Skip to main content

Data Protection Requirements in Research

Protecting research data is becoming an increasingly common requirement from sponsored research granting agencies and/or other owners of data sets you are using for your project. They may require that you must abide by specific data use guidelines. All investigators should be proactive in ensuring that any data protection requirements are met. Each PI should review information use agreements to see if such requirements are included. Such guidelines could require storing it in one of several ways including, but not limited to:

  • “The computer where the research data will be stored must be in a locked room and cannot be connected to the internet.”
  • “The computer where the research data will be stored must be encrypted.”
  • “The researchers who will access the research data must use secure authentication.”

Human Subject Research

If you are aware that  data protection requirements will apply to the data you will be using for a human subject research project, answer yes to the following question in WVU+kc when submitting an IRB protocol: “Does this project have data protection requirements?” Information Security will be notified once your protocol has been approved by the IRB and will follow up with you.

Sponsored Research

As part of its review of award terms and conditions, the Office of Sponsored Programs will notify ITS which sponsored projects include data protection requirements. Information Security will then contact the PI to discuss specifics of the requirements.

Other Research Projects

Data protections are not solely associated with human subject research or sponsored research. If you have a privately funded research project that includes proprietary corporate information, it will likely be subject to data protection requirements. If you know that your project will be subject to data protection requirements, contact Information Security ( and your college IT department as early as possible.

Researchers that are working with protected data should allot at least a couple of months in their project timeline for the execution of data protections. It may take a month or even several months for ITS to negotiate terms and conditions with the data owner and for your college IT staff to physically set up the machine that will house the data.