Ethics and Research Data Management

Most research data – even sensitive data – can be shared ethically and legally if researchers employ strategies of informed consent, anonymisation and controlling access to data. Researchers obtaining data from people are expected to maintain high ethical standards and comply with the relevant legislation.

Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute ‘personal data’. The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and plays a key role in managing and sharing research data.

8 principles

The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:

  • Processed fairly and lawfully
  • Obtained and processed for a specified purpose
  • Adequate, relevant and not excessive for the purpose
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the rights of data subjects, for example, the right to be informed about how data will be used, stored, processed, transferred, destroyed; and the right to access information and data held
  • Kept secure
  • Not transferred abroad without adequate protection

The DPA and sharing data

Consider:

  • Do you really need to collect personal data? Often information such as participants’ names and addresses are collected for administrative purposes only and have no research value. Not collecting personal data in the first place may make it easier to manage and share your data. Alternatively if they do need to be collected, for example, for follow-up interviews, they should be stored separately from research data.
  • Inform your participants about use of personal data. All researchers must inform research participants about how any personal data collected about them will be used, stored, processed, transferred and destroyed. Personal data can only be disclosed if explicit consent has been given to do so, although there may be exceptions for legal reasons.

Definitions

  • Personal data: Personal data are records or other information that on its own, or linked with other data or information in the possession of the data controller, can reveal the identity of an actual living person.
  • Sensitive personal data: Sensitive personal data are data on a person’s race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.

Ethical Guidelines

  1. Research should aim to maximise benefit for individuals and society and minimise risk and harm
  2. The rights and dignity of individuals and groups should be respected wherever possible, participation should be voluntary and appropriately informed
  3. Research should be conducted with integrity and transparency, lines of responsibility and accountability should be clearly defined
  4. Independence of research should be maintained and where conflicts of interest cannot be avoided they should be made explicit.

Consent for data sharing

  • Informed consent is an ethical requirement for most research and must be considered and implemented throughout the research lifecycle, from planning to publication to sharing.
  • Failure to properly address issues of consent may restrict the opportunities for initial use of data, the publishing of your results and the sharing of the data.
  • In order to make sure that research data can be made available for future reuse, it is important that consent for future reuse of the data by other researchers is sought from participants.
  • Participants should be informed how research data will be stored, preserved and used in the long-term, and how confidentiality can be protected when needed.

Language to avoid

  • Consent forms should not preclude data sharing. So promises to destroy the data or promises that the data will only be seen or accessed by the research team should be avoided.
  • Terms such as ‘fully anonymous’ or ‘strictly confidential’ should be avoided, as they are often impossible to define. It would be better to indicate how data will be anonymised (e.g. by removing all personal information that could directly identify an individual) and that whilst data will be made available to other researchers, confidentiality will be protected.

How to seek consent for data sharing

  • Consent procedures must be tailored for the specific research context, methods   sample, the nature of the data (personal, sensitive, level of detail), the format of the data (surveys, written, recordings) and the planned data uses and handling. This will influence the type of consent and consent process used.
  • It is important to note that researchers are not obliged to obtain consent. They are obliged to seek consent and to impartially advise participants about risks and benefits of research participation and data sharing. Participants then decide what they will consent to.

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g., an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – e.g., key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.