Ethical and legal issues

Certain types of data require special handling. This may be to prevent or minimise potential harm, to comply with legal requirements, or to protect commercial interests.

Oxford has a number of processes designed to help researchers navigate this area, along with teams who can provide guidance and assistance.

Expand All

As a researcher working with data as part of a University project, it's worth being aware that there are a number of contexts in which you are considered to be acting as a representative of the University, rather than a private individual.

For example:

  • Where personal data is involved, it is the University, and not the individual researcher, that is the Data Controller, or the body with ultimate legal responsibility. This means that if an Oxford researcher were to inadvertently release such data, it would be the University that had to answer to the Information Commissioner's Office.
  • Funding agreements and non-disclosure agreements are usually signed by a representative of the University, not individual researchers, as detailed in the Financial Regulations. Divisions, departments and groups cannot sign agreements or own property except via the University.
  • The Statutes of the University, to which all Oxford researchers and students agree when joining, make many research outputs the intellectual property of the University. This includes most research data. (Note that the precise categories of data this applies to vary depending on whether you are a University employee or a student researcher: see Statute XVI, Part B for more information.)

This means that individual researchers are insulated from many risks associated with regulatory and legal compliance. However, it also means that researchers need to seek to minimise the University’s exposure to the same risks, by asking for support where they feel uncertain about how best to handle their data. Oxford provides various services to help researchers to do this.

If your research project involves human participantspersonal data, and/or regulated material and procedures, it will need to be reviewed and approved by an ethics committee before the research begins. The University's internal ethics review process is overseen by the Central University Research Ethics Committee (CUREC) and its subcommittees. For some types of research, review by an external committee such as the NHS Research Ethics Service may be required. The Research Ethics web pages provide further details of the ethical review process.

Any research data relating to human participants will need to be carefully managed. This may include using suitably secure storage (and transferring data securely when it is moved), and putting in place appropriate restrictions on who can access the data: see the Keeping working data safe section for more on this topic. It is also important to ensure participants have full information about how their data will be used - and, of course, that any assurances made are acted upon.

Thought needs to be given to what will happen to the data at the end of the project. It is best to factor this into plans from the beginning: this means that, for example, research participants can be enabled to make a properly informed decision about whether to take part, and where appropriate, consent for further use of data can be sought. If data is to be retained, a suitable home for it (such as a data archive) will need to be identified. Personal data is often not suitable for open sharing for reuse, but it may be possible to provide restricted access, or to share an anonymised, aggregated, or otherwise redacted version of the data. In cases where data cannot be retained and preserved, secure destruction may be needed. See the Post-project data preservation section for more on this topic.

The UK Data Service offers a Research Data Management guide which covers (among other things) ethical issues, data protection, and anonymisation. Please also see CUREC’s Best Practice Guidance, especially BPG 06 (Internet mediated research), BPG 09 (Data collection, protection and management), and BPG 10 (Conducting research interviews).

Your funding body may also provide guidelines on creating, storing, and working with data in such cases.

Making sure that research information is securely stored is extremely important for a number of reasons. At the simplest level, secure storage and processing ensures that the data remains available for as long as it is needed, and confidentiality and integrity of information are protected.

Information security also underpins other important aspects of good research practice. Complying with personal data regulations requires good information security, to ensure the data is only accessed by authorised people, and remains accurate and uncorrupted. External funders, commercial partners, and collaborating research institutions will also often require an agreed level of information security good practice. Oxford's InfoSec team can advise on this; a good place to start is their page on how to Secure Your Research Information.

The University's Information Classification Policy provides guidance for categorising and dealing safely with data across the University. It states that any data which is not classed as public should, if possible, be stored on an appropriate University system. (Note that many types of research data will fall under the confidential classification, and the guidance for handling that level of data will need to be followed.) University-provided storage is subject to a number of information security checks, which gives a greater degree of assurance that it is a suitable home for the type of data it is intended for. Nevertheless, it is still important to select the right storage solution and to use it appropriately: this topic is covered in more detail in the Keeping working data safe section.

