Research data management

Data protection and ethics

Researchers need to maintain high ethical standards and adhere to data protection laws when obtaining data from people via questionnaires, interviews, etc. If you are undertaking such research you have a duty to ensure that any data gathered and shared is handled correctly and in accordance with the law. The following guide gives a simple introduction to data protection law and ethics (for further legal advice please contact the University of Sussex Data Protection Officer - dpo@sussex.ac.uk).

Could data protection laws and ethics have an affect my research data?


If you are collecting data from people it may hold personal, sensitive or confidential information. Laws such as the Data Protection Act 1998 govern the processing of such data. The university's ethical guidelines plus those issued by your research funder also need to be observed. If any of the following definitions apply to your data you will need to consider data protection laws and your research funder's / the university's code of ethics.

Personal data - data which relate to a living individual who can be indentified - 
(a) from those data or 
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, 
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual (Data Protection Act 1998)

Confidential data - confidential data are data given in confidence or data agreed to be kept confidential between two parties, that are not in the public domain such as information on business, income, health, medical details, and political opinion.

Sensitive personal data - sensitive personal data are defined in the Data Protection Act 1998 as data on a person's race, ethnic origin, political opinion, religious or similar beliefs, trade union mebership, physical or mental health condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.

Do I need to anonymise my data?


Personal information held within research data should not be disclosed to others unless the respondent has given specific consent to do so. In which case you made need to anonymise their data so that they cannot be identified by any third parties with whom you share your work.

Data may be anonymised by:

  • removing direct identifiers, e.g. name or address
  • aggregating or reducing the precision of information or a variable, e.g. replacing date of birth by age groups
  • generalising the meaning of detailed text, e.g. replacing a doctor’s detailed area of medical expertise with an area of medical speciality
  • using pseudonyms
  • restricting the upper or lower ranges of a variable to hide outliers, e.g. top-coding salaries

It can be time consuming and, as a result, costly to anonymise research data, especially if not planned for early in the research life cycle or left until the end of a project. Therefore it is crucial to consider whether you will need to anonymise your data when making your data management plan.

Do I need consent to share my data?


You are expected to obtain informed consent from those who participate in your research and for the use of the data you collect. Participants should be informed of the following:

  • purpose of the research
  • what is involved in participation
  • benefits and risks
  • mechanism of withdrawal
  • data uses – primary research, storing, processing, reuse, sharing, archiving, etc.
  • strategies to ensure confidentiality of data where this is relevant – anonymisation, access restrictions, etc.

Only after such sufficient information has been provided on all aspects of participation and data use should you then obtain written or verbal consent from the participant. Consent must never be inferred from a non-response to a communication such as a letter. Without consent, opportunities for sharing data with other researchers can be jeopardised.

Written or verbal consent?

This depends on the nature of the research, the kind of data gathered, the data format and how the data will be used.

For detailed interviews or research where personal, sensitive or confidential data are gathered, the use of written consent forms is recommended.

This will ensure compliance with the Data Protection Act and institutional/funder ethical guidelines. Written consent typically includes an information sheet and consent form signed by the participant. The UK Data Service has a selection of example consent forms for different purposes. Verbal consent agreements can be recorded together with audio or video recorded data.

For surveys or informal interviews, where no personal data are gathered or personal identifiers are removed from the data, obtaining written consent may not be required. In this case, an information sheet should still be provided covering the above points together with the identity of the researcher(s).