Skip to main content

Data Protection Form Guidance

This guidance supports the research community in completing the Data Protection Request Form.

DP Form Section
Question
Question Guidance
General Information   This section is always displayed.

All The questions in this section are considered self explanatory, further guidance is not needed here.
Data Information
Data Source
This section is always displayed.

Does your project require two data sources where one includes
identifiable data from a WVU medical/dental record?
If you will use multiple data sources for your project, the University's concern is for how high risk data (e.g., medical/dental records) will be stored, even if the other source also includes identifiers

If the second data source is the collection data from participants, you will have the opportunity to select a collection method in the Data Storage Plan section.  If the second data source is not data collection, use the high risk data storage plan you will select later in the form to store all of the data.  

Select Yes:
If multiple data sources will be used and one of them is IDENTIFIABLE data from a WVU medical or dental record.  If you will requested fully-deidentified data, select NO.

In the next field displayed, enter information about the other data source(s).  Then continue to the Data Source list and select Medical/Dental Records.  

Select No:
If medical/dental records are not one your data sources or if multiple data sources will not be used. 

If you will use multiple data sources, select the source with identifiers if applicable and continue on.

If none of the data sources have identifiers, select a source and continue on. 

     Indicate the source of the data. Click here for a summary table of for data sources.

Source = WVU Medical/Dental Record
The following options are displayed:
Fully De-identified Data Set
Limited Data Set
Data Set with Identifiers
 Use the definitions on the form to select the appropriate option.  NOTES:
  • A medical record number (MRN) IS considered one of the 18 HIPAA Identifiers
  • HIPAA Waivers are required for Limited Data Sets and Data Sets with any of the 18 HIPAA Identifiers.
  • HIPAA applies to all WVU departments regardless of covered entity status when accessing medical and dental records.

Source = WVU HSC Approved Data/Biospecimen Repository
The following options are displayed:
Fully De-identified Data Set
Limited Data Set
Data Set with Identifiers
Use the definitions on the form to select the appropriate option.  NOTES:
  • HIPAA Waivers are required for Limited Data Sets and Data Sets with any of the 18 HIPAA Identifiers.
  • HIPAA applies to all WVU departments regardless of  covered entity status when using the HSC repositories.

Source = Other WVU Data Source Use this option for any other data source where the data originated at WVU. The data can include identifiers or not include them. (excludes medical/dental records, HSC repositories)

Source = External Data Source Use this option when the data is provided by an external sources. The source data can include identifiers or not include them. This source should be used for identifiable healthcare data from external entities.

Source = Public Data Set Use this source for data sets provide by the WVU Library and all public data sets.  The data can include identifiers or not include identifiers such as phone books.  Identifiers included in public data sets do not warrant additional data protection. 

Source = Data Collection (Anonymous)     Use this source if you will not collect identifiers from participants. Click here to review the list of identifiers.

Source = Data Collection (Identifiable) Use this source if you WILL collect identifiers from participants. Click  here to review the list of identifiers.

Select the WVU Entity to which your department belongs    This question is related to the WVU departments that are considered HIPAA covered entities. 

If your department is not on this list, it is not considered as a HIPAA covered entity, therefore collecting variables that are on the PHI list does not require compliance with HIPAA.  

Is Data Transfer/Sharing required for your project?   If you will receive data OR if you will transmit data to other entities as part of the project select the applicable option. 

Are there international components or involvement in the research? Select YES if you know you have international components that will require WVU Export Control review or if you are unsure.

Enter a brief description of the international activities. 

        The WVU Export Control office will receive a notification and will contact you with any requirements within 1-2 business days. 

Will you be using software, services, communications products to collect data, samples, distribute surveys, or communicate with participants. The list is specific to:

Collecting and storing data and directly communicating with participants remotely. 

The list linked in this question not mean to be an inclusive list of all research-related software.

 If you answer NO, notification will be sent to the appropriate staff and you will be contacted regarding next steps. 

Upload the email or approval document as an attachment to your protocol submission. 


Will participants be compensated? The University's product for research participant payment is Vincent. There are situations where this solution cannot be used. 

If you answer NO, you will be prompted with anther list oif products that have been pre-approved by the University.

If none of of the approved options will work for your project, a notification will be sent to staff who can assist you.

Note that approvals for other products will cause delays in protocol approval. 

Upload the email or approval document as an attachment to your protocol submission.

Do you plan to request the procurement of a new (not currently owned or approved by WVU) product or service for data storage and analysis? If you answer YES, the Data Protection Certificate you receive upon approval of your request, will include a link to the University's procurement form.

This form is the starting point for the purchase of all unapproved technology products and services. 

Note that approvals may cause delays in protocol approvals. 

Upload the email or approval document as an attachment to your protocol submission.
Research Information  This section is displayed when identifiers are selected from the variable list in the form.

Describe how the data will be used in your research/project?     Provide sufficient detail regarding how the data will be used.

WVU Protocol Number (if available)   The protocol number may not exist, however if you started the submission and have the number, enter it.

This form is required to be attached to the protocol for approval or acknowledgement.  .

Does the project have a funding source? Provides information needed for agreements and to assess risk. Answer YES or NO.  If YES, answer the subsequent questions that are displayed.
Data Use and Storage   This section is only displayed if identifiers were selected from the variable list. The questions in this section are self-explanatory on the form and do not warrant further explanation.
HSC ITS Data Protection Plan Selection This section is  displayed when the source data is considered HIPAA-PHI or the department is a HIPAA covered entity. Multiple options are displayed for approved data storage for HIPAA and non-HIPAA data.

Review the plans and select multiple options as applicable.  For questions contact Contact the HSC IT Service Desk at (304) 293-3631 or hsc_helpdesk@hsc.wvu.edu .
WVU ITS Plan Selection   This section is displayed when the identifiers selected from the variable list are either Research PII or Sensitive PII AND when the department is NOT a HIPAA covered entity. If the data source includes identifiers from the variable list that are considered to be sensitive data as classified by the University, high-risk data storage options are displayed. This includes biometrics data.

If the data source includes identifiers from the variable list that are considered research personally identifiable information (RPII), medium-risk data storage options are displayed.

If the approved plans do not meet the needs of the project, multiple reviews and approvals will be required.  Follow the prompts to explain the solution that is required and to attach approvals from the Academic IT Support staff and an approved purchase request. 

*The Data Protection Request From cannot be approved until the approvals and approvals for the new product or service are complete.  
Data Agreements   This section is displayed when the answer to the Data Sharing question above is NOT N/A.

Are any of the following in place or pending? If the answer is "Other" or "No Data Use Agreements in place or pending, or unsure"    WVU OSP will receive a notification with the contents of the  form and contact you within 1-3 business days to determine requirements for data agreements. 

Answer the next set of questions displayed regarding any known policies and restrictions for the data and the IRB of Record.

Other agreements in place such as CTAs and BAAs do not need to be provided or uploaded with the protocol.
 Data Transfer This section is displayed if there are No Agreements in place, pending are unsure is selected. The questions in this section are either considered self explanatory or sufficient guidance is provided on the form.