Operational Research Data | WVU Research | West Virginia University

The Research Office provides the following guidance related to the data used, collected, or transmitted during the conduct of research at WVU.

Note that products used for data storage, transmission, collection are approved and provided by the WVU ITS departments. New products must be purchased and approved using the WVU standard process.

WVU Policy

WVU policy related to information security, privacy and data classification. If additional information is needed, contact the WVU Information Security Office.

WVU Classifications for Identifiable Research Data

How identifiable research data is classified at WVU.

For human subjects research use the Research Data Protection Request Form to automatically receive a determination of the classification for your research data BEFORE submitting an INITIAL protocol application or requesting a data agreement from OSP.

Data Collection

A list of approved software for collecting identifiable research data directly from research participants. Identifiable means that the researcher knows the identity of the participant at the time the data was collected. Data can later be de-identified for publication and other purposes, however this is considered as Data Collection- Identifiable. Use of data collected by a secondary source is not considered data collection.

Data Storage

Storage options for data classified as sensitive under WVU policy are listed below. If your research requires storage that is not listed here, please send an email to researchdataprotectionsupport@mail.wvu.edu.

NIST 800-171: WVU will soon have approved cloud-based storage for NIST 800-171 data. Contact ResearchDataProtectionSupport@mail.wvu.edu.
HIPAA Protection Health Information (PHI) - Storage Options are available from WVU Health Sciences ITS. HIPAA Identifiers
Research Personally Identifiable Information (RPII) - Classified as confidential by the University - Storage options are available from WVU ITS. Research PII Identifiers
Anonymous or data received as de-identified (the researcher will never know the identity of a participant)

Data Agreements

Depending on the type of research and the data requirements, a Data Use Agreement may be needed to transmit data in/out of the institution or share PHI (HIPAA) or other types of sensitive or identifiable data with other entities

Data Protection Request Form

Information about the WVU Research Data Protection Form. WVU provides this automated form to assist the researcher with the following steps in safeguarding the data during the conduct of Human Subjects Research and efficiently obtaining required approvals.

The automated form will:

Classify the Identifiable Data According to University Policy
Facilitate approvals for access to medical/dental records/PHI and approved storage
Facilitate approval for storage plans (approved and unapproved)
Facilitate review of international components, unapproved software, new technology
Facilitate the review and approval of Data Use Agreements and other agreements by WVU OSP

You will receive a Data Protection Certificate within minutes for Low and Medium Risk Data or for high-risk data it may take 3-6 days for approvals to be complete to receive the Data Protection Certificate. Approvals for software, international components and data agreements will be completed separately and may take additional time depending on the request. We ask that you plan accordingly when beginning your project. The Data Protection Certificate must be attached to the INITIAL protocol submission for human subjects research. Approvals for software, participant payment methods, data agreements can be uploaded when received.

WVU Data and Information Security Policies

Data Storage

Based on risk, the currently approved storage plans are:

Low Risk - WVU/HSC

The research does not include collecting, using, or transferring identifiable data. You may collect and/or store project data using the following technology solutions:

Approved Storage/Technology

University network drive (HSC or WVU)
University OneDrive or SharePoint
MIX Google Drive
University-owned device
Personal device (Students only)
Use of University Devices is required for employees.
Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.

WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information

Medium Risk - WVU

The research includes the collection or use of personally identifiable information by a WVU Non-Covered Entity (Defined as Research PII and considered CONFIDENTIAL according to WVU policy)

Approved Storage/Technology:

University network drive (HSC or WVU) o Storage on Personal network drive (e.g., J:, N:, Y:)
University OneDrive or SharePoint o University-owned device
WVU Research Data Depot (minimal charge for use)
Access to files must be limited to research project personnel only, with access regularly reviewed to remove personnel no longer on the project.
Use of University Devices is required for employees.
Students may use personal devices provided the device meets the requirements of the Bring Your Own Device Standard.

