Research Data Management

How to describe your plan for managing legal and ethical requirements

In your DMP, you should address any legal and ethical requirements that may affect how the data are captured, stored, and shared with others. This section of the DMP broadly encompasses three main questions:

  1. If personal data are processed, how will you ensure compliance with data protection legislation?

  2. How will you manage intellectual property rights and ownership of the data?

  3. What ethical issues and codes of conduct apply to your study, and how will they be taken into account in terms of data collection, storage and data sharing?

1. How will you ensure compliance with data protection legislation?

Most health research involves human participants, and the researcher must ensure that the: 

  • Participant’s identity is protected, e.g. via anonymisation (removal of identifying information)
  • Participant is asked for their consent for their data to be preserved and/or shared with third parties, e.g. for future research
  • Data are only accessible to appropriate users, e.g. named members of the research team
  • Personal data are stored within the GDPR legal jurisdiction, i.e. if using cloud storage, the servers must be located within the EU-GDPR region.

DMPs involving personal data should make reference to the General Data Protection Regulation (GDPR) in Ireland and the Data Protection Act 2018 (Section 36(2)) (Health Research) (Amendment) Regulations 2021.


The General Data Protection Regulation (GDPR) came into force in May 2018 and applies to any research that uses personal data. It aims to empower EU citizens by providing a modern, single set of data protection and privacy rules across Europe. Individuals whose personal data are used have a fundamental right to privacy. GDPR covers most situations in which information about somebody (the ‘personal data’ of a ‘data subject’) is used in some way (‘processed’) by some other person or organisation (the ‘data controller’ and/or ‘data processor’). Organisations (including universities) that process personal data in the context of their activities are classed as data controllers. Data processors are those organisations or bodies that process personal data ‘on behalf of’ data controllers, e.g. a collaborating organisation. A Principal Investigator and their research team come under the umbrella of their organisation in its data controller capacity and have day-to-day responsibilities to comply with Data Protection law. Under GDPR, both controllers and processors are subject to increased obligations, especially in terms of accountability for their processing.


According to the GDPR, if you process data, you have to do so according to seven protection and accountability principles:

  • Lawfulness, fairness and transparency - Processing must be lawful, fair, and transparent to the data subject.

  • Purpose limitation - You must process data for the purposes specified explicitly to the data subject when you collected it.

  • Data minimization - You should collect and process only as much data as absolutely necessary for the purposes specified.

  • Accuracy - You must keep personal data accurate and up to date.

  • Storage limitation - You may only store personally identifying data for as long as necessary for the specified purpose.

  • Integrity and confidentiality - Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality.

  • Accountability - The data controller is responsible for being able to demonstrate GDPR compliance with these principles.


Ensure that, when dealing with personal data, data protection laws (for example GDPR) are complied with:

  • Gain informed consent for preservation and/or sharing of personal data.
  • Consider anonymisation of personal data for preservation and/or sharing (truly anonymous data are no longer considered personal data).
  • Consider pseudonymisation of personal data (the main difference with anonymisation is that pseudonymisation is reversible).

Consider encryption, which is seen as a special case of pseudonymisation (the encryption key must be stored separately from the data, for instance by a trusted third party).

Explain whether there is a managed access procedure in place for authorised users of personal data.

The Health Research Regulations were made by the Minister for Health under section 36 of the Data Protection Act 2018 and came into effect on 8 August 2018. They govern the use of personal data for health research purposes in Ireland, and outline mandatory suitable and specific measures that ensure that health research in Ireland is conducted using best practice principles of information governance in line with new GDPR requirements.

The Health Research Regulations were amended in January 2021 to further enhance the health research framework in Ireland. The amendments relate to pre-screening of participants for inclusion in research, retrospective chart review, deferred consent, consent obtained during the previous EU Data Protection Directive, clarifying ‘explicit’ consent, and other technical amendments. The Health Research Consent Declaration Committee (HRCDC) has prepared a guide to these amendments, which is available here.

The responsibility for compliance with the GDPR, the Data Protection Acts and the Health Research Regulations 2018 lies solely with the data controller or joint-data controllers. Please see the RCSI Data Protection page (login required) for further information. The Health Research Board's Health Research Regulations 2018 Summary and FAQ also provide more information.

If you have any queries or concerns regarding Data Protection in your research, please contact the RCSI Data Protection Officer at dataprotection@rcsi.ie. Further information can be found on the RCSI Data Protection page. The current versions of the Data Impact Assessment forms from RCSI's Data Protection Officer can be downloaded below.

The Health Research Data Protection Network (HRDPN) has developed a Practical Guide on Data Protection for Health Researchers in plain, non-legal language. The aim of this guide is to help individuals and organisations understand their role with regard to Data Protection and their related responsibilities and requirements. The guide clarifies the GDPR definitions of Personal Data (Data), Data Processing, Data Controller (Controller), Joint Data Controllers (Joint Controller), Separate Data Controllers (Separate Controller) and Data Processor (Processor), explains the roles and responsibilities of Controllers and Processors, and clarifies the types of contracts that should be put in place between them.

3. What ethical issues and codes of conduct apply to your data?

If you are conducting research involving human participants, you must have approval from the RCSI Research Ethics Committee (REC) before you can proceed. The REC considers ethical issues related to research and research-related activities brought to its attention by the academic schools, researchers, staff and the wider RCSI community. The aim of the RCSI REC is to ensure the highest standards of conduct in our research and to support staff in pursuing this goal. The REC also acts in an educational and advisory role regarding ethical aspects of research in order to promote best practice in research conducted throughout the RCSI. If you would like to contact the REC with a query about research ethics at RCSI or to discuss your application, please email recadmin@rcsi.ie.


RCSI REC: Data Protection and Storage

The REC provides comprehensive guidelines on Data Protection and Storage. All researchers should familiarise themselves with these guidelines and contact the REC for further information.

Consider whether ethical issues can affect how data are stored and transferred, who can see or use them, and how long they are kept. Demonstrate awareness of these aspects and respective planning.

Follow the national and international codes of conduct and institutional ethical guidelines, and check whether ethical review (for example by an ethics committee) is required for data collection in the research project.

Researchers proposing to process personal data for health research purposes are also required to obtain the explicit consent of any individual whose data they are proposing to process. In order for such consent to be valid it must be both (a) informed and (b) appropriately recorded (generally in the form of an Informed Consent Form).

The researcher must explain the purpose of the research to potential participants, including what their role would be, the level of confidentiality the research data will be subject to, and the measures that will be taken to ensure that confidentiality is maintained. Researchers should provide a clear description of the steps that will be taken to process the data and protect the privacy of the participant, and indicate under what circumstances records will be made available and to whom, including any potential future use of data and data sharing. The processing of all personal data must be compatible with the purpose consented to by the data subject. All of these aspects should be clearly outlined in the consenting procedure and explicitly documented in an Informed Consent Form.


Personal data cannot be shared with a third party, unless specific and explicit consent is secured, even if the data are anonymised prior to sharing them with a third party. In order to ensure that research data can be made available for future reuse, informed consent for future reuse of the data by other researchers should be sought from participants. Participants should also be informed how research data will be stored, preserved and used in the long-term, and if appropriate, how their confidentiality will be maintained.


Please see the Department of Health's Guidance on "Information Principles for Informed Consent for the Processing of Personal Data for Health Research", and the UK Data Service's guidance on Consent for Data Sharing for more information.

If you are handling sensitive data, keep in mind that special attention should be given to collecting, processing, handling and storing the data throughout the research process. Sharing of personal data with another organisation for health research purposes must have the explicit consent of the data subject via a participant information leaflet or Informed Consent Form. If you wish to make these data available at the end of the project, you will need to consider this when you are designing your study. In particular, when you are collecting data you will need to ensure you are asking for informed consent to share the data at the end of the project. This might limit your data sharing opportunities; however, you can publish a description of your data (metadata) without making the data itself openly accessible, and you can place conditions around access to published data if necessary. Sensitive data that have been properly anonymised can be shared without breaching data protection regulations.


Anonymisation

Anonymisation irreversibly destroys any way of identifying the data subject. Personal data that have been rendered anonymous in such a way that the individual is not, or is no longer, identifiable are no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. OpenAIRE provides researchers with a tool to anonymise data, Amnesia; its guide can be found here.

Pseudonymisation

Pseudonymisation replaces any identifying characteristics of the data with a pseudonym, a value which does not allow the data subject to be directly identified. The personal data can only be attributed to a specific data subject with the use of additional information, such as a decryption key. This key should be kept separately, and be subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual. Pseudonymisation only provides limited protection for the identity of data subjects in many cases, as it still allows identification using indirect means.
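To make the distinction between the two approaches concrete, here is an added illustration (written for this page, not code from RCSI, OpenAIRE or Amnesia) on constructed sample records: keyed pseudonymisation, where the key and link table kept apart from the dataset are the "additional information" that allows re-identification, beside an irreversible anonymisation that drops direct identifiers and coarsens the date of birth.

```python
import hmac
import hashlib
import secrets

# Constructed sample participant records; not real people.
RECORDS = [
    {"mrn": "MRN-000123", "name": "A. Example", "dob": "1974-03-09", "hba1c": 6.8},
    {"mrn": "MRN-000456", "name": "B. Example", "dob": "1981-11-22", "hba1c": 7.4},
]
DIRECT_IDENTIFIERS = ("mrn", "name")


def make_key() -> bytes:
    # Pseudonymisation key. It must be stored apart from the dataset,
    # e.g. by a trusted third party, never alongside the research data.
    return secrets.token_bytes(32)


def pseudonym(key: bytes, mrn: str) -> str:
    # Keyed hash (HMAC): the same MRN always maps to the same token, but
    # without the key the token cannot be linked back to the MRN.
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (research dataset, link table). Re-identification needs the link table."""
    dataset, link = [], {}
    for r in records:
        pid = pseudonym(key, r["mrn"])
        link[pid] = r["mrn"]  # held separately from `dataset`
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        # Note: `dob` remains, so indirect identification is still possible;
        # this is the limited protection pseudonymisation offers.
        dataset.append({"pid": pid, **kept})
    return dataset, link


def reidentify(row, link):
    # Reversible step, only for whoever holds the separately stored link table.
    return link.get(row["pid"])


def anonymise(records):
    # Irreversible: drop direct identifiers and generalise dob to a ten-year band,
    # so no key or table can recover the individual.
    out = []
    for r in records:
        year = int(r["dob"][:4])
        out.append({"birth_decade": f"{year // 10 * 10}s", "hba1c": r["hba1c"]})
    return out
```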


Please see the Data Protection Commission's Guidance on Anonymisation and Pseudonymisation for more information. The Irish Health Research Data Protection Network (HRDPN) has developed a Practical Guide on Data Protection for Health Researchers, which uses plain, non-legal language to help researchers understand their own and their organisation’s role with regard to Data Protection, as well as the related responsibilities and requirements. Both the Australian Research Data Commons (ARDC) guidelines on Publishing and Sharing Sensitive Data and the OpenAIRE guide on How to Deal with Sensitive Data provide further information on dealing with and sharing sensitive data.