dbGaP Data Management Process and Compliance Requirements

Overview  

This document outlines the steps and requirements for obtaining and managing data from dbGaP, as well as the associated security protocols mandated by NIH.

Key Updates:  

• New security requirements effective January 25, 2025 mandate that Approved Users of NIH controlled-access data utilize institutional IT systems and compliant third-party computing infrastructures, adhering to the cybersecurity standards specified in NIST SP 800-171 .

Compliance and Security  

Granite System  

• Granite: This secure computing environment at Dartmouth College, Hanover, NH, supports projects requiring compliance with the controls in NIST 800-171 and NIST 800-53 Moderate, making it the appropriate platform for dbGaP data management.
• Information on Granite Services: Detailed services and fees for Granite can be found here .

Process for Accessing dbGaP Data  

Step 1 - Project Creation and Application Submission  

1. Create a Project: The investigator must create a project and complete the online application through the dbGaP Authorized Access System as a “Principal Investigator” using their eRA Commons account.

   • Investigators without an eRA Commons account should coordinate with the Office of Sponsored Projects (OSP) to set up an account.

2. Application Routing: Once submitted, the application will be routed to the Dartmouth Institutional Signing Official in the Office of Sponsored Projects for approval after completion of necessary steps.

Step 2 - Data Use Agreement (DUA) Request  

1. DUA Submission:
   • The investigator or representative must request a Data Use Agreement (DUA) in eRA.
   • Specify either Stephanie Morgan or Jill Mortali as the contact, avoiding your assigned Pre-award or Post-Award contact.
2. Required Information for DUA: Include the following in your ERA submission:
   • Dataset being requested (including version numbers)
   • dbGaP project number
   • Storage location: Indicate Granite, as administered by Research Computing.
   • Institutional Official for IT Security Oversight : Sam Fielder, Sam.Fielder@dartmouth.edu
3. OSP Review:
   • The OSP will review for completeness and either approve or coordinate with the investigator for additional information or requirements.
   • The investigator must confirm an internal consultation with Research Computing and assure that the data will be housed in Granite.

Project Renewals and Closeouts  

For Project Renewals  

• Follow the same access request process outlined above.
• Instead of submitting a new DUA request, submit an amendment to the original DUA.

For Project Closeouts  

1. Initiate Closeout Process: Complete the closeout procedure in the dbGaP system.
2. Amend DUA Submission: Submit an amendment to the original DUA in eRA, including documentation that confirms the data has been permanently destroyed.

---

Links and Resources  

• NIH Notice on dbGaP Security Requirements
• Granite Services and Fees

Note: All stakeholders involved in managing dbGaP data are encouraged to stay updated on NIH policy changes and security requirements to ensure ongoing compliance.