If your research project involves working with people as participants, then you need to handle all associated data correctly. Ethical guidelines issued by funders and the University cover how you can create and store data. In addition, laws such as the Data Protection Act 2018 (which implements UK GDPR, or the General Data Protection Regulation) govern the processing of personal data.
Questions to consider
My research project involves human participants. Is ethical approval needed?
- View the Research Ethics pages on the Research Support website for information on the University’s policy and guidance on the ethical review of research projects involving human participants.
- The Research Ethics FAQ section lists questions around the types of research requiring ethical approval and offers help around the process of applying for ethical approval.
- Personal data or sensitive data may not be suitable for sharing with other researchers, depending on whether informed consent has been obtained from participants. You may wish to consider anonymisation techniques or data aggregation for numeric data, editing of video or sound recordings, use of pseudonyms in qualitative data etc. The UK Data Service provides a useful guide covering consent, confidentiality, and ethics.
What do I need to do to get ethical approval?
Who can I contact for further help around ethics?
See the Research Ethics Contacts section of the Research Ethics pages to find out who can help you from one of the IDRECs (Interdivisional Research Ethics Committee) or OxTREC (Oxford Tropical Research Ethics Committee).
What are my obligations under the Data Protection Act?
The 2018 Data Protection Act (which implements UK GDPR) affects the processing of personal or sensitive data and the circumstances under which you can share it with others. A guide to Data Protection and Research is available on the Research Support website; further information can be found in the Staff Guidance on Data Protection section of the Compliance website.
If you will be working with personal data, you will need to work through the University’s Data Protection by Design framework (SSO required): this involves completing a screening questionnaire, and then one of two further assessments depending on the outcome of the screening questionnaire. You may be prompted to do this as part of the process of ethical review.
What other practical considerations are there around personal and sensitive data?
Have you considered appropriate security measures and implemented a policy for handling personal data?
If you’re working with sensitive data, then in some cases it may be appropriate to consider encryption. This may cover everything stored on a particular machine (some modern operating systems have built-in encryption solutions – for example, BitLocker for Windows or FileVault for MacOS), or may be applied to a specific set of files, or to material being communicated via email.
The University’s Information Security website offers general advice about keeping data secure.
If the research team is intending to share access to personal data, then it is required by law to enter into a written agreement with those parties, setting out the conditions on which the data is made available.
The University has prepared a growing suite of templates which can be adapted for use by research teams collecting and sharing information about individuals. For further details, contact Research Services.
In many cases, it will be appropriate to anonymise data before making it available for others to use. The UK Data Service’s advice is an excellent starting point on this subject.