ETHICS and Research Data Management
Most research data – even sensitive data – can be shared ethically and legally if researchers employ strategies of informed consent, anonymisation and controlling access to data. Researchers obtaining data from people are expected to maintain high ethical standards and comply with the relevant legislation.
Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute ‘personal data’.
The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and will also play a key role in managing and sharing research data.
The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:
- Processed fairly and lawfully
- Obtained and processed for a specified purpose
- Adequate, relevant and not excessive for the purpose
- Not kept longer than necessary
- Processed in accordance with the rights of data subjects, for example, the right to be informed about how data will be used, stored, processed, transferred, destroyed; and the right to access information and data held
- Kept secure
- Not transferred abroad without adequate protection
The DPA and sharing data
- Do you really need to collect personal data? Often information such as participants’ names and addresses are collected for administrative purposes only and have no research value. Not collecting personal data in the first place may make it easier to manage and share your data. Alternatively if they do need to be collected, for example, for follow-up interviews, they should be stored separately from research data.
- Inform your participants about use of personal data. All researchers must inform research participants about how any personal data collected about them will be used, stored, processed, transferred and destroyed. Personal data can only be disclosed if explicit consent has been given to do so, although there may be exceptions for legal reasons.
Personal data are records or other information that on its own, or linked with other data or information in the possession of the data controller, can reveal the identity of an actual living person.
Sensitive personal data
Sensitive personal data are data on a person’s race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.
- Research should aim to maximise benefit for individuals and society and minimise risk and harm
- The rights and dignity of individuals and groups should be respected wherever possible, participation should be voluntary and appropriately informed
- Research should be conducted with integrity and transparency, lines of responsibility and accountability should be clearly defined
- Independence of research should be maintained and where conflicts of interest cannot be avoided they should be made explicit.
Consent for data sharing
- Informed consent is an ethical requirement for most research and must be considered and implemented throughout the research lifecycle, from planning to publication to sharing.
- Failure to properly address issues of consent may restrict the opportunities for initial use of data, the publishing of your results and the sharing of the data.
- In order to make sure that research data can be made available for future reuse, it is important that consent for future reuse of the data by other researchers is sought from participants. Participants should be informed how research data will be stored, preserved and used in the long-term, and how confidentiality can be protected when needed.
Language to avoid
- Consent forms should not preclude data sharing. So promises to destroy the data or promises that the data will only be seen or accessed by the research team should be avoided.
- Terms such as ‘fully anonymous’ or ‘strictly confidential’ should be avoided, as they are often impossible to define. It would be better to indicate how data will be anonymised (e.g. by removing all personal information that could directly identify an individual) and that whilst data will be made available to other researchers, confidentiality will be protected.
How to seek consent for data sharing
- Consent procedures must be tailored for the specific research context, methods and sample, the nature of the data (personal, sensitive, level of detail), the format of the data (surveys, written, recordings) and the planned data uses and handling. This will influence the type of consent and consent process used.
- It is important to note that researchers are not obliged to obtain consent. They are obliged to seek consent and to impartially advise participants about risks and benefits of research participation and data sharing. Participants then decide what they will consent to.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g., an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g., key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
EXPECTATIONS – DATA MANAGEMENT
- Published research papers should include a short statement describing how and on what terms any supporting research data may be accessed.(e.g., “The research data associated with this paper which was funded by EPSRC is available at: [URL or DOI].”
- Publicly-funded research data that is not generated in digital format will be stored in a manner to facilitate it being shared in the event of a valid request for access to the data being received (this expectation could be satisfied by converting and storing such data in digital format in a timely manner). (minimum of 10 years, or 10 years from when last accessed).
- Appropriately structured metadata describing the research data is published (normally within 12 months of the data being generated) and made freely accessible on the internet; in each case the metadata must be sufficient to allow others to understand what research data exists, why, when and how it was generated, and how to access it. Where the research data referred to in the metadata is a digital object it is expected that the metadata will include use of a robust digital object identifier.
- Where access to the data is restricted the published metadata should also give the reason and summarise the conditions which must be satisfied for access to be granted. For example ‘commercially confidential’ data, in which a business organisation has a legitimate interest, might be made available to others subject to a suitable legally enforceable non-disclosure agreement.
- Research data is to be securely preserved for a minimum of 10 years from the date that any researcher ‘privileged access’ period expires or, if others have accessed the data, from last date on which access to the data was requested by a third party; all reasonable steps will be taken to ensure that publicly-funded data is not held in any jurisdiction where the available legal safeguards provide lower levels of protection than are available in the UK.
Data Management Plan
Prior to submitting your Research Proposal, or applying for funding, ensure that you have a robust data management plan in place, it is worth noting that this should be seen as a living document, that can be updated and amended as required throughout the lifecycle of your research project.
You can create a Data Management Plan (DMP) using https://dmponline.dcc.ac.uk/, using your university login details.
All data management plans should address the following as a minimum:
Plan Name: Research Project Title Data Management Plan
Plan ID: –
Principal Investigator / Researcher: Student Name
Plan Data Contact: firstname.lastname@example.org
Plan Description: Data Management Plan for PhD Research Proposal
Institution: University of Northampton
Your ORCID: 1234 1234 1234 1234
What data will you collect or create?
How will the data be collected or created?
Documentation and Metadata
What documentation and metadata will accompany the data?
Ethics and Legal Compliance
How will you manage any ethical issues?
How will you manage copyright and Intellectual Property Rights (IPR) issues?
Storage and Backup
How will the data be stored and backed up during the research?
How will you manage access and security?
Selection and Preservation
Which data are of long-term value and should be retained, shared, and/or preserved?
What is the long-term preservation plan for the dataset?
How will you share the data?
Are any restrictions on data sharing required?
Responsibilities and Resources
Who will be responsible for data management?
What resources will you require to deliver your plan?
If you require further information please email email@example.com
Information obtained and adapted from
Posted on October 19, 2017, in Doctoral journey, Early Career Researcher, Faculties, Research, Research Institutes and Centres, Researcher development, Support and tagged data, DPA, Ethics, GPDR, RDM, research data management, save. Bookmark the permalink. Leave a comment.