Research Data Management Life-cycle

Research Data Management Lifecycle

  1. Planning: Data Intake Process and a Data Management Plan
  2. Contracts and Agreements
  3. IRB Review
  4. Access, Storage, Backup, Tracking, Analysis Methods
  5. Project Conclusion: Retention, Disposal/Destruction
  6. Reporting and Publication

Planning

Considering the type of data and its origination and end points, and developing a sufficient plan at the beginning of the project, will assist with compliance as well as timely approvals.

If you are unsure of the classification and institutional protection requirements for the data required for the research, or whether a data agreement will be required, complete the Data Intake Form.

This form will help facilitate institutional approvals for protection and agreements. Research conducted under the auspices of WVU has strict protection and agreement requirements for protected data. Consideration should be given to designating a person who will be responsible for making sure that the project adheres to the plan and who carefully documents updates and amendments as they occur.


Contracts and Agreements

When receiving, sharing, acquiring or generating data, various agreements and contracts may be required. The information below outlines the types of agreements and contracts that could be required for research projects:

Agreements that may apply to confidentiality:

  • Non-Disclosure Agreements (NDA)
  • Confidentiality Agreements
  • Material Transfer Agreements
  • Clinical Trial Agreements
  • Certificates of Confidentiality

Agreements that may permit or prevent unspecified future uses of data or unanticipated secondary uses of data:

  • Data sharing agreements (waivers, consents, etc.)
  • Clinical Trial Agreements (waivers, consents, etc.)
  • Data Use Agreements
  • Business Associate Agreements

Agreements related to third-party sources such as an outside vendor, external researcher, or government agency. WVU has policies about what is appropriate to “put in the cloud,” which will require additional approvals for collaborations. Applicable agreements may include:

  • Service Provider or Data Storage Agreements (e.g., Amazon cloud agreements)
  • Cooperative Research and Development Agreements (CRADAs)
  • Memoranda of Understanding (MOU)
  • Consortium Agreement

Agreements that may apply to where and how data is to be retained or archived include:

  • Lease agreements that provide for return of equipment/media containing research information

WVU Institutional Review Board Approval

If your data involves human subjects or identifiable information about human subjects, the project will require WVU IRB review. Research data may be identifiable or de-identified. The data collected should include the least possible information that allows you to meet the goals of the research project.


Common data-related questions that will be asked include: 
  • A list of all research project staff members and a description of their access to the data. 
  • A list of any collaborators with whom you anticipate sharing data as well as those who will be collecting or reporting data, or have access to personally identifiable information about subjects, including individuals or entities to whom you may transfer data for statistical analysis or de-identification. 
  • The source of each of the datasets; the IRB may request information about other approvals associated with the collection and access to research data. 
  • If the data is determined to involve human subjects, the subjects’ authorization and informed consent will be required unless a Waiver of Documentation of Consent is approved. 
  • Ensure that informed consent documents and authorizations permit the types of data sharing anticipated (e.g., sharing outside of the institution, publication, or posting in publicly accessible repositories).

Additional issues to consider: 
  • If using more than one dataset or some public datasets, consider how linking data impacts identifiability and risk.
  • If the design or conduct of your study is changed after collecting initial data, you must submit modifications to the IRB for review and approval. 
  • If data will be made available through a registry, e.g., dbGaP, or if future open access of data is planned or likely, indicate how data will be released. 
  • Ensure that you understand whether any agreements entered into permit or prevent unspecified future uses of data or unanticipated secondary uses, as these also require IRB review and consideration. 
  • Determine if a Certificate of Confidentiality is appropriate for the research project; this allows the researcher and others with access to research records to refuse to disclose identifying information on individual participants in civil, criminal, administrative, legislative, or other proceedings at the federal, state, or local level; the NIH provides the certificates but they have important limits and are not a “magic bullet.”

Data Management

ACCESS
Decisions about who will access the data, where the data will reside, and how it will be backed up may affect data use and access. Once you complete the Data Intake form, the institution's Information Technology Service departments will review the information provided about the research project and make the appropriate recommendations and approvals for data protection.
  • Be prepared to describe with specificity who has access to the data and the manner of access.
  • Adhere to the minimum necessary principle (also known as least privilege), meaning only those with a legitimate research, business, or operational need should have access. For example, a research partner who is only reviewing output and co-authoring a paper might not need access.
Consider the following:
  • The number of people who will collect or work on the data, and whether any are external to your institution. 
  • Whether data must be accessed remotely.
  • Whether a data sharing agreement imposes restrictions related to the use or sharing of the data. 
  • Whether plans are needed to make the data accessible to other users in the future; if so, what measures will be taken to meet assurances of privacy, security and confidentiality (e.g., if data and images will be provided on a website, will the website contain disclaimers, or conditions regarding the use of the data in other publications or products?).
STORAGE
  • The type of access required and the number of people accessing the data may help determine the manner of storage and the level of security controls. Some data require special management considerations. For example, Protected Health Information (PHI) is subject to several restrictions.
Consider the following:
  • How any data sharing will be tracked or documented. Data Agreements are required for external sharing.
  • Where the data will be stored: in the cloud? Accessed from a secure server? Both? Would computers not connected to the network be better? ITS must approve all storage locations.
  • How the data will be stored and protected: on a secure, password-protected server behind a firewall (e.g., on a P: drive, not a C: drive)? How is it protected: password or encryption? How many people will have the password? Who may access it?
  • If using a mobile computing device (laptop, tablet, etc.) or removable media (flash drive, external hard drives) for any part of your study, determine how the data containing PHI will be stored.
  • Whether PHI will be stored by a collaborator or on a vendor-owned platform (What devices and safeguards will be implemented? How will remote access to the system be secured?)
  • Determine if it is appropriate to contract with a third-party vendor to store and back up data; identify the various considerations, especially if cloud storage will be adopted across institutions. ITS must approve all third-party vendors.
BACKUP AND TRACKING
  • A procedure for backing up the data (How secure is the backup system? Who has access? How long are backups kept?).
  • Estimated size of datasets that will be collected and produced, and whether the amount and/or formats of data will change over time; IT departments may need to be informed of anticipated large data sets in order to support back-up.  
ANALYSIS/PROCESSING OF DATA
  • Seek out institutional resources to create secure research computing environments if your research involves sharing, electronic data transfers, or multi-site analysis of the data with external collaborators.
DATA ANALYSIS
  • Describe the statistical method and analysis plan, including sample size and its scientific rationale. There may be various means of extraction, transformation, and loading of external data sources that will become a part of the research project data.
  • Extracting data from an internal computer/server environment or otherwise transforming the raw data to send to a collaborator at another institution for analysis could significantly change the nature of the data. For example, institution B may require that identifiable data from institution A be de-identified by a reliable third party before being uploaded into institution B’s research enterprise environment. Be sure to consider such changes in the management plan. Data Agreements are required for data sharing, export, or import.
  • Describe how any data sharing will be tracked or documented.
  • Determine if local systems can track the data, including audit and monitoring functions; be prepared to explain the file format(s) of the data (e.g., jpeg, .doc, sas, etc.). Consistent naming conventions are key factors in documenting and tracking research data.