WVU Qualtrics, RedCAP, or HSC Qualtrics may be used for collection of information

High Risk - Sensitive Data (PHI)

The research includes the use or collection of HIPAA Protected Health Information

HSC ITS Approved Storage/Technology

HSC Plan A - WVU HSC Managed Network Server

Encrypted secure file server location accessible on HSC internal network.
Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP.
Student access available through Windows Terminal Server onsite or offsite.

Requirements

WVU Login account.
HSC managed encrypted desktop for faculty and staff.
Windows Terminal Server for students.
Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.

HSC Plan B - HSC VDI

Virtual desktop environment that has security controls in place to protect the movement of confidential, sensitive and/or PHI data.
Isolated, secure network storage/processing environment for analyzing and data collection.
Accessible onsite at HSC, and offsite via website.
Currently offered software: Excel, SAS, JMP, R Studio (Is currently not compatible with SPSS).
Students will use VDI for data collection and analysis.
Faculty can use VDI for data collection and analysis or use Forcepoint Data Loss Protection (DLP) software to access secure network file storage environment. Forcepoint DLP software will permit faculty to utilize software installed on their local PC/Mac with needed controls for sensitive data.

Requirements

WVU HSC Login account with MFA
VDI is the required processing/storage location for any projects that contain DHHR/PEIA/WV Medicaid and Medicare data.
VDI is the required storage location for student data collection and analysis.
Forcepoint DLP software is an option for faculty needing to analyze sensitive data using locally installed PC/Mac software to access shared network file storage . This is accessible to VDI/Forcepoint DLP users. Faculty may be responsible for annual Forcepoint DLP license fee.
Data that needs to be exported from the VDI environment must be de-identified and approved by the HSC Privacy and Security office.

HSC Plan C - WVCTSI RedCap Server

Encrypted secure web and database server accessible on HSC internal network
Survey access available for public collection
Accessible onsite at HSC, and offsite via HSView to researchers with an HSC managed device offsite with HSC VPN and DLP
External PIs and student access available through Windows Terminal Server onsite or offsite.

Requirements

WVU Login account with MFA
HSC managed encrypted desktop for faculty and staff.
Windows Terminal Server for students.
Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data.

HSC Plan D - Oncore / Advarra

Clinical Trial management system

Requirements

Requirements are based on CRU policies.

HSC Plan E - HSC Qualtrics

Qualtrics is Health Information Trust Alliance (HITRUST) certified
Encryption of data in transit and at rest (except for email messages)
Offers survey security and sensitive data controls
Accessible from an HSC managed device or HSView

Requirements

Prior approval is required for each project before the WVU HSC HIPAA Qualtrics Brand may be used to create surveys for the collection of sensitive data. Approval from the Chair of the Department or Administrator of the unit is required.
HIPAA data is only approved for storage in the WVU HSC HIPAA Qualtrics brand, not the WVU Qualtrics brand. Surveys that will collect health information may only be created in the WVU HSC HIPAA Compliant Qualtrics Brand and no other brand of Qualtrics.
WVU Login account with MFA
Users with access to the WVU HSC HIPAA Qualtrics Brand must only login from an HSC managed computer with DLP, or access via the HSC VDI environment (HSView)
Additional cost for Data Loss Prevention (DLP) software for faculty and staff - Requirement for sensitive data

HSC Plan F - Sponsor's Database

Requirements

Requirements are based on Sponsor’s regulations and compliance standards
An agreement signed by the institution

HSC Plan G - HSC SharePoint

HIPAA compliant framework is available for departments storing ePHI
Includes additional controls such as restrictions on downloading data
Data at rest (Bitlocker) and data in transit (TLS) used for encryption
Includes Advanced Threat Protection (ATP) and Data Loss Prevention (DLP)

Requirements

WVU Login Account integration with MFA

Pursuant to the Sensitive Data Protection Standard, Sensitive Data requires strict data protections. The use of unapproved technology solutions such as GoogleDrive, University OneDrive/SharePoint, Dropbox, SurveyMonkey, or Wufoo is not approved and should never be used to interact with study participants.