Research ethics and data protection
When planning for the management of data collected from research participants, it is essential to consider issues of research ethics and data protection from the outset, because how you handle the information and consent processes may affect your ability to share data later on. You also have an ethical and legal responsibility to ensure that you store and share confidential and personal data securely and do not disclose them to unauthorised persons.
In most cases, data collected from human subjects can be made accessible to others, either publicly or (where necessary) on a restricted basis, but you will need to ensure that you use appropriate consent procedures, and that you plan for anonymisation or minimisation of identifiable data prior to sharing.
Data management plan for participant-based research
- DMP Template for Participant-based Research (docx)
- DMP Guidance for Participant-based Research (PDF)
Applications for ethical approval submitted to the University Research Ethics Committee must be accompanied by a DMP prepared using the above template. The DMP will be reviewed by the Information Management and Policy Services (IMPS) office and the Research Data Manager, and you may be contacted by either of these to discuss aspects of your plan.
The DMP template and guidance provided here can be used by anyone to plan for the management and sharing of participant-based research data in compliance with University research ethics and data protection requirements.
You have an ethical obligation to protect the confidentiality of personal information provided to you by research participants. Any research involving human subjects will need to receive approval from your School's or the University's Research Ethics Committee, and you will be required to obtain documented consent to participation in the research from your participants. Guidance on the process of seeking ethical approval for research projects can be found on the Research ethics web pages.
In your application for ethical approval and in the information your provide to participants you should not undertake at any time to destroy research data collected from the participants, or not to share such data outside the project, as this may prevent you from sharing data in the future. Research data that have been anonymised are no longer confidential and can therefore be shared.
Personal data should be destroyed when no longer required, and it is acceptable to tell your participants this, but you should clearly distinguish between the personal data that will be held in confidence and ultimately destroyed, and the anonymised research data that will be retained indefinitely and made available to others.
It is wise to avoid making a specific commitment to destroy personal data by a set time: under data protection law, personal data can be retained as long as a valid reason for their retention exists, and personal data held for public interest archiving, scientific or historical research, or statistical purposes may be retained indefinitely. For example, you may wish retain details of participants on an internal database to enable you to undertake follow-up studies.
You must comply with data protection law if you collect and process personal data. Where personal data are processed in jurisdictions outside the European Economic Area, they should be handled to the standards prescribed by UK data protection law.
If you will be processing personal data in your research, you are advised to consult University guidance on Data Protection and Research. Here you can find a Data Protection Checklist for researchers, which you should use as part of your planning process. A sample information sheet and consent form are also provided. You should acquaint yourself with the University's Data Protection, Encryption and Remote Working policies, which can be found on the Information Compliance Policies web page.
Personal data is any information relating to an identified or identifiable natural person. These data enjoy statutory protection under the General Data Protection Regulation 2016 and the Data Protection Act 2018. Under this legislation any personal data collected by you must be processed fairly and lawfully. Among other things you will be required to issue a privacy notice to your research participants, which explains the purpose(s) for which the data are being collected, your lawful basis for processing the data, who the data will be disclosed to, and the rights of the individuals in respect of their personal data. For certain kinds of research, for example involving the processing of sensitive data or human genetic data, you will need to complete a Data Protection Impact Assessment under the advice of the University Information Management & Policy Services Officer.
You must ensure that personal data are kept secure and are not disclosed to unauthorised persons. You should use a locked storage container such as a filing cabinet in a locked office for paper-based personal data; for digital data, password-protected or, preferably, encrypted storage. This particularly applies in the case of special category sensitive personal data, which include information about an individual's: race; ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual orientation. Such personal data should be encrypted, and not stored or shared by means of cloud services other than a University OneDrive account, or transferred via unencrypted channels (e.g. via email). You can securely transfer data between individuals and devices using OneDrive; and from off-campus to a location on the University network using VPN, which provides an encrypted channel.
You will need to consider issues related to data protection and secure processing of information when you use instruments to collect data from research participants, including any online software services such as survey tools. Any third-party service provider collecting personal survey data on your behalf is acting in the capacity of a data processor as defined under the Data Protection Act. Whenever a data controller uses a data processor, a written contract must be in place so that both parties understand their responsibilities and liabilities. Among other things the data processor would need to store data in the European Economic Area or under conditions that provide equivalent protections for personal data. Visit the online survey tools web page to find out about approved survey tools available through the University. If you want to use a particular data collection tool and are not sure whether it is suitable, contact us for advice.
Working procedures should be designed to minimise the risk of inappropriate disclosure. Data can often be pseudonymised for purposes of processing and analysis, with the personally-identifying information and their linked IDs stored separately from the working dataset. When the study is complete and if there is no further need to link individuals to data, the linking key can be destroyed, so that the data become fully anonymised.
You can retain personal data indefinitely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. You do not need to commit to destroy personal data at a set time, but they should be managed under a retention schedule that specifies periodic reviews, so that they can be securely destroyed when no longer needed.
Consent and anonymisation
Most data collected from human subjects can be anonymised for public sharing. This applies to both quantitative and qualitative data. A valid reason for restricting access to such data would obtain only if it is not possible to anonymise the data (biometric data, for example) or if the risk of causing harm or distress by disclosure is significant. The UK Data Service provides guidance on anonymisation of both quantitative and qualitative data; the MRC also provides information about anonymisation and pseudonymisation.
Even data containing personal or confidential information may be shared under certain conditions, with appropriate consent and subject to an agreement containing appropriate data protection clauses. Some data repositories, e.g. the UK Data Service ReShare repository and the European Genome-phenome Archive, can manage controlled access to sensitive/confidential data. The University's Research Data Archive can also offer a restricted access option. Contact us if you wish to discuss this.
If data collected from human subjects have been fully anonymised, you do not need consent to share them, but it is good practice to inform your research participants how the data you collect from them will be used. Your information sheet should address this and your consent form should specifically allow the participant to indicate they have understood your intentions and agree to data sharing, by checking a statement such as this:
'I understand that the data collected from me in this study will be preserved and made available in anonymised form, so that they can be consulted and re-used by others.'
Be aware that in order for publicly-disclosed data to be anonymised, any means of linking them to participant records stored internally would need to be destroyed. If you have used key codes (pseudonymous identifiers) in your dataset which are linked to separately-held internal participant records, the key codes would have to be removed for the dataset to be anonymised.
Further guidance on anonymisation is provided in the University's Data Protection and Research guide.