Data Protection and Ethics

This page provides general guidance rather than legal advice in the form of questions and answers (below). 

If you are working with people for your research project then you have a duty to ensure that any data you gather and subsequently use is handled correctly. Ethical guidelines are issued by funding organisations and also produced by the University. In addition, laws such as the Data Protection Act 1998, which governs the processing of personal data, must be adhered to.

The UK Data Service provides comprehensive guidelines on personal and sensitive data.

Guidance from the University of Cambridge

The University of Cambridge Ethics Website provides comprehensive guidance on applying for ethics approval, as well as guidance on consent forms and participant information sheets.

 


Frequently asked questions about Data Protection and Ethics

 

Q. What is personal and sensitive data?

Personal data is data relating to a living individual, which allows the individual to be identified from the information itself or from the information plus any other information held by the 'data controller' (or from information available in the public domain). The University of Cambridge as a whole is the data controller.

Sensitive data is personal data about:

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • Trade Union membership
  • physical and mental health
  • sexual life
  • criminal offences and court proceedings about these

If you would like to learn more about personal and sensitive data and do some practical exercises on identifying these data types, the University of Cambridge offers short, 30-minute online courses on personal and sensitive data. You can also register for face-to-face training on Data Protection and FOI, delivered by the University of Cambridge Information Compliance Officer.

Q. What does the law require me to do with data protection?

The Data Protection Act of 1998 gives individuals certain rights, and imposes obligations on those who record and use personal information to be open about how information is used and to follow eight data protection principles. Personal data must be:

  • processed fairly and lawfully
  • obtained for specified and lawful purposes
  • adequate, relevant and not excessive
  • accurate and, where necessary, kept up-to-date
  • not kept for longer than necessary
  • processed in accordance with the subject's rights
  • kept secure
  • not transferred abroad without adequate protection

Q. Does my project need a review by a university ethics board?

The University of Cambridge has an Ethics in Research web page, which explains when to seek an ethics review and what body to consult. 

That page includes a handy Ethics Review Flow Chart and the University Guidelines on Ethics in Research.

Q. How should I store my sensitive or confidential data?

You should limit physical access to sensitive data or encrypt it (speak with your local IT/Computing Officer or the University Information Services Help Desk for help in doing this). 

To avoid accidentally compromising the data at some future date, you should always store information about the data's sensitivity and any available information on participants' consent or use agreements from your data provider with the data itself (i.e. put information about lawful and ethical data use in your data documentation or metadata description).

Q. How do I share or publish my findings for research using sensitive or confidential data?

There can be a conflict between abiding by data protection legislation and ethical guidelines and, at the same time, fulfilling funders' and individuals' requirements to make research results available. Ethics committees may believe that any personal or sensitive data should remain confidential. It is therefore important to distinguish between personal and more general data gathered during research.

Personal data can be disclosed or shared if the individual has given explicit consent and specified the level at which this should be done. You should always consult with your Faculty Ethics Committee if you are unsure whether the data you wish to share or publish can be used. The University of Cambridge has an Ethics in Research website, which explains when to seek an ethics review and what body to consult. That page includes a handy Ethics Review Flow Chart, the University Guidelines on Ethics in Research, information on applying for ethical approval and information on consent forms.

In some cases, you may be able to anonymise your data in order to share and publish it in more detail. The UK Data Service provides brief Guidance on Anonymisation.

Q. What online courses are available on data protection?

The University of Cambridge offers self-taught web courses on Data Protection. Following these courses is a good way of gauging your basic knowledge of the Data Protection Act and your responsibilities (note: you need a Raven login to enrol). They take only 30 minutes to complete and are a good resource for gaining a general understanding of data protection issues.

There is also a group workshop on Data Protection and FOI, delivered regularly by the University Information Compliance Officer: Data Protection and FOI: An Introduction