
Ethical and legal issues

The management of research data is regulated by law, in particular in relation to confidential, sensitive and/or personal data.

Ethics of RDM

The management of confidential, sensitive and/or personal data has ethical as well as legal implications. The core principle underpinning the University's Code of practice and principles for good ethical governance is that of avoidance of harm. This includes harm to the welfare and interests of human participants (whether participating actively or through observation/use of their data) and harm to the welfare and interests of the wider community. Two key considerations when managing your research data are:

  • To ensure the security of confidential, sensitive and/or personal data, including access control. For more information see our Storing your data securely web page.
  • To ensure that appropriate consent is in place for the use or reuse of human data.

Further detail can be found in the Code of practice and principles for good ethical governance.

For further guidance on the ethics of research data management, speak to a member of your departmental/subject level ethics committee in the first instance.

All research undertaken in the University's name or on its behalf which falls within the University's framework of ethical principles, regardless of funding source, should undergo review by a University ethics sub-committee and be signed off by the sub-committee before the research commences, even where ethical scrutiny is also undertaken by an outside body.

The review process will include addressing the above considerations where they apply. Details of the University's procedures for conducting ethical review are set out in the Code.

Your funder and/or your professional body may also have requirements and/or guidance relating to the ethical management of research data, which you will need to take into account when addressing the above considerations.

Many research funders now require the researchers they fund to share and preserve their research data. Writing a Data Management Plan at the start of your research project will help you to consider these issues and how you might produce a version of your data that you can share.

University guidance on Data Protection, FOI and IPR

The sections below set out the University's guidance on Data Protection, Freedom of Information and Intellectual Property Rights.

Data Protection

If your research involves working with people, be it through surveys, interviews, trials, experiments, focus groups or other methods, then it is important to know the legal and ethical obligations you have towards research participants.

Ethical guidelines issued by funders and the University cover how you can create and store data. In addition, statutory requirements such as the General Data Protection Regulation (GDPR) and the UK's Data Protection Act 2018 govern the processing of personal data.

The University's:

  • Code of practice and principles for good ethical governance "articulates a set of principles and standards to help identify and address ethical considerations, and sets out the procedures for conducting ethical review". Ethical review will be necessary for "research or research-related activity involving humans". 
  • Data Protection web pages provide guidance, procedures and policy to assist with implementation of the GDPR and the Data Protection Act 2018. The pages include GDPR Compliant Research, which unpicks key issues and provides some guidance on steps researchers should now be taking to ensure compliance.

When gaining consent from participants for gathering personal data you need to include a Privacy Notice with your ethical consent material. This is not a new requirement under data protection legislation. However, the GDPR does introduce more granular requirements for notices. 

All Ethics Chairs have been issued with a standard GDPR compliant Participant Information Sheet. These templates have been amended by individual departments to better reflect departmental need and can be made available, on request, for reuse. For further information contact your department’s ethics committee.

  • Records management guides (login required) offer tips and examples to help support the maintenance and good management of records. Data Security (PDF, 255kb) gives guidance on data acquisition, storage, data retention and the disposal of personal and sensitive data to meet ethical and legal requirements.

For help with data protection compliance, contact dataprotection@york.ac.uk

Freedom of Information

The Freedom of Information Act and Environmental Information Regulations provide members of the public with a general right of access to the recorded information held by the University. The legislation works to promote openness across the public sector. This means you could be required to release information about your research in response to FOI and EIR requests.

For FOI advice, contact foi@york.ac.uk

Intellectual Property Rights

Intellectual Property Rights (IPR), for example copyright or patents, affect and may limit the way you and others can use the outputs of your research. It's therefore important to clarify copyright and intellectual property ownership of any data that you will create or use before your research begins.

If you agree or purchase licences to reuse third party data, be aware of any restrictions this places on what the data can be used for in the future. You should read carefully the terms and conditions associated with the use of third party data, as it's probable that copyright and/or licensing issues apply.

Research funders may expect you to clarify IPR ownership in your Data Management Plan.

For advice on IPR, contact the IP & Legal team

Recommended ethical and legal guidance from other organisations

  • UK Data Service Legal and ethical issues
    Outlines strategies that you can utilise to allow you to share your personal and sensitive data, and meet your funder expectations, whilst protecting data integrity. Consult with your departmental/subject level ethics committee if you are unsure whether your data can be shared or published.
  • Information Commissioner's Office Guide to the General Data Protection Regulation (GDPR)
    Explains the provisions of the GDPR to help organisations comply with its requirements. For a list of the ICO's data protection guidance, including guidance on anonymisation, big data and data sharing, see the ICO's full index (note: this guidance has not been updated since the Data Protection Act 2018 became law, and will be updated soon to reflect the changes).
  • Australian National Data Service Publishing and sharing sensitive data
    Step-by-step advice on what you need to know and do before publishing and sharing your sensitive data, in the Australian context.
  • DCC How to license research data
    A guide to help you decide how to apply a licence to your research data, and which licence would be most suitable.
  • Medical Research Council Tool kits
    The Data and tissues tool kit suggests practical ways to meet legal and ethical requirements relating to the use of personal information (and human tissue samples) in healthcare research.
  • MRC Regulatory Support Centre Research data and confidentiality
    This e-learning module explores the concepts of confidentiality and data protection. It is aimed at all researchers working with data.
  • University of Edinburgh, Research Data MANTRA Data protection, rights and access
    A training module from the MANTRA research data management online course. This module covers ethical obligations, data confidentiality and disclosure, data protection and anonymisation.