Complying with NIH Controlled Access repository security requirements (NIST 800-171)

Overview

A 2025 implementation update for the NIH Genomic Data Sharing policy introduced new security requirements for using data available from the NIH Controlled Access repositories. These repositories typically contain data collected from human research participants. NIH has strengthened the security requirements to better protect participant privacy and improve the security and confidentiality of these data.

The updated NIH policy follows a security framework defined in NIST 800-171, which outlines specific requirements for data storage, access, and security. Researchers at UCLA have access to the storage and computing options listed below that comply with NIH guidelines. 

Review the list of affected NIH controlled repositories.

Those newly requesting data from an NIH Controlled Access repository, as well as those renewing access or submitting data to those repositories, are affected. The list of repositories is linked above.

Process to gain access and set up storage and compute for data from an NIH Controlled Access Repository

  1. A researcher submits a data access request via an NIH Controlled Access repository and submits a request for contract review to UCLA Technology Development Group (TDG) through the TDG MTA portal.
  2. TDG reviews the incoming data access request on behalf of the researcher.
  3. Where no changes to the contractual language are needed, TDG approves the request and sends out notice to the researcher that prior to accessing the data, the researcher must consult with the UCLA Office of the Chief Information Security Officer’s Governance, Risk and Compliance (GRC) team for alignment with the contractual data security requirements. 
  4. Upon GRC verification of compliance, the researcher will be referred to a UCLA IT team, which will be responsible for stewarding their request.
  5. Additional training may be required before being onboarded onto a compliant service.

Compliant Compute and Storage Options at UCLA

UCLA offers multiple NIH-compliant compute and storage platforms with varying data protection capabilities. The IT team assigned to each researcher’s request will recommend which platform to use based on their individual needs.

The cost of using the platforms varies.

| Platform Name | Best for | Highest allowable data protection level* | Cost model |
| --- | --- | --- | --- |
| Hoffman2 Cluster | Big data workflows that do not contain any personally identifiable information (PII); on-premises | P2 | Free tier available. PIs may purchase additional compute nodes and storage. |
| Unified Learning Environment for Analytics and Data (ULEAD) | Data that needs to be directly analyzed in conjunction with UCLA Health Patient clinical data; cloud-based (Azure) | P4 and UCLA Health Patient Data | Free tier available. Most cases require purchase of compute resources and storage. |
| High Compliance Environment (HCE) | Modest storage and compute needs for highly sensitive data; on-premises | P4 | Free, with strict limits on storage and compute capacity. |
| BruinCloud | Flexible and scalable workflows; cloud-based (AWS) | P4 | Incurs costs |
| Terra (Contact BruinCloud to request a Google Cloud Platform (GCP) Billing Account.) | Flexible and scalable workflows; cloud-based (GCP) | P4 | Incurs costs |

* Data protection levels are defined by the UC Office of the President Classification of Information and IT Resources policy.

Resources

Contact

If you are ready to make a data request, you can do so through your chosen NIH repository (e.g., dbGaP), which will initiate the process described above.

If you have questions, contact UCLA Digital & Technology Solutions.