The University Research Ethics Committee and selected School Research Ethics Committees require the submission of a data management plan (DMP) with applications for ethical approval. This is to ensure that relevant data management considerations are addressed and that where the research is expected to result in published research outputs (including PhD theses), the researcher is planning for the ethical sharing of data collected from research participants, as required by University policy.
This section provides guidance on requirements and documentation for use by applicants and School Research Ethics Committees and reviewers, including the DMP template that must be used for applications.
When planning for the management of data collected from research participants, it is essential to consider issues of research ethics and data protection from the outset, because you have an ethical and legal responsibility to manage confidential and personal data securely and not to disclose them to unauthorised persons. It is also important that you plan data sharing before you have started your research.
In most cases, data collected from human subjects can be made accessible to others, either publicly or (where necessary) on a restricted basis, using a suitable data repository; but you will need to ensure that you use appropriate consent procedures, and that you plan for safe sharing of data, e.g. by using anonymisation, and if necessary depositing data in a controlled-access repository.
We provide a DMP template that must be used as part of the ethical review process. It is not intended as a practical tool for data management throughout a research project, although you can certainly use it to help you develop the project delivery DMP. For delivering the project, a general-purpose data management plan template is better suited. See the Data management planning section for information about general-purpose planning tools, and the PGR data management section for the DMP template that postgraduate research students must use for confirmation of registration and annual review.
All applications to the University's Research Ethics Committee must be accompanied by a DMP, but a DMP will not be required for all applications to School Research Ethics Committees.
A DMP must be submitted with an application for ethical review:
when the research involves collection of research data from participants for or on behalf of the University, including by staff employed by the University, students and visiting researchers
AND
it is expected to result in the publication of peer-reviewed research outputs, which may be research publications or PhD theses
The requirement for a DMP will always apply to postgraduate research students (PGRs), as their research is expected to result in a PhD thesis that will be placed on public record when it is deposited with the University at the end of the programme. Many PGRs will also publish research outputs based on their PhD work in journals, either during or after the conclusion of the PhD programme.
The DMP requirement will only apply to research conducted by undergraduate or taught postgraduate students if it is expected to result in the publication of peer-reviewed research outputs.
Where proposed research does not fall under the requirements outlined above, Schools may exercise discretion in determining whether a DMP should be submitted. In such cases we recommend Schools consider requesting the submission of a DMP with the application for ethical review where:
Applications for ethical approval submitted to the University Research Ethics Committee must be accompanied by a DMP prepared using the REC DMP template provided here. Applicants should refer to the guidance document when completing the DMP. The submitted DMP will be reviewed in the context of the application as a whole by the Information Management and Policy Services (IMPS) office and the Research Data Manager. Comments on the DMP will be returned to the applicant with the UREC opinion, and any conditions that must be met for a favourable opinion to be granted will be specified.
The following Schools require the submission of a DMP as part of an application for ethical approval:
This requirement applies to all applications relating to research projects where publication of results is anticipated. Publication includes by means of the PhD thesis deposited with the University. Schools may exempt certain applications from this requirement, such as those relating to undergraduate projects where no publication of results is anticipated; but other criteria may determine the need for a DMP in such cases, for example if the project entails collection of special category data, such as information about a person's health or political opinions, or if data from a substantial number of people (e.g. > 100) will be collected.
The general criteria that determine whether a DMP should be required are set out in the When is a DMP required? document. Applicants should always refer to School guidance to determine whether a DMP is required, and should contact their School REC if in any doubt.
Where a DMP is required, applicants must submit the DMP using the REC DMP Template (CFP, IoE, PCLS) or the HBS REC DMP Template with Review Form (HBS).
SRECs should review the DMP with reference to the DMP Assessment Guide for School RECs. The Checklist can be used to assist in the review process and the DMP Review Form can be completed and returned to the candidate with any requirements or advice. For HBS reviewers the review form is appended to the HBS REC DMP Template with Review Form. For the benefit of reviewers a DMP Review Standard Text document provides examples of standard responses that can be used to address common issues.
IMPS and the Research Data Service can be contacted by SRECs for advice on specific questions or concerns raised by an application.
DMPs will be reviewed in the context of the application as a whole, and in particular with reference to the participant information and consent documentation. It is essential that participants are informed appropriately about how their data will be used, and that assurances provided to them are consistent with the DMP.
Participant Information Sheets (PIS) should discuss how research data collected from participants will be used, and consent forms should include statements indicating understanding that research data will be preserved and shared in support of research findings, in accordance with the University's Research Data Management Policy.
DO NOT undertake to destroy research data collected from the participants, or not to share such data outside the project, as this will prevent you from sharing data. Research data that have been anonymised are no longer confidential and can be shared; data that are higher-risk or that contain confidential information can be made available to others in a safe and ethical manner under a controlled access procedure. For example, the UK Data Service ReShare repository has a 'safeguarded' option for higher-risk anonymised data, and the University's Research Data Archive offers a restricted dataset option for very high-risk data and data containing identifiable/confidential information. Data managed on such terms would only be made available in confidence to authorised researchers under a data access agreement. Refer to guidance on controlled-access repositories for more information.
In the information given to participants, you should clearly distinguish between any personal and confidential information that will be held in confidence and ultimately destroyed when no longer required for the stated research purpose, and the (in most cases) anonymised research data that will be retained indefinitely and made accessible to others in accordance with University policy.
The consent form should allow the participant to indicate they have understood the notified intention to preserve and share data, by checking an appropriate statement.
This should be formulated as an 'I understand' statement, not as 'I give permission/I consent'. It is best to avoid making your use of the data subject to an individual's permission, as in principle this may be withdrawn. The participant should consent to participate in the research on the understanding that the data collected will be used in the manner specified by you. We advise using the following wording.
Open data
This statement is suitable where anonymised data will be made available as open data, i.e. without restriction:
Controlled-access data
This statement is appropriate if access to data will be subject to a controlled-access procedure:
The statements above are provided in the University's sample consent form, available in the Data protection and research guide. This wording can also be used as a basis for the information given about how the participant's data will be used in the PIS.
The UK Data Service provides guidance on seeking consent for data sharing, including a model consent form.
Identifiable data
Some research may involve collecting data from persons who may or would be identifiable, for example, people with a public profile or with a unique or distinctive role, or people from very small cohorts, such as headteachers of secondary schools in Reading. Those in public positions may be willing to go on public record; private individuals may consent if there is perceived to be particular value in making identifiable or potentially identifiable data available. There should always be an appropriate assessment of risks when considering such a course of action, and participants should be fully informed about the risks and their rights.
In this scenario it is appropriate to formulate the statement on the consent form as an 'I consent' statement, as consent is the lawful basis on which the participant's personal data would be disclosed to others. Where this approach is taken, an appropriate statement for the consent form might be:
Personal data is any information relating to an identified or identifiable natural person. These data enjoy statutory protection under data protection law and must be processed fairly and lawfully and with the data subject's knowledge. For certain kinds of research, for example involving the processing of sensitive data, you may need to complete a Data Protection Impact Assessment.
If you will be processing personal data in your research, you are advised to consult University guidance on Data protection and research. Here you can find a Data Protection Checklist for researchers, which you should use as part of your planning process. A sample privacy notice and consent form are also provided. You should acquaint yourself with the University's Data Protection, Classification, Encryption and Remote Working policies, which can be found on the Information Compliance Policies web page.
You must ensure that personal data are kept secure and are not disclosed to unauthorised persons, by using appropriate access-controlled University infrastructure. This especially applies in the case of special category personal data, for example about an individual's race, politics or health. Refer to the University's Classification Policy for guidance. Working procedures should be designed to minimise the risk of disclosure. Data can often be pseudonymised for purposes of processing and analysis, with personally-identifying information and linked IDs stored separately from the working dataset: this is sometimes called pseudonymisation or link-coding.
Third-party services such as survey tools that process data on your behalf are defined as data processors in data protection law. These services must be provided under a data processing agreement with the University to ensure there are appropriate protections in place for personal data. Refer to our guidance on online survey tools to find out about approved survey tools available through the University. If you want to use a data collection tool and are not sure whether it is suitable, contact us for advice.
Personal data can be retained as long as they are needed for the purpose notified to data subjects, but they should be destroyed when no longer required. Consent forms should be retained by the University as long as any personal data are retained and otherwise for at least 5 years after the completion of the project. Where personal data are retained, they should be managed under a retention schedule that specifies periodic reviews, so that they can be securely destroyed when no longer needed.
Most data collected from human subjects can be anonymised for public sharing. This applies to both quantitative and qualitative data. The UK Data Service provides guidance on anonymisation of quantitative and qualitative data; the MRC also provides information about anonymisation and pseudonymisation. Where anonymisation is not possible (for example, in the case of biometric data), or where a higher risk of identification and harm is judged to exist, controlled access archiving options may be used.
In order for data to be anonymised, any means of linking them to participant records stored internally would need to be destroyed. If you have used key codes (pseudonymous identifiers) in your dataset which are linked to separately-held internal participant records, the link table would need to be destroyed or the key codes removed from the dataset for it to be anonymised.
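The link-coding and anonymisation steps described above, as an added Python example that is not part of the University's guidance: the field names, the constructed sample records and the `small_cells` check with its threshold `k` are assumptions made for illustration. It goes slightly beyond the text by also flagging indirect identifiers shared by very few rows, which removing key codes alone does not address.

```python
import secrets
from collections import Counter

# Constructed sample records; names, fields and values are illustrative only.
RAW = [
    {"name": "Participant A", "email": "a@example.org", "role": "teacher", "score": 17},
    {"name": "Participant B", "email": "b@example.org", "role": "teacher", "score": 22},
    {"name": "Participant C", "email": "c@example.org", "role": "headteacher", "score": 19},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumption: the fields that identify a person


def link_code(records, identifiers=DIRECT_IDENTIFIERS):
    """Return (working dataset with random key codes, separately held link table)."""
    working, link_table = [], {}
    for rec in records:
        code = secrets.token_hex(4)
        while code in link_table:          # regenerate on the rare collision
            code = secrets.token_hex(4)
        # Random codes carry no information; a hash of the name could be recomputed.
        link_table[code] = {f: rec[f] for f in identifiers}
        working.append({"key_code": code,
                        **{f: v for f, v in rec.items() if f not in identifiers}})
    return working, link_table


def anonymise(working):
    """Drop key codes and shuffle rows so neither code nor position links back."""
    rows = [{f: v for f, v in row.items() if f != "key_code"} for row in working]
    secrets.SystemRandom().shuffle(rows)
    return rows


def small_cells(rows, fields, k):
    """Combinations of indirect identifiers shared by fewer than k rows."""
    counts = Counter(tuple(row[f] for f in fields) for row in rows)
    return sorted(combo for combo, n in counts.items() if n < k)


if __name__ == "__main__":
    working, link_table = link_code(RAW)
    print(working)                       # pseudonymised: re-identifiable via link_table
    shared = anonymise(working)
    link_table.clear()                   # destroy the link once it is no longer needed
    print(shared, small_cells(shared, ("role",), k=2))
```

While `link_table` exists the working dataset is only pseudonymised and remains personal data; a non-empty result from `small_cells` indicates rows that may still be identifiable after key codes are removed.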
If you have a question or require assistance please contact us.
General process, data management and sharing:
Data protection: