Most research data - even sensitive data - can be shared ethically and legally if researchers employ strategies of informed consent, anonymisation and controlling access to data. Researchers obtaining data from people are expected to maintain high ethical standards and comply with the relevant legislation.
Researchers must adhere to data protection requirements when managing or sharing personal data. However, not all research data obtained from people count as personal data. If data are anonymised then the Act will not apply as they no longer constitute 'personal data'. The Data Protection Act 1998 (DPA) provides some exceptions for research data and applies only to personal or sensitive personal data, and not to all research data in general, nor to anonymised data. The new EU General Data Protection Regulation will come into effect in 2018 and will also play a key role in managing and sharing research data.
The DPA defines 8 principles that deal with the processing of personal data relating to identifiable living people. All such data must be:
Personal data are records or other information that on its own, or linked with other data or information in the possession of the data controller, can reveal the identity of an actual living person.
Sensitive personal data are data on a person's race, ethnic origin, political opinion, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of an offence, proceedings for an offence (alleged to have been) committed, disposal of such proceedings or the sentence of any court in such proceedings.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g., an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g., key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
1. Research should aim to maximise benefit for individuals and society and minimise risk and harm
2. The rights and dignity of individuals and groups should be respected wherever possible, participation should be voluntary and appropriately informed
3. Research should be conducted with integrity and transparency, lines of responsibility and accountability should be clearly defined
4. Independence of research should be maintained and where conflicts of interest cannot be avoided they should be made explicit.
5. Informed consent is an ethical requirement for most research and must be considered and implemented throughout the research lifecycle, from planning to publication to sharing
6. Failure to properly address issues of consent may restrict the opportunities for initial use of data, the publishing of your results and the sharing of the data
7. In order to make sure that research data can be made available for future reuse, it is important that consent for future reuse of the data by other researchers is sought from participants. Participants should be informed how research data will be stored, preserved and used in the long-term, and how confidentiality can be protected when needed.
8. Consent forms should not preclude data sharing. So promises to destroy the data or promises that the data will only be seen or accessed by the research team should be avoided
9. Terms such as 'fully anonymous' or 'strictly confidential' should be avoided, as they are often impossible to define. It would be better to indicate how data will be anonymised (e.g. by removing all personal information that could directly identify an individual) and that whilst data will be made available to other researchers, confidentiality will be protected.
10. Consent procedures must be tailored for the specific research context, methods and sample, the nature of the data (personal, sensitive, level of detail), the format of the data (surveys, written, recordings) and the planned data uses and handling. This will influence the type of consent and consent process used
11. It is important to note that researchers are not obliged to obtain consent. They are obliged to seek consent and to impartially advise participants about risks and benefits of research participation and data sharing. Participants then decide what they will consent to.