chat loading...
As a researcher working with data as part of a University project, it’s worth being aware that there are a number of contexts in which you are considered to be acting as a representative of the University, rather than a private individual.
Where personal data is involved, it is the University, and not the individual researcher, that is the Data Controller, or the body with ultimate legal responsibility. This means that if a University of Wales Trinity Saint David researcher were to inadvertently release such data, it would be the University that had to answer to the Information Commissioner’s Office (ICO).
Funding agreements and non-disclosure agreements are usually signed by a representative of the University, not individual researchers. This means that individual researchers are insulated from many risks associated with regulatory and legal compliance. However, it also means that researchers must seek to minimise the University’s exposure to the same risks, by asking for support where they feel uncertain about how best to handle their data.
If your research project involves human participants, personal data, and/or regulated material and procedures, it will need to be reviewed and approved by the University’s Ethics Committee before the research begins.
Any research data relating to human participants will need to be carefully managed. This may include using suitably secure storage (and transferring data securely when it is moved), and putting in place appropriate restrictions on who can access the data: see the Keeping working data safe section for more on this topic. It is also important to ensure participants have full information about how their data will be used – and, of course, that any assurances made are acted upon.
Thought needs to be given to what will happen to the data at the end of the project. It is best to factor this into plans from the beginning: this means that, for example, research participants can be enabled to make a properly informed decision about whether to take part, and where appropriate, consent for further use of data can be sought. If data is to be retained, a suitable home for it (such as a data archive) will need to be identified. Personal data is often not suitable for open sharing for reuse, but it may be possible to provide restricted access, or to share an anonymised, aggregated, or otherwise redacted version of the data. In cases where data cannot be retained and preserved, secure destruction may be needed. See the Post-project data preservation section for more on this topic.
Further guidance can be found on the University’s Research Integrity and Ethics pages.
The UK Data Service offers a Research Data Management guide which covers ethical issues, data protection, and anonymisation. Your funding body may also provide guidelines on creating, storing, and working with data in such cases.
Making sure that research information is securely stored is extremely important for several reasons. At the simplest level, secure storage and processing ensures that the data remains available for as long as it is needed, and confidentiality and integrity of information are protected.
Information security also underpins other important aspects of good research practice. Complying with personal data regulations requires good information security, to ensure the data is only accessed by authorised people, and remains accurate and uncorrupted. External funders, commercial partners, and collaborating research institutions will also often require an agreed level of information security good practice.
The University’s Research Data Management Policy, Data Protection Policy and IT Acceptable Use Policy provide guidance for categorising and dealing safely with data across the University, including appropriate storage mechanisms. UWTSD also provides an Information Security Awareness e-learning course with an overview of the key considerations and good practice in this area.
A wide range of third party online services for gathering and processing research data are also available. Before such services are used to work on data for which UWTSD is responsible, it is essential to check whether their security practices are adequate and meet the requirements of UWTSD and funder policy. For further advice please contact INSPIRE or the IT Service Desk.
If you need to share data with specific individuals, you may need to put a formal agreement in place. Where proposed research projects involve collaboration with third parties (e.g. another university, NHS Trust or other external partner) and the sharing of personal data, special category data, criminal convictions or offences data or pseudonymised data is anticipated, an appropriate contract or data sharing agreement must be put in place before any data is exchanged. Requests for agreements should be channelled through the University’s INSPIRE team .
When research involves the collection or processing of information that could be used to identify living individuals, data protection rules must be followed.
As a UK-based institution, the University is subject to the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018. When collaborating with institutions in other countries, it may also be necessary to consider other data protection regimes.
It will frequently be obvious that you are gathering personal data. However, there are occasions when you may end up with personal data even when it was not your primary intention to collect it. For example, participants may provide identifiable information in their responses to more general questions. Data like internet IP addresses, genetic information, voice recordings, or certain biological imaging results may also count as personal data, even if not stored with more obvious identifying facts.
Section 6 of the University’s Research Data Management Policy outlines the obligations arising from the UK GDPR and Data Protection Act on research data.
The production of a research dataset can lead to the creation of intellectual property such as copyright and database rights. These legal protections recognise the creativity or substantial investment required to generate or compile a collection of data.
The University’s Research Data Management Policy states that, unless otherwise specified in the terms of any specific research grant or contract, research data which supports a scholarly work produced by a member of University staff shall by owned by the University. Research data supporting a scholarly work produced by a University student shall remain the intellectual property of the student.
The University is keen to encourage making research data available for reuse where this is appropriate, so the ownership of the data will not normally be a bar to depositing it in an appropriate data archive or repository, or to disseminating it via other means such as a project website. See the Sharing data section for more on this topic.
Aside from personal data, the main exception to this is in the case of material with the potential for commercial exploitation, which is covered in the next section below.
Staff may not have an automatic right to take the data they have generated with them when they leave the University. Please consult the Staff Intellectual Property Policy for further information. You should discuss this with your line manager in good time and agree what will happen to your data when you leave. If it is possible to share your research data by depositing it in a data archive, this has the additional benefit of ensuring you will always be able to access a copy of it yourself, regardless of whether you are still a member of the University.
If your research generates a dataset or other intellectual property which is capable of commercial exploitation, it is very important that this is not shared, made publicly available or discussed with anyone unless a non-disclosure agreement is put in place. Please consult the Staff Intellectual Property Policy for further information and contact INSPIRE for advice.
Research data can also be sensitive for other reasons. For example, it may identify the locations of archaeological sites or the habitats of endangered species, or may provide information about vulnerabilities in national infrastructure which might make them a target for terrorist attack.
In such cases, the researchers working with the data will usually be the people best placed to assess potential risks, and to decide how best to mitigate these. This may be through approaches such as appropriate data security, restriction of access, or redacting data before making it available for reuse. It’s also important to establish whether there are any additional relevant legal requirements or professional guidelines, and to make a plan for complying with these.
It is very important to be aware that your research data may be subject to export control laws. These legal controls cover transfers of sensitive technology, data, equipment and software and are intended to manage the risks of their being misused to fuel conflict, threaten national security, support terrorism and crime, violate human rights or proliferate Weapons of Mass Destruction. Controls may apply to material goods (e.g. equipment, materials), and also software, data, technology (e.g. blueprints, plans, diagrams, models, specifications, formulae, manuals or instructions) and know-how (through e.g. consultancy or, in some cases, teaching). Export controls apply to the physical, electronic or oral transmission outside the UK of the following technologies and or uses:
You should consult the UWTSD Export Control Policy and contact INSPIRE, who will offer support and advice.
