The University has a Research Data Management (RDM) policy to ensure that information generated as a result of research is effectively managed to avoid loss or security breaches. It also aims to promote open access to this information where appropriate.
For general help and guidance please contact the Library at email@example.com.
What is Research Data Management?
Research data management (RDM) is a concept which helps us to store, preserve and share data collected during a research project. This will typically involve
- Advanced planning prior to the start of a research project.
- Implementation of good data management practices during the project.
- A long-term strategy for data preservation and sharing at the end of the project.
RDM is important for a number of reasons. Many funders will have requirements and expectations which you will need to comply with. Good data management means that data is less likely to be lost and where appropriate is made available openly to future researchers for verification of your project’s finding and their own reuse of the data. There are also specific legal requirements relating to the use of personal data (GDPR and the Data Protection Act)
What is data?
Here are some examples of data. In relation to research, it is important to note that all disciplines are likely to produce and analyse data, not just scientific disciplines
- transcripts of interviews
- audio or video recordings or interviews or participants actions
In other words, research data is data produced and analysed during a research project. Administrative data relating to the project (eg the original funding bid, records relating to people employed on the project) are not included. However, if you have external funding it is important to check your funder's specific requirements and guidance.
What is open data?
Increasingly, funders are requiring the underlying analysed research data that is produced to be made publicly available. Some journal publishers also require this data to be made available. There are two reasons behind this. Firstly, it enables research to be scrutinised and challenged. Secondly, it enables the data to be reused by other researchers in their own projects. Open data is data which has been made publicly available in an open research repository (such as the St Mary's Research Archive). Obviously, not all data can be made open and it is the responsibility of the researcher to select the data which can and should be made available. It would not be possible, for example, to make available any data which contains personal details or which is commercially sensitive.
Data Management Plan
St Mary's (and an increasing number of funders) requires each research project to have a data management plan. It is a one or two page summary of how you are going to manage data and will typically consider
- What type of data will be collected and how will it be described?
- How will it be stored and kept secure?
- Who will be allowed access to your data once the project is completed? Under what conditions and for how long? Will some of the data become open data?
There are various tools and templates available to assist in the creation of a plan including the Digital Curation Centre's online tool.
Legal and ethical requirements
As part of your planning you should identify any special legal or ethical requirements. Your funder may have guidance and or requirements in relation to this. Whoever is funding your work, you will need to follow any legal requirements and especially in relation to how you process personal data. In order to comply with data protection legislation (GDPR) it is important to document why and how you intend to process any personal data.
Data protection – GDPR
The Data Protection Act (2018) and GDPR apply to all personal data that you collect and process as part of your research project. Personal data is any data which could identify a living individual such as a name, a picture of an identifiable face, a National Insurance number etc. Personal data only ceases to become personal data when it is anonymised, not when it is pseudonised . A list of St Mary's student registration numbers is personal data because anybody with appropriate access to the correct systems can work out who an individual is from that data.
Data which identifies factors such as medical history, religious or political beliefs is particularly sensitive and is termed "special category data".
When you collect, process and store personal data there are various principles and safeguards that you must comply with. You must also be able to demonstrate a legal basis for collecting the personal data
If the data you are collecting does not identify any living individuals then you do not need to worry about data protection legislation and GDPR.
Principles of data protection
Under the legislation, all personal data that you collect for your research project must follow the following principles
- You must have a lawful basis to collect it and collect it in a fair and transparent manner (See section below)
- The data you collect must be for a specific purpose and must not be used for another purpose in the future
- The amount of personal data you collect should be kept to an absolute minimum
- The data must be accurate
- The data should not be stored for any longer than is necessary (But the law does not lay down specific limits)
- The data must be stored safely and securely to prevent it being lost or coming into the hands of others
If any of your data is lost or if somebody gains unauthorised access to it you must report it to the University's Data protection Officer immediately (GDPR@stmarys.ac.uk)
The Government, through the Information Commissioner's Office (ICO) can impose huge fines for data leaks and breaches. There are also potential significant fines for failing to report a data breach to the ICO.
What is my legal basis for collecting personal data?
