Research Data – Legal and ethical aspects

There are a number of important legal, ethical and commercial issues to consider when you are planning your research

It is advisable to think carefully about these issues when planning your research data because they will have consequences for how you manage your data throughout the project.

Ethics and approval and consent
If you are working with human participants, the consent that you seek will determine

  • how you need to manage your data
  • if and how it should be kept for the long-term
  • whether it can be shared and how

Personal, confidential and sensitive data may not be shared unless informed consent has been obtained from the participants; sharing those data usually has to happen in anonymised form. It is therefore important to consider ethics in your data management plan.

It is essential that you seek consent from human participants that allows the data to be shared and re-used at the end of the project via participant consent forms. There is usually no ethical or legal reason to destroy research data at the end of a project — except in the case of personal and sensitive personal data as outlined below under keeping personal data — and there is therefore usually no need to promise destruction of data unless your research funder or sponsor requires you to do so.

It may also be that your participants are less reluctant over data sharing than you might think. Explain to your participants the benefits of sharing their data with the research community, highlighting possible restrictions to re-use via licences (which may include not breaching confidentiality, no further sharing of data with other people, and no re-use for commercial purposes). Make it clear that it is entirely their decision, whereby they can decide whether their data can be shared, independent of them participating in the research.

Ethical consent should follow University policies and procedures

Under the new GDPR legislation, when gaining individual consent from participants for gathering your data you will now need to include a Privacy Notice with your ethical consent material. See GDPR Guidelines for Researchers for further information.

The UK Data Service has guidance on consent, confidentiality and ethics.

Data protection
The General Data Protection Regulation (GDPR) provides a framework to ensure that personal and sensitive personal data is handled responsibly and with regard to the rights of individuals. It also gives individuals the right to know what information is held about them and how it is used.

All researchers must adhere to the requirements of the GDPR when they collect, manage, keep and share their research data. The GDPR applies to all personal and sensitive personal data. Personal data is data that relates to living individuals who can be identified from that data. Sensitive personal data includes information about racial or ethnic origin, physical or mental health or condition, political opinions, religious belief, sexual life and information about offences, alleged offences and any related court proceedings. The General Data Protection Regulation does not apply to general, non-personal research data, and it also does not apply once personal data has been anonymised or to data about the deceased. However the GDPR still applies to pseudonymised data. Further guidance on anonymisation and psuedonymisation is available from the ICO Anonymisation code of practice

Keeping personal data
The GDPR states that personal and sensitive personal data ‘processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. However, there is an exemption if the data is used for research as long as it satisfies two conditions

  • the data must not be used to ‘support measures or decisions with respect to particular individuals’
  • the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be caused to any data subject’

The exemption therefore allows personal and sensitive personal data to be kept indefinitely for research purposes.

However, the 7th data protection principle (which relates to security) and the 1st data protection principle (which requires that data is only processed where it is necessary for a legitimate purpose) still apply. Researchers should, therefore, retain primary data which consists of or includes personal and sensitive personal data in line with the retention periods specified in the University’s records retention schedule and review the data at the end of the retention period; researchers may consider extensions on a case by case basis depending on the ongoing value to the University and the wider research community. Where the research is governed by a legal contract, the retention period specified in the contract overrides the records retention schedule.


Where possible, personal and sensitive personal data should be modified as early as possible in the processing of data so as to safeguard data against accidental or mischievous disclosure. For some research projects there is no need to associate data with the data subjects and the data can be collected anonymously. In other cases, it may be possible to anonymise the data at a later stage of the project. For more information on anonymisation see

  • the Anonymisation Code of Practice published in 2012 by the Information Commissioner’s Office
  • L. Corti, V. Van den Eynden, L. Bisshop, M. Woollard (2014). Managing and Sharing Research Data: A Guide to Good Practice. London: Sage, pp. 118-124. Available from both Adsetts and Collegiate Libraries via Library Search

The University has a privacy policy and provides useful guidance on data protection.

The right of subject access

The GDPR gives data subjects a right to obtain copies of all their personal and sensitive personal data that a data controller holds (the right of subject access). The GDPR recognises, however, that this may be difficult for researchers, so there is an exemption from the right of subject access where

  • the data must not be used to ‘support measures or decisions with respect to particular individuals’
  • the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be caused to any data subject’

and where

  • ‘the results of the research or any resulting statistics are not made available in a form which identifies the data subjects or any of them’

Provided these conditions are met, researchers are not required to provide personal data from research files in response to a subject access request.

Intellectual property
The copyright of your data, or parts of your data, may be owned by various parties: Sheffield Hallam University, academic collaborators, commercial partners, your interviewees and (if you are using existing datasets) data providers. Establishing ownership early on in your project will be useful later on if questions arise about what can be done with a particular piece of data and by whom. This is particularly important when you want to archive and share your data.

Generally, all outcomes of research work carried out by University employees are owned by the University and not by the individual or individuals who created these outcomes. If you are re-using existing data sources, it is important to check under which conditions you can use these data. If you are planning on sharing (large extracts from) interviews, it is advisable to ask your interviewees for transfer of their copyright (a signed form) or a license to use the data obtained through the interviews, as the possibility exists that the interviewee may at some point wish to assert the right over their words.

The UK Data Service provides a useful copyright overview.


For single-institution projects ownership initially lies with the University but may utlimately lie with your funder or sponsor. In multi-partner projects, you should outline which partner owns what intellectual property and what rights the other partners have to use it, which may depend on your funder’s or sponsor’s terms. This should have been set out in your collaboration agreement. If you are using secondary data (ie data produced by somebody else) then please give an idea of the licensing restrictions that apply. Please refer to the University’s Intellectual Property Policy (staff).


For research students, the copyright in the thesis submitted for examination remains with the candidate, but all other Intellectual Property rights lie with the University and/or the funder of the research project — including those over the research data produced for the thesis. See the Regulations for the Awards of the University’s degrees of Master of Philosophy and Doctor of Philosophy (pdf), the Student Intellectual Property Policy, and the Student Terms and conditions

Commercially sensitive information
It may be that your data is commercially sensitive, for example when you are seeking patent or a third party has a legitimate interest. In this case, data sharing may be restricted — you may foe example consider making your data available to others subject to a suitable legally enforceable non-disclosure agreement.

Nonetheless, it is always advisable to make sure your published findings can be validated by others, especially when you are working with public funding. The EPSRC, for example, states that

Research organisations and researchers have a reponsibtiliy to ensure that publicly funded research involving third parties is planned and executed in such a way that published findings can be scrutinised and if necessary validated by others. […] Third parties who collaborate in publicly funded research should be made aware of the importance of ensuring that published findings can be validated by others.