A wide range of third party online services for gathering and processing research data are also available: activities such as recruiting participants, delivering surveys, and transcribing recordings can often be efficiently undertaken using these. However, before such services are used to work on data for which Oxford is responsible, it is essential to ascertain whether their information security practices are adequate. Once again, the InfoSec team can help: they can provide information on services that have already been deemed to be suitably secure, and where necessary, can help to assess new services through their Third Party Security Assessment process.

When research involves the collection or processing of information that could be used to identify living individuals, data protection rules must be followed.

As a UK-based institution, the University is subject to the UK General Data Protection Regulation (GDPR). When collaborating with institutions in other countries, it may also be necessary to consider other data protection regimes.

It will frequently be obvious that you are gathering personal data. However, there are occasions when you may end up with personal data even when it was not your primary intention to collect it. For example, participants may provide identifiable information in their responses to more general questions. Data like internet IP addresses, genetic information, voice recordings, or certain biological imaging results may also count as personal data, even if not stored with more obvious identifying facts.

This is a complex topic, but fortunately there is plenty of guidance available. The main Research Support website provides a general overview of Data Protection and Research, while a broader treatment of the topic from the University's Information Compliance team is available on the Staff Guidance on Data Protection web pages. This includes resources such as the Data Protection by Design framework (SSO login required): this is a University process that should be worked through for all activities which involve dealing with personal data. If you will be collecting personal data directly from the subjects, there's also a helpful page on Creating Privacy Notices (SSO login required).

The production of a research dataset can lead to the creation of intellectual property such as copyright and database rights. These legal protections recognise the creativity or substantial investment required to generate or compile a collection of data.

As noted above, the University of Oxford's Statutes determine ownership of data created in the course of University research. While there are exceptions (including for some categories of data created by student researchers), the most likely situation is that such data will belong to the University, and not, for example, to the individual researchers who generated it, or to their research group or department. It is important to keep this in mind when thinking about what you will do with your data at the end of the project.

In general, the University is keen to encourage making research data available for reuse where this is appropriate, so the ownership of the data will not normally be a bar to depositing it in an appropriate archive or repository, or to disseminating it via other means such as a project website. See the Sharing data section for more on this topic.

The chief exception to this is in the case of material with the potential for commercial exploitation. This topic is covered in the next section below.

It's worth noting that the University's ownership of much data means that researchers do not have an automatic right to take the data they have generated with them when they leave the University. You should discuss this with your Head of Department in good time, and agree what will happen to your data when you leave. In many cases, there will be no objection to your taking a copy, although you may also be asked to leave a copy in the care of the department. (Note that if it is possible to make a copy of your data available for reuse by depositing it in an archive, this has the additional benefit of ensuring you will always be able to access a copy of it yourself, regardless of whether you are still a member of the University.)

If your research generates a dataset or other intellectual property which is capable of commercial exploitation, the University's Regulations state that this must be reported to your Head of Department and to Research Services. A decision will then be made about how to proceed: this will often involve working with Oxford University Innovation (OUI), the University's technology transfer company.

If your work may lead to a patent application, this must be filed before the first public disclosure of the work. While traditional datasets are relatively unlikely to be key parts of a patent application in themselves, it is possible that they or the protocols attached to them may implicitly embody a patentable process. A well-maintained research notebook can also provide important documentary evidence of who did what (and crucially, when) during the conception and development of an invention. If you are unsure about the implications of sharing data that is related to a potential patent application or other commercial exploitation of research, contact OUI for advice. More information about IP, Patents, and Licences is available from the OUI website.

If you need to share data with specific individuals, such as collaborators at another institution, in a way that limits what they are permitted to do with it (e.g. prohibiting disclosure of commercially sensitive information), you may need to put a formal agreement in place. Research Services can help with drafting a confidentiality or other data sharing agreement.

Research data can also be sensitive for other reasons. For example, it may identify the locations of archaeological sites or the habitats of endangered species, or may provide information about vulnerabilities in national infrastructure which might make them a target for terrorist attack.

In such cases, the researchers working with the data will usually be the people best placed to assess potential risks, and to decide how best to mitigate these. This may be through approaches such as appropriate data security, restriction of access, or redacting data before making it available for reuse. It's also important to establish whether there are any additional relevant legal requirements or professional guidelines, and to make a plan for complying with these.

If you are working with sensitive data and are unsure how to proceed, you can contact Research Data Oxford to talk through the issues involved.