Skip to Main Content

Research Data Management

Legal and Ethical Requirements

According to Science Europe, when developing a data management plan, the fourth topic researchers are required to address is "Legal and Ethical Requirements", which broadly encompasses three main questions:


If personal data are processed, how will compliance with legislation on personal data and on security be ensured?

  • Ensure that when dealing with personal data data protection laws (for example GDPR) are complied with:
    • Gain informed consent for preservation and/or sharing of personal data.
    • Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).
    • Consider pseudonymisation of personal data (the main difference with anonymisation is that pseudonymisation is reversible).
    • Consider encryption which is seen as a special case of pseudonymisation (the encryption key must be stored separately from the data, for instance by a trusted third party).
    • Explain whether there is a managed access procedure in place for authorised users of personal data.

How will other legal issues, such as intellectual property rights and ownership, be managed? What legislation is applicable?

  • Explain who will be the owner of the data, meaning who will have the rights to control access:
    • Explain what access conditions will apply to the data? Will the data be openly accessible, or will there be access restrictions? In the latter case, which? Consider the use of data access and re-use licenses.
    • Make sure to cover these matters of rights to control access to data for multi-partner projects and multiple data owners, in the consortium agreement.
  • Indicate whether intellectual property rights (for example Database rights under the Database Directive) are affected. If so, explain which and how will they be dealt with.
  • Indicate whether there are any restrictions on the re-use of third-party data (Note: Third party research data is any data that has been created by other researchers or by external agents, for example: census data created by the Irish Central Statistics Office).

What ethical issues and codes of conduct are there, and how will they be taken into account?

  • Consider whether ethical issues can affect how data are stored and transferred, who can see or use them, and how long they are kept. Demonstrate awareness of these aspects and respective planning.
  • Follow the national and international codes of conducts and institutional ethical guidelines, and check if ethical review (for example by an ethics committee) is required for data collection in the research project.

RCSI Research Ethics Committee


If you are conducting research involving human participants, you must have approval from the RCSI Research Ethics Committee (REC) before you can proceed. The REC considers ethical issues related to research and research-related activities brought to its attention by the academic schools, researchers, staff and the wider RCSI community. The aim of the RCSI REC is to ensure the highest standards of conduct in our research and to support staff in pursuing this goal. The REC also acts in an educational and advisory role regarding ethical aspects of research in order to promote best practice in research conducted throughout the RCSI. If you would like to contact the REC with a query about research ethics at RCSI or to discuss your application, please email recadmin@rcsi.ie.

 

 

Informed Consent


Researchers proposing to process personal data for health research purposes are also required to obtain the explicit consent of any individual whose data they are proposing to process. In order for such consent to be valid it must be both (a) informed and (b) appropriately recorded (generally in the form of an Informed Consent Form).

The researcher must explain the purpose of the research to potential participants, including what their role would be, the level of confidentiality the research data will be subject to and the measures that will be taken to ensure that confidentiality is maintained. Researchers should provide a clear description of the steps that will be taken to process the data, protect the privacy of the participant and indicate under what circumstances records will be made available and to whom, including any potential future use of data and data sharing. The processing of all personal data must be compatible with the purpose consented to by the data subject. All of these aspects should be clearly outlined in the consenting procedure and explicitly documented in an Informed Consent Form. 


Personal data cannot be shared with a third party, unless specific and explicit consent is secured, even if the data are anonymised prior to sharing them with a third party. In order to ensure that research data can be made available for future reuse, informed consent for future reuse of the data by other researchers should be sought from participants. Participants should also be informed how research data will be stored, preserved and used in the long-term, and if appropriate, how their confidentiality will be maintained.


