Human Research Data Protection & Determination Process
Overview
PIs are required to complete the RO3 Data Protection & Determination form for human research to obtain a Determination Letter for publication or a Data Protection Certificate for an IRB protocol submission.
NOTE: The R02 Data Protection form has changed. A new form, R03 Data Protection and Determination is available as of 2/17/25.
To find forms submitted before 2/17/25 use this link and select the R02 - Research Data Protection form and then select My Actions or My Documents at the top of screen.
Use the Data Protection and Determination form to determine if an IRB protocol is required.
- Projects that do not meet the federal definition of research. Please visit the WVU OHRP website for more information. A Letter of Determination will be automatically sent to the person submitting the form and the PI. A protocol is not required.
- Projects that meet the federal definition of research but are not considered human subjects research (NHSR). The Data Protection Form will be displayed after the determination section of the form is completed. A Letter of Determination along with the information typically provided on the Data Protection Certificate will automatically be sent to the person submitting the form and the PI. A protocol is not required.
- Projects that meet the federal definition of research and meet the definition of human subjects research. The Data Protection form and Certificate are required. An IRB protocol is required and the Data Protection Certificate must be attached to the protocol. .
Although the primary focus of the process is the protection (privacy and confidentiality) of the data while it is stored and managed at WVU, the process also provides notification to the offices responsible for other research compliance requirements:
- HIPAA Privacy Review/Honest Broker Requirements for WVU Medical Records
- Notification for Data Agreements
- Notification to for unapproved software requests
- Notification to the Export Control Office that the research may have international compliance requirements
- Notification to the Office Innovation and Commercialization for IP concerns
- Notification to the Conflict of Interest Office
Post-Submission
After you submit the form, you may receive:
- Emails indicating subsequent required approvals
- Follow-up emails requesting additional information
After approvals are complete, the submitter and the PI will be emailed a Data Protection Certificate (approval SLAs are 3-5 business days). Some approvals are automatic depending on risk.
How the Process Works
Researchers complete a Data Protection Form, depending on the request and risk related to the data, the submitter and the PI will receive a Data Protection Certificate in email after approvals are complete.
Other approvals may be needed for data agreements, unapproved technology, technology services and non-standard data storage plans. These approvals may take 2 to 3 weeks, please plan accordingly.
The Data Protection Certificate will be sent when the data storage plan is approved to facilitate protocol submission, however, all approvals (data agreements, software, purchases) must be completed BEFORE research can begin. The responsibility for ensuring all needed approvals are provided by the University is the responsibility of the PI.
The process will provide researchers with:
- The classification of risk for the data to be used and stored in support of the research
- The approved storage plan(s) for the data
- The approved technology products for research
- The WVU approved participant payment methods
- HIPAA approval and institutional review of requirements for WVU Health System data (medical records)
The process will automatically notify the correct departments for:
- The Office of Export Control for requirements related to international research components
- The Office of Sponsored Programs to begin the Data Use Agreement process
- Other departments related to the approval of new technology, technology services, or participant payment methods
Changes to Approved Forms
If data requirements change after the DP Certificate is received, a new form must be submitted reflecting the change. Research projects using high-risk data must report all changes in Research Personnel.
Only the submitter can change the form––if the submitter leaves the project, the PI will not be able to modify the form.
Risk Categories
| Low-Risk Data Protection Certificates | |
|---|---|
| Automatically emailed to the submitter within an hour if research is NOT in a WVU HIPAA Covered Entity | Only applies to non-covered entities:
|
| Medium-Risk Data Protection Certificates | |
| Automatically emailed to the submitter within an hour IF standard storage plans can be used and if the research is NOT in a WVU HIPAA Covered Entity | Applies to covered and non-covered entities:
If an approved storage plan cannot be used, additional steps and approvals are required, the Data Protection Certificate will be emailed after approval. Approvals could take 2-4 weeks, depending on the request. |
| High-Risk Data Protection Certificates (HIPAA-PHI/Sensitive Data) | |
| NOT automatically emailed. May take 5-7 days for medical/ dental record access and storage plan review. Please plan accordingly. | Applies to covered and non-covered entities:
|