Concordat on Open Research Data Principle #2 states:
"There are sound reasons why the openness of research data may need to be restricted but any restrictions must be justified and justifiable."
The University and funders recognise that there are constraints on the open[1] release of research data.
Before publishing research data it is important that you consider the wider consequences of your research and identify any legal, ethical, contractual or commercial reasons to restrict access to data.
The key principle to bear in mind is to be as "open as possible, as closed as necessary".
Personal data is information that relates to an identified or identifiable individual.
If your research involves human participants, you will have to comply with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 which came into force on 25 May 2018. At the same time, research data obtained from people can be published in a data repository, shared and reused in future if you pay attention to gaining consent for data sharing, de-identifying data where needed and controlling access.
If your intention is to deposit the data in a repository/archive (in anonymised or any other form) so it can be used by others, you must obtain the explicit, written, informed consent of study participants.
Even if consent is obtained, it is usually 'safer' to publish anonymised data and to consider controls on data access.
Reasons to restrict access to personal data:
For help with data protection compliance: see the University’s Data protection web pages (including GDPR Compliant Research, which unpicks key issues and provides some guidance on steps researchers should be taking to ensure compliance) or contact firstname.lastname@example.org. The data protection training resources site includes recordings of training delivered to specific audiences.
For more information on anonymising data: see the guidance provided by the Information Commissioner's Office Anonymisation code of practice [PDF] and by the UK Data Service. The Anonymisation Decision Making Framework, a practical guide to GDPR-compliant anonymisation provided by the UK Anonymisation Network, may also be useful.
For guidance on gaining informed consent from study participants: see the information provided by the UK Data Service on Consent for data sharing.
Even if data are not personal as defined in the Data Protection Act, it still may not be ethical to share them openly. There may be circumstances where the inappropriate release of data might put research participants, the public or vulnerable groups at risk. For example, domestic energy usage data could be used to determine occupancy patterns in participants' homes.
Confidential … "Information which is sensitive because it is personal data, commercial or legal information, under embargo prior to wider release, or which could not be disclosed under Freedom of Information legislation."
If you are working with confidential information/data, the terms of contract for the data will not only stipulate how such data should be managed but also express strict controls on access or sharing.
The University’s guidance on Information security includes an Information Classification and Handling Scheme. The Scheme sets out the appropriate handling of confidential information to mitigate risks arising from loss, theft or unauthorised access.
For help with ethical compliance: see the University’s Research integrity and ethics web pages, the Code of Practice on Research Integrity and the Code of practice and principles for good ethical governance; contact the Chair of your Departmental/Subject Ethics Committee.
For guidance on information security: see the University’s Using and protecting information and the Information Security Policy; contact IT Support.
For more information on restricting access to sensitive and confidential information: see the guidance provided by UK Data Service.
If you handle commercially sensitive data, for example data provided by a commercial partner or data collected from industry-based research participants, your ability to share data is likely to be defined by the terms of contract or by collaboration/participation agreements with your commercial sponsor or partner.
The need to comply with confidentiality clauses and contractual obligations would be valid justifications for withholding research data. However, it may be possible to share such data with other researchers, subject to non-disclosure agreements.
It is important to negotiate with commercial partners about the sharing of research data before your research begins, particularly for publicly funded research.
The data you create might have commercial potential/value. These data might eventually be suitable for sharing, but delaying access can often be justified to allow time to assess and protect the commercial potential of the research (eg through the use of embargoes).
If you think your research might have commercial value, you should consult with the University's Commercialisation Team for advice on commercialisation before you publish the data.
Before you can openly share research data you need to ensure that you have the right to do so, including ownership rights and conditions of use. It is therefore vital to clarify copyright and intellectual property ownership of any data that you will use before your research begins.
In general, if you create original research data, ownership or intellectual property rights in the data are typically held by the University or the person who gathered the data. However, this presumption can be altered by contract (eg where a funder takes ownership of the resulting intellectual property).
Issues around data ownership, who has the rights to share or prohibit the sharing of data, occur for:
For help with intellectual property rights: see the University's Intellectual property web pages and the Policy on Intellectual Property; contact the Research and Knowledge Exchange Contracts Team.
For further information and guidance about copyright compliance: see the University’s Copyright web pages and Copyright: a practical guide; for advice, contact: email@example.com
Restricting access to the whole or any part of the dataset so it is not freely and openly downloadable.
It is your responsibility to be clear on the restrictions that need to be imposed to safeguard your data. It is therefore important to document why and how you intend to restrict access to the data: to inform the data archive or repository, to inform prospective users of the data and, where appropriate, to justify your decisions to your funder.
Several techniques can be used to restrict access to data, for example:
Please note: The University's Research Data York service cannot accommodate all access restrictions. If you plan to deposit data to Research Data York and you have identified reasons to restrict access, you should discuss these with the Open Research team (firstname.lastname@example.org) as early as possible.
For research data obtained from people (personal data), see the specific requirements that need to be met on the Deposit and sharing of sufficiently anonymised personal data.
Concordat on Open Research Data states:
"It is not always appropriate to make research data openly accessible, and there are a variety of legitimate reasons to restrict access, however, the concordat takes as its starting axiom that, where possible, making research data openly available for inspection and use by others is an inherent good with many benefits."
Any restrictions on data access should be reasonable, transparent and in line with established best practice.
The same level of restriction does not need to be applied to all your research data, ie not everything has to either be openly available to the public or completely restricted.
There are many types of access control that can be applied to all or part of your data, some of which will still allow you to share your data but only with specific users under certain conditions.
This should always be considered in preference to a complete restriction on the whole dataset.
If you are unsure as to whether you could or should make your data openly available, please contact the Open Research team before you publish your data.
1 The Open Definition "Open means anyone can freely access, use, modify, and share for any purpose (subject, at most, to requirements that preserve provenance and openness)."
2 Concordat on Open Research Data Principle #6 states "Good data management is fundamental to all stages of the research process and should be established at the outset."
3 Concordat on Open Research Data Principle #4 states "The right of the creators of research data to reasonable first use is recognised" and the RCUK's Guidance on best practice in the management of research data addresses six valid reasons for a period of exclusive use. However, funders' data policies differ so you should always check what is permitted.