
Data Protection and Ethics

This page provides general guidance, in the form of questions and answers (below), rather than legal advice.

If you are working with people for your research project then you have a duty to ensure that any data you gather and subsequently use is handled correctly. Ethical guidelines are issued by funding organisations and also produced by the University. In addition, laws such as the General Data Protection Regulation, which governs the processing of personal data, must be adhered to. The University provides guidance on GDPR and details the University's measures to ensure the regulations are met.

The UK Data Service provides comprehensive guidelines on working with personal and sensitive data and has an FAQ section on GDPR.

Guidance from the University of Cambridge

The University of Cambridge Ethics Website provides comprehensive guidance on applying for ethics approval, as well as guidance on consent forms and participant information sheets.


Frequently asked questions about Data Protection and Ethics


Q. What are personal and sensitive data?

Personal data are data relating to a living individual, which allow the individual to be identified from the information itself or from the information plus any other information held by the 'data controller' (or from information available in the public domain). The University of Cambridge as a whole is the data controller.

GDPR also defines some types of data as special category data, which are considered more sensitive than others. These include:

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • genomic/biometric data
  • Trade Union membership
  • health data
  • sexual life or sexual orientation
  • criminal offences (although not technically defined as special category, this data is afforded similar protections)

More information on special category data can be found on the University's Information Compliance website.

For training courses on data protection, please see the University’s Information Compliance webpages.

Q. What does the law require me to do with data protection?

The General Data Protection Regulation gives individuals certain rights, and imposes obligations on those who record and use personal information to be open about how information is used. Researchers working with personal data must:

  • Know and communicate your legal basis for collecting and using the data
  • Be transparent with data subjects
  • Process accurately and only what is needed
  • Keep personal data secure
  • Process fairly, considering any ethical risks to the data subject
  • Comply with institutional accountability processes, e.g. ethical review

For training courses on data protection, please see the University’s Information Compliance webpages.

Q. Does my project need a review by a university ethics board?

The University of Cambridge has an Ethics in Research web page, which explains when to seek an ethics review and what body to consult. The Ethics web page includes a handy Ethics Review Flow Chart and the University Guidelines on Ethics in Research.

Q. How should I store my sensitive or confidential data?

You should limit physical access to sensitive data or encrypt it (speak with your local IT/Computing Officer or the University Information Services Help Desk for help in doing this). 

The Clinical School provides a Secure Data Hosting Service for its researchers. Researchers in other Schools will need to store the data on password-protected hard drives which are kept in secure locations.

To avoid accidentally compromising the data at some future date, you should always store information about the data's sensitivity and any available information on participants' consent or use agreements from your data provider with the data itself (i.e. put information about lawful and ethical data use in your data documentation or metadata description).

Q. How do I share or publish my findings for research using sensitive or confidential data?

There can be a potential conflict between abiding by data protection legislation and ethical guidelines, whilst at the same time fulfilling funders' and individuals' requirements to make research results available. Ethics committees may believe that any personal or sensitive data should remain confidential. It is important therefore to distinguish between personal and more general data gathered during research.

Personal data can be disclosed or shared if the individual has given explicit consent and specified the level at which this should be done. You should always consult with your Ethics Committee if you are unsure whether the data you wish to share or publish can be used. The University of Cambridge has an Ethics in Research website, which explains when to seek an ethics review and what body to consult. This page includes the Ethics Review Flow Chart, the University Guidelines on Ethics in Research, information on applying for ethical approval and information on consent forms.

In most cases, you may be able to anonymise your data in order to share and publish it in more detail. The UK Data Service provides Guidance on Anonymisation.

Q. What online courses are available on data protection?

For training courses on data protection, please see the University’s Information Compliance webpages.