Under the Data protection Act there are six legal bases which can be used to justify the collection of personal data. It is advisable to identify and document the legal bases which you will rely on at the start of a project and include it in your ethics application
- Necessary for a contract
- Necessary to comply with a legal obligation
- Necessary to protect vital interests
- Necessary for a task carried out in the public interest or in the exercise of official authority
- legitimate interests
Whilst it is important for ethical reasons to ensure that participants are clear what personal data is being collected and for what purpose, ethical consent is not the same as consent to process personal data. For the latter consent must be very specific and be active (eg a signature or click on a specific box is required). Consent to personal data collection bundled as part of ethical consent could not necessarily be relied upon as data collection consent. In addition consent can be withdrawn. In most cases it is advisable to identify a legal basis other than consent upon which to rely.
The University is a public authority for the purposes of data protection legislation. Research is part of our public task and our research becomes publically available and is in the public interest. Therefore the legal basis for collecting personal data in university funded research is that it is necessary for a task carried out in the public interest.
Research carried out for a commercial organisation for its own internal use could not rely on this legal basis.
Special category (sensitive) personal data
If special category personal data is being collected you must provide an additional legal basis for collecting it.
Article 9(2)(j) allows for collection of special category personal data "where the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes."
The Data Protection Act schedule 1, paragraph 4 allows for collection which is "necessary for archiving purposes, scientific or historical research purposes or statistical purposes.."
It is important to make sure that you
- Have ethical approval for the collection of personal data
- Have put in place the appropriate safeguarding to ensure the security of the data
- Anonymise or destroy the data as soon as it is appropriate to do so
- Do not collect any personal data for which you do not have a clear documented reason to collect
- Only use the data for the stated reasons, not for any other purpose
In order to rely on these bases the research must clearly be in the public interest and the intent should be to make the research publically available (Eg through publication in the academic literature). A research project which, for example, was entirely for the benefit of a commercial company would probably not be able to rely on these bases and an alternative basis (eg consent) would need to be found.
To help you to make these decisions St Mary's has a Privacy Notice Guide which should be completed at the start of a research project
St Mary's RDM Policy
The St Mary's RDM policy requires researchers to
- Register details of each new research project with Research Services to ensure record-keeping of University research activity and enable planning of support service provision
- Create a Data Management Plan (DMP) for every research project regardless of the project's funding status. DMPs outline how data collected for a project will be handled both during and after the project. Use of the Digital Curation Centre's DMP Online tool is recommended to assist with creation of DMPs
- Update the DMP during the research project as and when circumstances change, maintaining the DMP as a 'living document'
- Maintain metadata and descriptive documentation on the data during and after the research project. This should provide sufficient information on the structure, context and file format of the data to enable it to be located and reused by future researchers. Any proprietary software required to read and use the data should be clearly stated
- Store and manage research data in line with legal, ethical, contractual, regulatory and intellectual property requirements as relevant to the specific project. These requirements will vary greatly according to the subject matter of the research and include meeting any specific requirements laid down by external funders. Additional security measures will be necessary in some cases for research involving personal or sensitive information
- Store working research data in a manner that preserves its integrity and minimises risk of data loss. This includes making regular backup copies of research data and not relying on a single storage location
- Deposit the 'selected' research data (i.e. that which supports the conclusions of the research) in an appropriate data repository or archive at the conclusion of the project, together with the appropriate descriptive metadata to enable discovery by others. The metadata should ideally include a Digital Object Identifier (DOI), thereby providing a stable identifier and link back to the data. External services designed to facilitate data deposit include Figshare and Zenodo, as well many discipline-specific data repositories. Data may also be deposited in the St Mary's University Open Research Archive.
- Preserve the deposited research data for at least 10 years after publication of the research it supports
- Make the deposited research data openly accessible in the chosen repository wherever possible, unless there are specific legal, ethical, contractual or intellectual property-related reasons to do otherwise
- Provide a Data Access Statement in the published research output (e.g. journal article or book) giving details of where the supporting data or material can be accessed, the DOI for the data and any restrictions placed on access to the data due to legal, ethical, contractual or regulatory requirements