Skip to main content

WVU Research - Data Protection Certification

WVU Research Data Protection Process

REQUIRED as of 10/11/21 

To facilitate faster approvals for data agreements and IRB protocols and to strengthen compliance for collecting and using data for research, WVU is introducing a process for Data Protection for projects that will submit a human subjects protocol to the IRB (all protocol types, including NHSR) and for requesting human subjects Data Use Agreements from WVU OSP.  

The Data Protection Request Form replaces the Data Intake Form.

The Data Protection Request Form is required for ALL INITIAL and NEW Protocols - This includes expired protocols that are entered as new.

Submit a WVU Research - Data Protection Request Form

Modify a Submitted Data Protection Form


Question by Question Guidance

Click on the button above to complete the Data Protection Request Form
. Question by Question guidance is provided within the form and via the button above this paragraph. After you submit the form, you will either receive a Low Risk Data Protection Certificate within minutes or emails indicated subsequent required approvals. Click here to view a SAMPLE DATA PROTECTION CERTIFICATE.  After approvals are complete, you will be emailed a Medium or High Risk Data Protection Certificate. 


How the process works:

Researchers complete a Data Protection Request Form (formally the Data Intake Form), depending on the request and risk related to the data, the submitter will receive a Data Protection Certificate within 15 minutes or within 5-7 days.  

Other approvals may be needed for data agreements, unapproved technology, technology services and non-standard data storage plans may take 2-3 weeks to be approved.  

The Data Protection Certificate will be sent when the data storage plan is approved to facilitate protocol submission, however all approvals must be completed BEFORE research can begin. The responsibility for ensuring all needed approvals are provided by the University is the responsibility of the PI.


Risk
Approval Time
Data Description

LOW RISK
DP Certificates 

Automatically emailed to the submitter within 15 minutes.
Applies to:
  • De-identified data where the source is not a WVU HS medical record 
  • Data collected anonymously
  • Data from public sources
  • Data from sources with no identifiers.  
Click here for a list of identifiers.
MEDIUM and HIGH RISK
DP Certificates


Automatically emailed to the submitter within 15 minutes IF standard storage plans can be used.
Applies to:  
  • Data that includes identifiers that are not considered HIPAA-PHI
  • De-identified/Coded data from a WVU Health System Medical Record 
Click here for a list of identifiers

If an approved storage plan can NOT be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks depending on the request.

HIGH RISK
DP Certificates
(HIPAA- PHI/Sensitive Data)

NOT Automatically emailed within minutes.  (5-7) Days for medical/dental record access and storage plan review) 
Applies to:
  • Data that includes identifiers from WVU Health System  medical/dental records (including Limited Data Sets)
  • HSC repositories 
  • Sensitive data under WVU University policy.

Approvals may take 5-7  business days depending on the request. The WV CTSI Privacy Review is part of the review for requests for WVU HS medical records. 

If an approved storage plan can NOT be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks depending on the request.

 
The process will provide researchers with:
  • The classification of risk for the data to be used and stored in support of the research
  • The WVU ITS/WVU-HSC ITS approved storage plan(s) for the data
  • The WVU ITS/WVU-HSC ITS approved technology products for research
  • The WVU approved participant payment methods
  • HIPAA approval and institutional review of requirements for WVU Health System data (medical records)
The process will automatically notify the correct departments for:
  • The Office of Export Control for requirements related to international research components
  • The Office of Sponsored Programs to begin the Data Use Agreement process
  • Other departments related to the approval of new technology, technology services, or participant payment methods

Changes to Approved Forms:

If data requirements change after the DP Certificate is received, a new form must be submitted reflecting the change (research project personnel, data source, data variables). Research projects using High Risk data must report all changes in Research Personnel.  Click on the link above for instructions on how to easily submit a change.