The University's Data Protection Policy (pdf download) can be found on the Data Protection Office's pages. This policy ensures compliance with GDPR and the Data Protection Act 2018 (which focus purely on the use of personal data), while guidance documents provide up-to-date best practice. The policy covers all uses of personal (including special category) data, including in research. All researchers who work with personal data should familiarise themselves with this policy and their responsibilities around personal data.
Sections of interest include (but are not limited to):
4.5 Processes
4.6 Using Personal Data
4.8 Sharing and Disclosing Personal Data
4.9 Retention and Disposal
The Data Protection Office's pages also have vital knowledge around:
Reporting a data breach (form), which is essential to do in a timely manner when this occurs (i.e. where data has become accessible to people that should not have access).
Data Protection Impact Assessments (DPIA) and when they are required for research projects; this includes a screening questionnaire to ascertain whether a full DPIA is required.
The University's Records Retention Schedule covers all data that the University holds, and guidance on how long it should be kept. The second tab focuses on research and includes:
Policy and Planning (Research Strategy and Policy Development, Research Programme Development, Research Business Development, Research Design & Planning, Research Funding Administration
Conduct and Monitoring (Research Quality & Standards Management, Research Project Management, Research Conduct, Research Integrity & Research Governance
Reporting and Review (Research Reporting, Research Programme Review, Research Programme Assessment, Research Supervisor Appointment & Training, Research Student Monitoring & Support, Research Excellence Framework [REF]).
This guidance, along with any project-specific contracts or agreements, should be followed and planned for at the early stages of a project.
The University's Digital Preservation Policy formalises the University's commitment to safeguarding University assets like research data and outputs for as long as required. University-created digital research content, such as content deposited within ORDA, will be managed in a way that ensures preservation of the following attributes of our digital
Accessibility - the ability to access the data over the period of time required
Integrity - the data is complete and unaltered
Authenticity - what the data purports to be
Reliability - trusted contents which accurately reflects the output of a transaction
Usability - can be located, retrieved, presented and interpreted
The Digital Preservation Policy highlights the role staff play in managing their digital assets. The Digital Preservation Service works closely with Research Data Management to support good practice throughout the data lifecycle.
[Links will be updated once the new version of GRIP is finalised]
The University's GRIP Policy is the overarching policy on how research and innovation should be carried out with integrity. It includes sections focused on, or relevant to, research data:
Project Design - while this is about researchers' projects as a whole, the points and concerns raised can very easily be applied to the research data that needs to be managed.
Planning for Impact - data from a research project could have impact beyond the outputs of the project it was gathered for; this should be considered alongside other elements at the start of a project.
Ethics of Research Involving Human Participants, Personal Data and Human Tissue - key knowledge for any research involving data in these categories. As well as giving an overview of key issues and requirements, it also links to the Ethics team's papers that provide special guidance for certain areas of research, and processes for using UK health and social care data - Research Governance Procedure
Managing Research Data and Code - an overview of what all data stewards should be aware of when carrying out their roles, including Data Management Plans, managing personal data, data sharing agreements and other contracts, ownership of data, and use of approved tools and platforms.
The University's Statement on Open Research clarifies its position for both the University and researchers around open research, including open data. It states that:
'Data underlying publications [should] be made openly available and FAIR where legally, ethically, and technically possible, as well as referenced via a data access statement in the publication. '
and that the University will:
'Provide infrastructure to support sharing of the research process and outputs, e.g. ORDA [the University's institutional data repository], WRRO, in line with the FAIR Guiding Principles for scientific data management and stewardship.'
The FAIR Principles stipulate that research data should be as 'open as possible, but as closed as necessary'.
The University has also detailed information and guidance around all aspects of Information Management, including a comprehensive list of policies and guidance, which apply to all data the University collects and processes, not just research data.
GDPR UK is the main legislation that governs personal data, including special category data, in the UK. When handling such data, you should be aware of the main clauses of GPDR and what this means for the data. These mainly fall into the areas of:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality
Accountability
You should document the way you have fulfilled these criteria for the research data concerned. The Information Commissioners Office (ICO) have produced a detailed guide around research provisions that may be taken, as well as other guides that could be useful.
Currently (April 2025), GDPR UK and (EU) GDPR are closely aligned with some minor modifications.
The Data Protection Act 2018 sits alongside and supplements UK GDPR. It sets out separate data protection rules for law enforcement authorities, and extends data protection to some other areas such as national security and defence, as well as providing some additional exemptions.
For all funded research, the funder (research councils, charities, foundations) will have policy(ies) regarding the handling of the data collected in the project. It's important to be aware of these policies from the outset of the project, to ensure adherence. Polices should be made apparent at the point of funding confirmation, but a collection of funder policies is also available here.
Please be aware that the individual UKRI council policies are currently under view, with an overarching UKRI policy potentially being implemented in the near future.
Like funders' policies, many journals and publishers also have research data policies. Although these often overlap with funders' policies, there are often additional requirements such as the inclusion of a data availability statement. It's important to pay attention to these, and to plan from an early stage in order to be able to meet these requirements, e.g. Sage Publishing data policy.