 

Sharing Sensitive Data


If you are handling and dealing with sensitive data, keep in mind that special attention should be given to collecting, processing, handling and storing data throughout the research process. Sharing of personal data with another organisation for health research purposes must have the explicit consent of the data subject via participant information leaflet or Informed Consent Form. If you wish to make these data available at the end of the project then you will need to consider this when you are designing your study. In particular, when you are collecting data you will need to ensure you are asking for informed consent to share the data at the end of the project. This might limit your data sharing opportunities, however you can publish a description of your data (metadata) without making the data itself openly accessible, and you can place conditions around access to published data if necessary. Sensitive data that has been properly anonymised can be shared without breaching data protection regulations. 


Anonymisation

Anonymisation irreversibly destroys any way of identifying the data subject. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. OpenAIRE provides researchers with a tool to anonymise data: Amnesia. The guide for which you can find here.

Pseudonymisation

Pseudonymisation replaces any identifying characteristics of data with a pseudonym, a value which does not allow the data subject to be directly identified. The personal data can only be attributed to a specific data subject with the use of additional information, such as decryption key. This key should be kept separately, and be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual. Pseudonymisation only provides limited protection for the identity of data subjects and in many cases as it still allows identification using indirect means. 


Please see the Data Protection Commission's Guidance on Anonymisation and Pseudonymisation for more information. The Irish Health Research Data Protection Network (HRDPN) have developed a Practical Guide on Data Protection for Health Researchers to help researchers understand with plain non-legal language their and their organisation’s role with regard to Data Protection as well as related responsibilities and requirements. Both the Australian National Data Service (ANDS) guidelines on Publishing and Sharing Sensitive Data and the OpenAire guide on How to Deal with Sensitive Data provide further information on dealing with and sharing sensitive data. 

Practical Guide on Data Protection for Health Researchers


The Irish Health Research Data Protection Network (HRDPN) have developed a Practical Guide on Data Protection for Health Researchers to help them understand with plain non-legal language their and their organisation’s role with regard to Data Protection as well as related responsibilities and requirements. This guide clarifies GDPR definitions of Personal Data (Data), Data Processing, Data Controller (Controller), Joint Data Controllers (Joint Controller), Separate Data Controllers (Separate Controller), and Data Processor (Processor); and explains the roles and responsibilities of Controllers and Processors, clarifying the types of contracts that should be put in place between them.

 

General Data Protection Regulation (GDPR) 


The General Data Protection Regulation (GDPR) came into force in May 2018 and applies to any research that uses personal data. It aims to empower EU citizens by providing a modern, single set of data protection and privacy rules across Europe. Individuals whose personal data are used have a fundamental right to privacy. GDPR covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘data controller’ and/or 'data processor'). Organisations (including universities) that process personal data in the context of their activities, are classed as data controllers. Data processors are those organisations or bodies, that process personal data ‘on behalf of’ data controllers e.g. a collaborating organisation. A Principal Investigator and their research team come under the umbrella of their organisation in its data controller capacity and have day to day responsibilities to comply with Data Protection law. Under GDPR, both controllers and processors are subject to increased obligations, especially in terms of accountability for their processing.

According to the GDPR, if you process data, you have to do so according to seven protection and accountability principles:


  • Lawfulness, fairness and transparency - Processing must be lawful, fair, and transparent to the data subject.
  • Purpose limitation - You must process data for the purposes specified explicitly to the data subject when you collected it.
  • Data minimization - You should collect and process only as much data as absolutely necessary for the purposes specified.
  • Accuracy - You must keep personal data accurate and up to date.
  • Storage limitation - You may only store personally identifying data for as long as necessary for the specified purpose.
  • Integrity and confidentiality - Processing must be done as to ensure appropriate security, integrity, and confidentiality
  • Accountability -The data controller is responsible for being able to demonstrate GDPR compliance with these principles.

 

Health Research Regulations (HRR)


The Health Research Regulations were made by the Minister for Health under section 36 of the Data Protection Act 2018 and came into effect on 8 August 2018. They govern the use of personal data for health research purposes in Ireland, and outline mandatory suitable and specific measures that ensure that health research in Ireland is conducted using best practice principles of information governance in line with new GDPR requirements.

