This section of you DMP outlines any legal and ethical requirements that you as a researcher need to comply with throughout and after your research project.
Sensitive data is data that must be protected against unwanted disclosure. Access to sensitive data should be safeguarded. Protection of sensitive data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
Sensitive data is a catch-all term to refer to:
Other kinds of research data may also be considered sensitive, and researchers should therefore use their own judgement to determine whether research data should be considered as sensitive.
Note any act, procedures, or polices at a local or national level that your Data Management will need to comply with and what measures you will take to ensure compliance.
Outline if you are collecting personal data or data that requires special protection and how sensitive the data is.
If you have sensitive data reference relevant national polices/acts such as the Data Protection Act 2018 and GDPR and how you will comply with these policies.
Do you require informed consent for your project? If so, how will permission be obtained?
How are you going to protect the privacy of your participants? Do you need to anonymise data, for example, to remove identifying information or personal data, during research or in preparation for sharing?
Outline what institutional data protection policies are in place. i.e. TUS Data Protection Policy and TUS Research Integrity Policy and how you will comply with these policies.
Note if you need to apply for Research Ethics approval and add your ethics approval once you get it.
Some National and EU level acts, policies and procedures to consider include:
Some institution level policies and procedures to consider include:
When collecting, using and sharing research data, ethical considerations and legal obligations guide the way. These ethical considerations and legal obligations require researchers to implement data protection and outline they will safeguard sensitive data.
Depending on the type of data you collect you will have to deal with different laws. Whereas Intellectual Property legislation applies to all data, the collection of personal data has its own laws to adhere to. Importantly, since 25 May 2018, the General Data Protection Regulation (GDPR; European Union, 2016a) applies to any EU researcher or researcher in the European Economic Area (EEA) who collects personal data about a citizen of any country, anywhere in the world, as well as any researcher worldwide who collects personal data on EU citizens.
The GDPR applies only to the data of living persons. Data which do not count as personal data do not fall under data protection legislation, though there may still be ethical reasons for protecting this information.
The GPDR (General Data Protection Regulation, Chapter 2, Article 5) prescribes that you should adhere to the following six principles when processing personal data:
The GDPR contains an exemption which entails that some of the principles above are slightly different when you collect and process personal data for research purposes. This is called the 'research exemption'.
In practice, this means that Principle II. and V. are less strict. Further processing of personal data for the purposes of archiving, scientific or historical research purposes and statistical purposes is not considered to be incompatible with the initial purposes of data collection, even when this purpose was not expressly mentioned earlier.
Also, personal data may be stored for longer periods for such purposes. In all cases, appropriate technical and organisational measures should be taken to safeguard the rights and freedoms of the participants in your research, such as data minimisation and pseudonymisation.
(CESSDA Data Management Expert Guide)
Sensitive data can still meet the requirements of the FAIR Data Principles (findability, accessibility, interoperability, and reusability) and be processed in a way that the needed protection is guaranteed also in the future.
When working with data about people, data protection laws require you to apply appropriate technological and organisational measures to ensure personal data is handled appropriately and securely. There are a number of strategies that you can adopt to safeguard the privacy of your research subjects, and these include:
Informed, voluntary and fair consent to participate in a study is the cornerstone of ethical research involving people. It is intended to ensure that the rights of individual participants are respected. Informed consent is the process by which a researcher discloses appropriate information about the research so that a participant may make a voluntary, informed choice to accept or refuse to cooperate.
Normally informed consent is given before the start of the research. Gaining informed consent is crucial to meeting your legal and ethical obligations towards participants whilst simultaneously enhancing the value of your research data. It is through this ethics consent process that research participants can understand what taking part in a specific study will mean for them. Each person can then choose whether to participate using the consent form.
Consent needs to be freely given, informed, unambiguous, specific and by a clear affirmative action that signifies agreement to the processing of personal data.
In order that research participants' consent is informed, voluntary, and fair, your consent documentation should include:
(University of Edinburgh MANTRA Training) (CESSDA Data Management Expert Guide)
Anonymization:
Anonymization is a process by which identifying information in a dataset is removed or masked, and is used primarily to enable data to be shared or published without revealing the confidential information it contains, while limiting the loss of information. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. OpenAIRE provides researchers with a tool to anonymise data: Amnesia. The guide for which you can find here.
Where possible, direct identifiers (e.g. names, addresses, telephone numbers, account numbers, etc.) should be removed as soon as the identifying information is no longer needed, by deleting them or replacing them with pseudonyms. For qualitative data, replace or generalise identifying characteristics when transcribing interviews.
Pseudonymization:
De-identified data that can be re-identified using a linkage file (i.e. information linking data subjects to identifiable individuals) is known as pseudonymised data. NOTE: In this instance, the linkage file should be encrypted and stored securely and separately from the de-identified research data.
Pseudonymization substitutes the identity of the data subject in such a way that additional information is required to re-identify the data subject. The pseudonym allows tracking back of data to its origins, which distinguishes pseudonymization from anonymization, where all person-related data that could allow backtracking has been purged. Pseudonymised data are still legally considered as sensitive data because the data can be linked back to a person, but it's considered as a secure approach since personal identifiers are stored somewhere else.
Identification of individuals in pseudonymised or de-identified data may still be possible using combinations of indirect identifiers (e.g. age, education, employment, geographic area, medical conditions, etc). Further, data and outputs (e.g. tables of results) containing small cell counts may be potentially disclosive, particularly where samples are drawn from small populations or include cases with extreme values or relatively rare characteristics.
Encryption:
Encryption is a very generic term and there are many ways to encrypt data. The key to a good encryption strategy is using strong encryption and proper key management. Encrypt sensitive data before it is shared. Encryption will make your data totally unintelligible to those who may try to access it which might reduce re-usability. Encryption provides protection by ensuring that only someone with the relevant encryption key (password) will be able to access the contents.
Encrypting sensitive data will ensure that it cannot be accessed by non-authorised people. Encryption allows you to secure sensitive data by:
Note, encrypting a single file is not recommended. Rather, it is advised to create an encrypted container and store sensitive files securely inside it.
Ethical review is about helping you as a researcher to think through the ethical issues surrounding your research. The principles of good research practice encourage you to consider the wider consequences of your research and engage with the interests of your participants.
Ethics are an integral part of a research project, from the conceptual stage of the research proposal to the end of a research project. Within the EU the RESPECT project has drawn up professional and ethical guidelines (Institute for Employment Studies, 2004) for conducting socio-economic research. The RESPECT Code of Practice is based on three main guidelines:
In addition to any legal obligations, research involving human participants, human material, personal data or live animals will normally be subject to ethical review to ensure the proposed study is conducted ethically.
Ethical principles are in line with or extend beyond legal principles, and cover:
Be aware of the applicable ethical review procedures within your own institution and research area. TUS has a Research Ethics page where you can find videos, ethics schedule days and the TUS preliminary ethics approval form and full application form.
For ethics queries contact:
(University of Edinburgh MANTRA Training) (CESSDA Data Management Expert Guide)
Data Protection Commision of Ireland - Guidance
Sensitive Research Data Bootcamp - University of Bristol
Example Consent Form - UK Data Service
The RESPECT Code of Practice - Institute of Employment Studies
The Library, Technological University of the Shannon: Midwest