The University's Data Protection Policy can be found on the GDPR and Data Protection hub. The policy ensures compliance with GDPR and the Data Protection Act 2018 (which focus purely on the use of personal data), while guidance documents provide up-to-date best practice. The policy covers all uses of personal (including special category) data, including in research. All researchers who work with personal data should familiarise themselves with this policy and their responsibilities around personal data.
Sections of interest include (but are not limited to):
4.5 Processes
4.6 Using Personal Data
4.8 Sharing and Disclosing Personal Data
4.9 Retention and Disposal
The GDPR and Data Protection hub also hosts key information on:
Research and data protection legislation, with guidance for researchers on incorporating data protection and privacy into the research planning process;
Reporting a data breach, which is essential to do in a timely manner when this occurs (i.e. where data has become accessible to people that should not have access);
Data Protection Impact Assessments (DPIA) and when they are required for research projects; this includes a screening questionnaire to ascertain whether a full DPIA is required.
The University's Records Retention Schedule covers all data that the University holds, and guidance on how long it should be kept. The second tab focuses on research and includes:
Policy and Planning (Research Strategy and Policy Development, Research Programme Development, Research Business Development, Research Design & Planning, Research Funding Administration)
Conduct and Monitoring (Research Data, Research Quality & Standards Management, Research Project Management, Research Conduct, Research Integrity & Research Governance)
Reporting and Review (Research Reporting, Research Programme Review, Research Programme Assessment, Research Supervisor Appointment & Training, Research Student Monitoring & Support, Research Excellence Framework [REF]).
This guidance, along with any project-specific contracts or agreements, should be followed and planned for at the early stages of a project.
The University's Digital Preservation Policy formalises the University's commitment to safeguarding University assets like research data and outputs for as long as required. University-created digital research content, such as content deposited within ORDA, will be managed in a way that ensures preservation of the following attributes of our digital
Accessibility - the ability to access the data over the period of time required
Integrity - the data is complete and unaltered
Authenticity - what the data purports to be
Reliability - trusted contents which accurately reflects the output of a transaction
Usability - can be located, retrieved, presented and interpreted
The Digital Preservation Policy highlights the role staff play in managing their digital assets. The Digital Preservation Service works closely with Research Data Management to support good practice throughout the data lifecycle.
The University's Good Research and Innovation Practices (GRIP) Policy is the overarching policy on how research and innovation should be carried out with integrity. It includes sections focused on, or relevant to, research data:
Open research (open science): making the processes and outputs of research transparent and freely accessibly, whenever possible;
Managing research data and code, and the FAIR Principles: including for code, numerical data, transcripts, digital images, fieldnotes, maps, sound recordings, workshop reports, and lab notebooks;
Reproducibility: including Method, Analysis and Computational reproducibility;
Authorship and acknowledgement: ensuring all contributions and contributors to research are CRediT-ed;
Appropriate use of Generative AI: including guidance on aligning the use of Generative AI with research and academic integrity;
Ethical practice in research: ethical requirements for research involving human participants, personal data and human tissue, including links to Specialist Guidance for certain areas of research, and processes for using UK health and social care data.
The University's Statement on Open Research clarifies its position for both the University and researchers around open research, including open data. It states that:
'Data underlying publications [should] be made openly available and FAIR where legally, ethically, and technically possible, as well as referenced via a data access statement in the publication. '
and that the University will:
'Provide infrastructure to support sharing of the research process and outputs, e.g. ORDA [the University's institutional data repository], WRRO, in line with the FAIR Guiding Principles for scientific data management and stewardship.'
The FAIR Principles recommend that research data should be as 'open as possible, but as closed as necessary'.
The University has also detailed information and guidance around all aspects of Information Management, including a comprehensive list of policies and guidance, which apply to all data the University collects and processes, not just research data.
GDPR UK is the main legislation that governs personal data, including special category data, in the UK. When handling such data, you should be aware of the main clauses of GPDR and what this means for the data. These mainly fall into the areas of:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
You should document the way you have fulfilled these criteria for the research data concerned. The Information Commissioners Office (ICO) have produced a detailed guide around research provisions that may be taken, as well as other guides that could be useful.
N.B. Due to the Data (Use and Access) Act coming into law on 19 June 2025, the ICO guidance is under review and may be subject to change.
The Data Protection Act 2018 sits alongside and supplements UK GDPR. It sets out separate data protection rules for law enforcement authorities, and extends data protection to some other areas such as national security and defence, as well as providing some additional exemptions.
For all funded research, the funder (research councils, charities, foundations) will have policy(ies) regarding the handling of the data collected in the project. It's important to be aware of these policies from the outset of the project, to ensure adherence. Polices should be made apparent at the point of funding confirmation, but a collection of funder policies is also available here.
Please be aware that the individual UKRI council policies are currently under view, with an overarching UKRI policy potentially being implemented in the near future.
Like funders' policies, many journals and publishers also have research data policies. Although these often overlap with funders' policies, there are often additional requirements such as the inclusion of a data availability statement. It's important to pay attention to these, and to plan from an early stage in order to be able to meet these requirements, e.g. Sage Publishing data policy.