The Health Research Regulations were amended in January 2021 to further enhance the health research framework in Ireland. The amendments relate to pre-screening of participants for the inclusion in research, retrospective chart review, deferred consent, consent obtained during the previous EU Data Protection Directive, clarifying ‘explicit’ consent, and other technical amendments. The Health Research Consent Declaration Committee (HRCDC) have prepared a guide to these amendments, which are available here

The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint-data controllers. Please see the RCSI Data Protection page (login required) for further information. The Health Research Board's Health Research Regulations 2018 Summary and FAQ also provide more information.

 

Resources


If you have any queries or concerns regarding Data Protection in your research, please contact the RCSI Data Protection Officer. Further information can be found on the RCSI Data Protection page (login required).

Although the sharing of research data is seen as an integral part of good research data management, there are several instances where research data should not be shared. In particular, researchers should also be congnisant of their obligations to commercialise their research and of their obligations to industry collaborators, which can limit or prevent the sharing of research data. For example, data which are generated under an industry funded or co-funded project may not be suitable for sharing. Similarly, sharing of data may be limited where it could impact future plans to protect intellectual property. Any delays in, or limitations to, the sharing of research data as a result of commercialisation and intellectual property should be explicitly outlined as part of a Data Management Plan.

 

What is Intellectual Property?


In the broadest sense, intellectual property (IP) refers to different types of intangible expressions (such literary work, discoveries and inventions, words and designs) that has commercial value and for which specific monopoly rights are recognised under specific laws. It allows the outputs of research work to be owned in the same manner as physical property and protects it from infringement or copying. IP can be bought and sold, and can also be rented out through licensing, resulting in potentially significant commercial and financial benefits for the IP owner, their research group and the organisation employing them. In the context of academic research, the most common types of intellectual property rights (IPR) are:

Patents

A patent is a legal right granted by individual states to an inventor, who in return, must disclose to the world how his invention works (hence it is not in conflict with the publication needs of academic institutions) A patent prevents 3rd parties from commercially using the invention as claimed in the patent, unless the patent owner explicitly allows it. The rights attached to a patent are not automatically enforced, but rather, the owner of the patent has the responsibility, if it wishes, to enforce the rights attached to it by suing those parties it believes infringe on the patent. Patents are useful to protect not only one’s past investment in the research that led to the invention but also future investments while developing and validating the invention it towards commercialisation. Alternatively, patents can be licensed to 3rd parties to allow them to develop the technology around the invention to the commercial stage.

Copyright

Copyright is the legal term which describes the rights given to authors/creators of certain categories of work. The owner of copyright is the author, meaning the person who creates the work. However, as copyright is a form of property, the right may be transferred to someone else, for example, to a publisher. Copyright is a property right and the owner of the work can control the use of the work, subject to certain exceptions. The owner has the exclusive right to prohibit or authorise others to copy, adapt or perform the work. Copyright protection is not applicable for ideas themselves, the idea must be expressed in some form (on paper, film, the internet etc.) to be covered under copyright protection.  

Trade secrets

A trade secret is a specific set of information (data, design, process, formula) which is not generally known and by which its owner or licensee can derive economic advantage over its competitors. It is important to make reasonable efforts to maintain its secrecy, as a trade secret derives most of its value from this. As clearly evident, this conflicts with the move towards Open Science and the FAIR data principles. However in some instances, trade secrets can be a valuable intellectual property protection tool to enable commercialisation.

 

For more information please see the RCSI Office of Research and Innovation's guide to Research Commercialisation and Intellectual Property and Knowledge Transfer Ireland's Guide to Intellectual Property.

 

Intellectual Property Support at RCSI


RCSI has an experienced pro-business team to support licensing of RCSI intellectual property to both established businesses and start-up companies. Intellectual property (IP) developed at RCSI is managed in line with the National IP Protocol 2019  and the  RCSI IP Policy 2019  in conjunction with the  Conflict of Interest Policy. Please contact the Office of Research and Innovation if you require advice or assistance on any aspect of IP.