Research ethics and data protection

When planning for the management of data collected from research participants, it is essential to consider issues of research ethics and data protection from the outset, because how you handle the information and consent processes may affect your ability to share data later on. You also have an ethical and legal responsibility to manage confidential and personal data securely and not to disclose them to unauthorised persons.

In most cases, data collected from human subjects can be made accessible to others, either publicly or (where necessary) on a restricted basis, using an appropriate data repository; but you will need to ensure that you use appropriate consent procedures, and that you plan for safe sharing of data, e.g. by using anonymisation.

Applications to Research Ethics Committees

• REC DMP Template (docx)
• HBS REC DMP Template with Review Form (docx)
• REC DMP Guidance (PDF)
• REC DMP Examples (docx)

The University Research Ethics Commitee and some School Research Ethics Committees (see below) require the submission of a data management plan with applications for ethical approval.

The DMP templates provided here are solely for use as part of an ethical review process. They are not intended as practical tools for data management throughout a research project. A general-purpose data management plan template is better suited for such a purpose. A separate web page provides information about general-purpose tools. We also provide a PGR Data Management Plan Template specifically designed for use by PGRs.  

University Research Ethics Committee (UREC)

Applications for ethical approval submitted to the University Research Ethics Committee must be accompanied by a DMP prepared using the REC DMP Template. Applicants should refer to the guidance document when completing the DMP. The DMP will be reviewed by the Information Management and Policy Services (IMPS) office and the Research Data Manager. Comments on the DMP will be returned to the applicant with the UREC opinion, and any conditions that must be met for a favourable opinion to be granted will be specified.

School Research Ethics Committees (SRECs)

The following Schools require the submission of a DMP as part of an application for ethical approval: Chemistry, Food and Pharmacy, Henley Busines School (currently for some applicants only on a pilot basis), the Institute of Education, and Psychology and Clinical Language Sciences. Applicants must submit the DMP using the REC DMP Template (CFP, IoE, PCLS) or the HBS REC DMP Template with Review Form (HBS). 

SRECs should review the DMP with reference to the DMP Assessment Guide for School RECs. The Checklist  can be used to assist in the review process and the DMP Review Form can be completed and returned to the candidate with any requirements or advice. For HBS reviewers the review form is appended to the HBS REC DMP Template with Review Form. For the benefit of reviewers a DMP Review Standard Text document provides examples of standard text that can be used to address common issues. IMPS and the Research Data Service can be contacted by SRECs for advice on specific questions or concerns raised by an application.

Participant Information Sheets and consent forms

Participant Information Sheets (PIS) should discuss how research data collected from participants will be used, and consent forms should include statements indicating understanding that research data will be preserved and shared in support of research findings, in accordance with the University's Research Data Management Policy.

DO NOT undertake to destroy research data collected from the participants, or not to share such data outside the project, as this will prevent you from sharing data. Research data that have been anonymised are no longer confidential and can be shared; data that are higher-risk or that contain confidential information can be made avaialble to others in a safe and ethical manner under a controlled access procedure. For example, the UK Data Service ReShare repository has a 'safeguarded' option for higher-risk anonymised data, and the University's Research Data Archive offers a restricted dataset option. Data managed on such terms would only be made available in confidence to authorised researchers under a data access agreement.

In the information given to participants, you should clearly distinguish between any personal and confidential information that will be held in confidence and ultimately destroyed, and the (in most cases) anonymised research data that will be retained indefinitely and made available to others. 

The consent form should allow the participant to indicate they have understood the notified intention to presrve and share data, by checking a statement such as this:

'I understand that the data collected from me in this study will be preserved and made available in anonymised form, so that they can be consulted and re-used by others.'

This statement is suitable where anonymised data will be be made available as open data, i.e. without restriction. If access to data will be subject to a controlled-access procedure, a suitable consent formula would be:

'I understand that the data collected from me in this study will be preserved, and subject to safeguards will be made available to other authenticated researchers.’

The statements above are provided in the University's sample consent form, available in the Data Protection and Research guide. This wording can be used as a basis for the information given about how the participant's data will be used in the PIS. 

Data protection

If you will be processing personal data in your research, you are advised to consult University guidance on Data Protection and Research. Here you can find a Data Protection Checklist for researchers, which you should use as part of your planning process. A sample information sheet and consent form are also provided. You should acquaint yourself with the University's Data Protection, Classification, Encryption and Remote Working policies, which can be found on the Information Compliance Policies web page.

Personal data is any information relating to an identified or identifiable natural person. These data enjoy statutory protection under data protection law and must be processed fairly and lawfully and with the data subject's knowledge. For certain kinds of research, for example involving the processing of sensitive data, you may need to complete a Data Protection Impact Assessment.

You must ensure that personal data are kept secure and are not disclosed to unauthorised persons, by using appropriate access-controlled University infrastructure. This especially applies in the case of special category personal data, for example about an individual's race, politics or health. Refer to the University's Classification Policy for guidance. Working procedures should be designed to minimise the risk of disclosure. Data can often be pseudonymised for purposes of processing and analysis, with personally-identifying information and linked IDs stored separately from the working dataset. 

Third-party services such as survey tools that process data on your behalf are defined as data processors in data protection law. These services must be provided under a data processing agreement with the University to ensure there are appropriate protections in place for personal data. Visit the online survey tools web page to find out about approved survey tools available through the University. If you want to use a data collection tool and are not sure whether it is suitable, contact us for advice.

Personal data can be retained as long as they are needed for the purpose notified to data subjects, but they should be destroyed when no longer required. Consent forms should be retained by the University as long as any personal data are retained and otherwise for at least 5 years after the completion of the project, and longer if required. Where personal data are retained, they should be managed under a retention schedule that specifies periodic reviews, so that they can be securely destroyed when no longer needed.

Anonymisation

Most data collected from human subjects can be anonymised for public sharing. This applies to both quantitative and qualitative data. The UK Data Service provides guidance on anonymisation of both quantitative and qualitative data; the MRC also provides information about anonymisation and pseudonymisation. Where anonymisation is not possible (for example, in the case of biometric data), or wherea higher risk of identification and harm is judged to exist, controlled access archiving options may be used.

In order for data to be anonymised, any means of linking them to participant records stored internally would need to be destroyed. If you have used key codes (pseudonymous identifiers) in your dataset which are linked to separately-held internal participant records, the link table would need to be destroyed or the key codes removed from the dataset for it to be anonymised.