Accessibility statement

Restricting access to data

Concordat on Open Research Data Principle #2 states:

"There are sound reasons why the openness of research data may need to be restricted but any restrictions must be justified and justifiable."

The University and funders recognise that there are constraints on the open1 release of research data.

Before publishing research data it is important that you consider the wider consequences of your research and identify any legal, ethical, contractual or commercial reasons to restrict access to data.

In some cases you may not be able to share data at all, though this can often be avoided by considering the issues from the start and planning your data management.2

The key principle to bear in mind is to be as "open as possible, as closed as necessary".

Reasons to restrict access to data

Click on the options below to find out why you may need to consider restricting access to:

Personal data

Personal data is information that relates to an identified or identifiable individual

If your research involves human participants, you will have to comply with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 which came into force on 25 May 2018. At the same time, research data obtained from people can be published in a data repository, shared and reused in future if you pay attention to gaining consent for data sharing, de-identifying data where needed and controlling access.

If your intention is to deposit the data in a repository/archive (in anonymised or any other form) so it can be used by others you must obtain the explicit, written, informed consent of study participants.

Even if consent is obtained, it is usually 'safer' to publish anonymised data and to consider controls on data access.

Reasons to restrict access to personal data:

  • You do not have informed consent from participants to archive and share the data.
    Informed consent should specify what you are allowed to share, to whom, for what use and under what conditions.
  • You have anonymised the data but consider there to be a risk of identification resulting from linkage to other data.
    Unlinked, truly anonymised data (data from which a living individual cannot be identified and where the link/key to individuals is irreversibly broken) is no longer classified as personal data. However, true anonymisation is often difficult to achieve and may limit the data's reuse potential.

For help with data protection compliance: see the University’s Data protection web pages (including GDPR Compliant Research, which unpicks key issues and provides some guidance on steps researchers should be taking to ensure compliance) or contact The data protection training resources site includes recordings of training delivered to specific audiences.

For more information on anonymising data: see the guidance provided by the Information Commissioner's Office Anonymisation code of practice [PDF] and by the UK Data Service. The Anonymisation Decision Making Framework, a practical guide to GDPR-compliant anonymisation provided by the UK Anonymisation Network may also be useful.

For guidance on gaining informed consent from study participants: see the information provided by the UK Data Service on Consent for data sharing.

Sensitive or confidential data

Even if data is not personal as defined in the Data Protection Act, it still may not be ethical to share them openly. There may be circumstances where the inappropriate release of data might put research participants, the public or vulnerable groups at risk. For example, domestic energy usage data could be used to determine occupancy patterns in participants' homes.

Confidential … "Information which is sensitive because it is personal data, commercial or legal information, under embargo prior to wider release, or which could not be disclosed under Freedom of Information legislation."

If you are working with confidential information/data, the terms of contract for the data will not only stipulate how such data should be managed but also express strict controls on access or sharing.

The University’s guidance on Information security includes an Information Classification and Handling Scheme. The Scheme sets out the appropriate handling of confidential information to mitigate risks arising from loss, theft or unauthorised access.

For help with ethical compliance: see the University’s Research integrity and ethics web pages, the Code of Practice on Research Integrity and the Code of practice and principles for good ethical governance; contact the Chair of your Departmental/Subject Ethics Committees.

For guidance on information security: see the University’s Using and protecting information and the Information Security Policy; contact the IT Support.

For more information on restricting access to sensitive and confidential information: see the guidance provided by UK Data Service.

Commercially sensitive data

If you handle commercially sensitive data, for example data provided by a commercial partner or data collected from industry-based research participants, your ability to share data is likely to be defined by the terms of contract or by collaboration/participation agreements with your commercial sponsor or partner.

The need to comply with confidentiality clauses and contractual obligations would be valid justifications for withholding research data. However, it may be possible to share such data with other researchers, subject to non-disclosure agreements.

It is important to negotiate with commercial partners about the sharing of research data before your research begins, particularly for publicly funded research.

For help with contractual negotiation and compliance: see the University's Contract Drafting and Negotiations web pages; contact the Research and Knowledge Exchange Contracts Team.

Data with commercial potential

The data you create might have commercial potential/value. These data might eventually be suitable for sharing, but delaying access can often be justified to allow time to assess and protect the commercial potential of the research (eg through the use of embargoes).

If you think your research might have commercial value, you should consult with the University's Commercialisation Team for advice on commercialisation before you publish the data.

