use the Additional Narrative Justification attachment of the PHS 398 Modular Budget Form

Justifying Costs:

Include a brief justification of the proposed activities proposed in the DMS Plan that will incur costs. Be sure to include a brief summary of type and amount of scientific data to be preserved and shared, the name of the established repository(ies) to be used, and general cost categories. The recommended length of the justification should be no more than half a page (see Application Instructions for details). This justification must be labeled as "Data Management and Sharing Justification" and should be included as follows:

Back to Top

  1. What happens if I do not comply with the NIH policy or make my data available as described in the DMSP?

NIH Program Staff will be monitoring compliance with the policy during the funding period. “Noncompliance with Plans may result in the NIH ICO adding special Terms and Conditions of Award or terminating the award. If award recipients are not compliant with Plans at the end of the award, noncompliance may be factored into future funding decisions.” See more under Section VIII of the Final NIH Policy.

Back to Top

  1. Who owns the research data I produce and what are my responsibilities regarding its management?

The University of Oregon asserts ownership over research data for all projects conducted at the University, under the auspices of the University, or with University resources. This enables the University to respond to inquiries from funders and third parties, as well as appropriately protect the data, data subjects, and researchers. Principal Investigators (PIs) and other researchers are stewards and custodians of research data. Therefore, the PI’s responsibilities with respect to research data include:

  • Ensuring proper management and retention of research data in accordance with the University of Oregon Records Retention Schedule (UO RRS)
  • Establishing and maintaining appropriate procedures for the protection of research data
  • Ensuring compliance with program requirements
  • Maintaining confidentiality of research data
  • Maintaining appropriate data use agreements for the sharing of research data
  • Complying with applicable federal, state, and local laws and regulations

Permanent retention or archiving refers to the ongoing migration of electronic formats and storage costs, as well as care, maintenance, and access services for the records in perpetuity.

Back to Top

  1. Where can I get more help at UO?

The UO Libraries Research Data Management group is happy to help with selecting a repository, choosing a metadata standard, or answering questions about the policy. We can also refer you to other relevant groups on campus. Sponsored Projects Services is also a great resource for questions related to NIH policy and requirements.

Back to Top