Know your legal and ethical responsibilities
How to ensure your research data management meets legal and ethical requirements, including information on GDPR.
There are legal responsibilities to consider when creating, preserving, and sharing data. These include data protection (GDPR), Intellectual Property Rights, Copyright, and Licences. The laws and regulations relevant to specific research areas, such as clinical trials regulations and the Human Tissues Act, also need to be observed. Some of the legislation and regulation is included on the UWE Bristol Code of Good Research Conduct. The UK Data Service provides further information on your obligations when sharing information and how to comply with GDPR.
The UWE Bristol Research Governance Team have produced a Research Governance Record to ensure that all legal and ethical aspects of research have been fully considered. Please contact email@example.com to request access to the Research Governance Record.
The Digital Curation Centre have also produced a Checklist on Legal Aspects of RDM.
Intellectual Property Rights
Intellectual property rights, or IPR, affect the way research outputs can be used. Failure to clarify rights at the start of the research process can lead to unexpected limitations that affect:
- your research
- dissemination of your research
- future related research projects
- associated profit or credit
- your reputation and that of the University.
UWE Bristol advice on intellectual property is available in the Intellectual Property and Knowledge Transfer Guide (staff intranet), and also within the Code of Good Research Conduct and Policy. There is also some helpful advice on the government intellectual property office website.
Copyright and legal protection
Information regarding copyright is provided on the library's copyright webpages. The Code of Good Research Conduct and Policy should be consulted for advice on intellectual property and legal protection.
Mechanisms to permit the re-use of your research data and materials
If you wish to share and allow re-use of your data but with some restrictions, Creative Commons licences provide standard options to enable use of your data in selected ways and restrict other uses.
The Creative Commons website explains the licence options and provides a licence chooser tool to enable you to select the most appropriate license. Remember some funders and publishers may stipulate the type of licence that is required.
Research is governed by a broad range of legislative and regulatory frameworks. It is essential that the collection, storage and any eventual archiving and re-use is compliant with these requirements. Full guidance is provided in the UWE Bristol Code of Good Research Conduct.
Using online materials in your research
There are a number of issues when using online materials. This partly depends on how these materials are licensed. Even if there is no '©' or 'all rights reserved' notice, intellectual property rights are still applicable. When in doubt, contact the website administrator or publisher directly. However it is also essential to ensure that the source of the online materials has the rights to use them, and to allow you to use them for your specific research purpose.
The University Research Ethics Committee has produced information on how to conduct and manage social media research within their guidance webpages.
General Data Protection Regulation (GDPR)
It is your and UWE Bristol's duty to ensure that any data you gather is handled correctly. The General Data Protection Regulation (GDPR), which governs the processing of personal data, must be adhered to. For more information about GDPR, staff should consult the General Data Protection Regulation pages on the staff intranet.
UWE Bristol provides guidelines to help staff undertaking research to comply with legal requirements for data protection within the secure storage area available on the staff intranet.
The Research Governance Team have produced research data security guidance for researchers. Remember that researchers are personally responsible for any breach in data security arising from failures in relation to their data responsibilities.
The Information Commissioners Office (ICO) is formally responsible for data protection and has produced useful guidance.
GDPR and Research data
GDPR applies to the collection, storage and use of anything that might in any way be used to identify an individual. This includes name, ID number, location (including IP address and data from cookies), online identifiers, physical and physiological factors, biometrics, and genetic, mental, economic, cultural or social identity. Note, this does include data where the only identifier is a code, for example a study identifier, if that code can be related back to an individual in any way, e.g. by a registration log held by the PI. This is referred to as ‘pseudonymised data’.
GDPR does not apply if your research involves only fully anonymised data (so there is no way of linking it back to the individual it relates to, including through use of a code or numerical identifier).
GDPR requires additional conditions to be satisfied when dealing with ‘Special category data’. These are particularly sensitive personal data including racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health, sex life, and sexual orientation.
If you are dealing with identifiable personal information you have a responsibility to keep the data safe and report any breaches. To comply with data minimisation requirements, you should that the data collected is:
- adequate – sufficient to properly fulfil your stated purpose
- relevant – has a rational link to that purpose
- limited to what is necessary – you do not hold more than you need for that purpose.
GDPR has implications for anyone using identifiable personal information in their research. All staff and postgraduate research students must complete mandatory e-learning training on data protection and information security (both located on the staff intranet).
You should consult the Data Protection Standard for Research (PDF) to ensure your research is GDPR compliant. If you wish to discuss your individual situation, please contact the Research Governance Team.
Things to consider when completing your research data management plan in relation to GDPR
- Does your research involve human participants?
- Will you be collecting any personal data? If yes, consider whether you need to complete a Data Protection Impact Assessment (staff intranet). Advice and guidance on completing a DPIA can be obtained from the Data Protection Office at firstname.lastname@example.org
- Will any personal data be transferred outside Europe?
- If you will be collecting identifiable data in situ, how will you keep it safe?
- Where will the data be stored and how will it be encrypted?
- Are you planning to make any of the data openly available? If so, how will you ensure that it is fully anonymised, and where are you going to preserve it?
- Does your consent form include permission to share anonymised data? Are the participant information forms comprehensive enough to satisfy GDPR transparency requirements on the right to be informed?
The University has set in place detailed requirements and guidance in relation to research ethics. These are set out in the research ethics webpages.
Ethical responsibilities in research data management.
It is essential that ethics approval is obtained prior to the start of any research activity. It is the responsibility of each researcher to adhere to the ethics requirements of their research project.
Obtaining ethics approval
All research involving human participants, their tissue or their data must be subject to research ethics scrutiny by the University's Research Ethics Committee (UREC) and/or the relevant Faculty Research Ethics Committee (FREC). Human Tissue Legislation and NHS Health Research Authority requirements must also be consulted and adhered to where appropriate.
Research conducted with external collaborators, for example, the NHS, should also be referred to their relevant ethics committees.
Research which does not involve human participants, but is sensitive for other reasons (such as potential negative environmental risk, or security sensitive research) may also be considered by the UWE Bristol ethics committees.
It is fundamentally important that a favourable ethical opinion is received from the appropriate ethics committee prior to research data being collected or generated.
UWE Bristol Research Ethics policy, procedures, guidance and frequently asked questions are provided on the research ethics guidance.
Obtaining informed consent
Obtaining freely given informed consent is central to research involving human participants. Consent needs to make clear what the data will be used for and whether it will be shared/preserved. The activities covered by informed consent should be considered prior to and throughout the research lifecycle.
It is important to note that, as far as is practical, individuals have the right to withdraw from a study at any point. When the research data is collected, it is essential that it is made clear the point at which this would become impracticable. You will need to ensure that you comply with what you have told the research participants, and have in place mechanisms to permit this. This will also have implications for the way data is stored and archived and how re-use is permitted.
Sharing or publishing data
The confidentiality of research participants must always be protected in line with the informed consent for the research. This means that what you say to participants in the participant information about how their data may be retained, shared, and/or used in publication is crucial; because you can only do what you have told them you will do.
If data is to be anonymised to permit sharing, this should be made clear at the consent stage. You should also pay careful attention to the extent to which your research data can be truly anonymised.
The UK Data Archive provides a wide range of advice on collecting data which will be preserved and shared including some guidance on anonymisation (see page 26).
You should always consult with your Faculty Research Ethics Committee if you are unsure whether the data you wish to share or publish can be used.