Make your data count

Ethical issues and data protection

If your research project involves working with people as participants, then you need to handle all associated data correctly. Ethical guidelines issued by funders and the University cover how you can create and store data. In addition, laws such as the Data Protection Act 2018 (which implements GDPR, or the General Data Protection Regulation) govern the processing of personal data.

Questions to consider

  • My research project involves human participants. Is ethical approval needed?

    • View the CUREC (Central University Research Ethics Committee) pages for information on the University’s policy and guidance on the ethical review of research projects involving human participants.
    • The CUREC FAQ section lists questions around the types of research requiring ethical approval and offers help around the process of applying for ethical approval.
    • Personal data or sensitive data may not be suitable for sharing with other researchers, depending on whether informed consent has been obtained from participants. You may wish to consider anonymisation techniques or data aggregation for numeric data, editing of video or sound recordings, use of pseudonyms in qualitative data etc. The UK Data Archive has a comprehensive guide covering consent, confidentiality and ethics.
  • What do I need to do to get ethical approval?

    See the How to Apply for Ethical Review section of the CUREC (Central University Research Ethics Committee) pages of the University website. You may also wish to look at the CUREC FAQs.

  • Who can I contact for further help around ethics?

    See the Contact Us section of the CUREC pages to find out who can help you from one of the IDRECs (Interdivisional Research Ethics Committee) or OxTREC (Oxford Tropical Research Ethics Committee).

  • What are my obligations under the Data Protection Act?

    The 2018 Data Protection Act (which implements GDPR) affects the processing of personal or sensitive data and the circumstances under which you can share it with others. For more information, see the University’s guidance on data protection.

  • What other practical considerations are there around personal and sensitive data?


    Have you considered appropriate security measures and implemented a policy for handling personal data?

    If you’re working with sensitive data, then in some cases it may be appropriate to consider encryption. This may cover everything stored on a particular machine (some modern operating systems have built-in encryption solutions – for example, BitLocker for Windows or FileVault for MacOS), or may be applied to a specific set of files, or to material being communicated via email.

    The University’s Information Security website offers general advice about keeping data secure.


    If the research team is intending to share access to personal data, then it is required by law to enter into a written agreement with those parties, setting out the conditions on which the data is made available.

    The University has prepared a growing suite of templates which can be adapted for use by research teams collecting and sharing information about individuals. For further details, contact Research Services.

    In many cases, it will be appropriate to anonymise data before making it available for others to use. The UK Data Archive’s advice is an excellent starting point on this subject.

Tools, resources, and training