Data
Researchers are responsible for managing data appropriately. This is in order to protect the privacy and confidentiality of their participants but also, where applicable, to protect the interests of the public.
All staff should familiarise themselves with the legal requirements of the General Data Protection Regulation (GDPR) by completing the mandatory e-learning programme available on the University's Learning Management System (staff login required).
If the research project involves the use of personal or sensitive data, a Data Protection Impact Assessment (DPIA) should be completed and forwarded to the Information Governance Team (email: rec.man@ncl.ac.uk) to provide expert advice on compliance with the General Data Protection Regulation.
Templates
- Data Protection Impact Assessment template (DPIA)
- Template Privacy Notice for research (WORD:31kb)
Ethical considerations for research data
As mentioned, researchers must protect the privacy and confidentiality of their research participants, since not doing so can have negative implications, particularly when the research data collected is sensitive or personal.
In order to protect the privacy and confidentiality of their research participants, researchers should:
Acquire fully informed consent from participants for collecting, using and storing their data
Researchers should fully inform participants about their research study. See the Human Participation section. This includes informing participants about what data will be collected, how this will be stored, who will have access to the data and how long the data will be kept for.
Avoid acquiring/recording information that is not directly necessary for the study
Data collected should be adequate, relevant, accurate and not excessive for the purposes of the research study. Where possible, researchers should aim to anonymize data. The UK Data Service has useful guidance on how to anonymize quantitative and qualitative data.
Implement measures to minimize the risk of unauthorised/unlawful processing and/or accidental loss/destruction of data
Researchers are responsible for the security of their data and should ensure they have backed up their data too. Where data includes personal data, computer files should be encrypted and/or password protected and hard copies should be kept securely locked away, to allow only agreed researchers to access the data. Personal data should not be kept for longer than is necessary for the purpose for which it was collected. As above, researchers should aim to anonymize data where possible.
Sensitive data
Sensitive data can be thought of as any information that individuals/organisations would expect to be private and protected. Examples of studies where sensitive data may be collected include those involving:
- participants’ accounts of sensitive experiences, for example - domestic violence, rape, mental health, death, murder, abortion, sexual health, bullying
- commercially sensitive data from employees/organisations, for example data collected that could form the basis of valuable patents and licences, or proprietary data containing technical information that if revealed could harm a company’s competitive edge
- irreplaceable historical or environmental data, eg the study of extinct animals
- security sensitive information, eg data collected that could pose a terrorism risk
Please refer to the section on working with human participants for additional considerations on research on security sensitive information.
Personal data
Personal data is information that relates to an identified or identifiable individual, i.e. if an individual can be identified directly or indirectly from the data and the data relates to the individual, it is personal data.
Examples of personal data include:
- names
- date of birth
- contact details: telephone number / address / email address
- IP addresses / cookie identifiers
Special categories of personal data
The General Data Protection Regulation (GDPR) identifies special categories of personal data (similar to sensitive personal data under the 1998 Data Protection Act), which is data that could create more significant risks to a person’s fundamental rights and freedoms.
Examples of special category personal data include:
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics (where used for ID purposes)
- health
- sex life
- sexual orientation
Data already in the public domain
Material about an individual or group of individuals that is already in the public domain, (eg published biographies, newspapers articles, published meeting minutes, interviews broadcast on the radio), is not considered personal data.
However, due to the variety of types of interaction on the internet, it can be a little more difficult to define whether information available on the internet is actually in the public domain. Researchers will need to consider this carefully. People may operate in public spaces but maintain strong perceptions and/or expectations of privacy. For example, an online blogging group may expect the information they post to be private, accessible only within the group in which they post it.
The Association of Internet Researchers (AOIR) have produced guidance with regards to internet specific ethical questions that researchers should consider, (see AOIR Ethical Decision-Making & Internet Research).
Governance considerations for research data
In order to help researchers protect the privacy and confidentiality of their research participants, whilst also encouraging data sharing, Newcastle University has established policies for researchers to follow and monitors their implementation ('governance').
Newcastle University’s research data management policy principles and code of good practice
Researchers should review Newcastle University’s research data management policy, and ensure they adhere to the principles and code of good practice set out in this document. This includes:
Producing a research data management plan
A research data management plan outlines how a researcher will collect, use and store data, during and after the research study. It should specify what data will be collected and who will have access to this data both during and after the research study. The plan should specify any costs for storing research data, and outline how these will be met. (The University will provide up to 500GB of shared file storage per project. Storage above this provision should be costed at £97/TB per annum). Research data should remain available for 10 years following any publication.
Depositing research data in a data repository
Researchers should deposit their research data in an appropriate data repository, in order to encourage data sharing. The majority of research funders expect research data to be made openly available with as few restrictions as possible, following a research study. Therefore, researchers need to consider how they will preserve and publish data following the research study, and will need to inform participants of the possibility of other researchers accessing and using their data, and acquire their consent.
Researchers are responsible for making themselves familiar with and adhering to legislation, funder guidance and University policy governing their research data.
Researchers should be familiar with and adhere to:
- The General Data Protection Regulation (GDPR)
- Funder Data Policies, including for example:
- UK Research and Innovation (UKRI)
- Arts & Humanities Research Council (AHRC)
- Biotechnology & Biological Sciences Research Council (BBSRC)
- Economic & Social Research Council (ESRC)
- Engineering & Physical Sciences Research Council (EPSRC)
- Medical Research Council (MRC)
- Natural Environment Research Council (NERC)
- Science & Technology Facilities Council (STFC)
Newcastle University’s Research Data Service (RDS) supports researchers with Research Data Management (RDM).
If you wish to recommend any changes to the information above, please contact: res.policy@ncl.ac.uk.