Data that's not yours, i.e. you do not own the intellectual property rights in the data

Before you can openly share research data you need to ensure that you have the right to do so, including ownership rights and conditions of use. It is therefore vital to clarify copyright and intellectual property ownership of any data that you will use before your research begins.

In general, if you create original research data, ownership or intellectual property rights in the data are typically held by the University or the person who gathered the data. However, this presumption can be altered by contract (eg where a funder takes ownership of the resulting intellectual property).

Issues around data ownership, who has the rights to share or prohibit the sharing of data, occur for:

  • third party data. If you reuse existing data obtained from a third party (eg data from online repositories or data provided by project collaborators) the data is not yours and you will need to ensure that you understand and comply with the terms and conditions of use.
  • sponsored or collaborative research. Ownership rights are likely to be governed by the terms of any funder or collaboration agreements which are in place. Where research is funded by an external partner, or where an external partner makes a contribution to a project, the partner may be awarded intellectual property rights in the results, including the research data.
    It is recommended that future research-related agreements ensure that publicly funded research involving third parties is planned and executed in such a way that published findings can be scrutinised and, if necessary, validated by others.

For help with intellectual property rights: see the University's Intellectual property web pages and the Policy on Intellectual Property; contact the Research and Knowledge Exchange Contracts Team.

For further information and guidance about copyright compliance: see the University’s Copyright web pages and Copyright: a practical guide; for advice, contact:

Access restrictions

Restricting access to the whole or any part of the dataset so it is not freely and openly downloadable.

It is your responsibility to be clear on the restrictions that need to be imposed to safeguard your data. It is therefore important to document why and how you intend to restrict access to the data; to inform the data archive or repository, to inform prospective users of the data, and where appropriate, to justify your decisions to your funder.

Several techniques can be used to restrict access to data, for example:

  • Placing data under embargo for a given period of time, during which access would be completely restricted. Embargoes might be used to:
    • delay access whilst patents are filed or while research is commercialised.
    • permit a reasonable period of first exclusive use3, to give the researcher an opportunity to publish or otherwise exploit the results of their research.
    • ensure that archived data are not published before the articles based upon them are published, in line with publisher requirements.
  • Some data archives (eg the UK Data Archive) provide registered access, requiring potential users to register before they are able to access data. Some archives may grant access only to registered users that meet certain criteria.
  • Granting access upon request, for example nominating a contact whose permission must be obtained before access to the data is granted. This might be necessary if checks need to be made, to e.g. assess whether the requester is working on a suitable project or has a conflict of interest.
  • Non-disclosure or confidentiality agreements can be used to share confidential or sensitive data with specific individuals, for specific purposes and under specific terms. Contact the Research and Knowledge Exchange Contracts Team if such an agreement is required.

Please note: The University's Research Data York service cannot accommodate all access restrictions. If you plan to deposit data to Research Data York and you have identified reasons to restrict access, you should discuss these with the Open Research team ( as early as possible.

For research data obtained from people (personal data), see the specific requirements that need to be met on the Deposit and sharing of sufficiently anonymised personal data.

Applying access restrictions

Concordat on Open Research Data states:

"It is not always appropriate to make research data openly accessible, and there are a variety of legitimate reasons to restrict access, however, the concordat takes as its starting axiom that, where possible, making research data openly available for inspection and use by others is an inherent good with many benefits."

Any restrictions on data access should be reasonable, transparent and in line with established best practice.

The same level of restriction does not need to be applied to all your research data, ie not everything has to either be openly available to the public or completely restricted.

There are many types of access control that can be applied to all or part of your data, some of which will still allow you to share your data but only with specific users under certain conditions.

This should always be considered in preference to a complete restriction on the whole dataset.

If you are unsure as to whether you could or should make your data openly available, please contact the Open Research team before you publish your data.

[Back to top]


1 The Open Definition "Open means anyone can freely access, use, modify, and share for any purpose (subject, at most, to requirements that preserve provenance and openness)."

2 Concordat on Open Research Data Principle #6 states "Good data management is fundamental to all stages of the research process and should be established at the outset."

3 Concordat on Open Research Data Principle #4 states "The right of the creators of research data to reasonable first use is recognised" and the RCUK's Guidance on best practice in the management of research data addresses six valid reasons for a period of exclusive use. However, funders' data policies differ so you should  always check what is permitted.