Ethics and data protection


When collecting, using and sharing research data, ethical considerations and legal obligations guide the way.

Ethics are an integral part of a research project, from the conceptual stage of the research proposal to the end of a research project. Within the EU the RESPECT project has drawn up professional and ethical guidelines (Institute for Employment Studies, 2004) for conducting socio-economic research. The RESPECT Code of Practice is based on three main guidelines:

Researchers should always seek to take account of all the relevant evidence and present their research without omission, misrepresentation or deception.

This means in practice that researchers should ensure that when they are formulating their research questions, designing surveys, questionnaires or interviews they do not predetermine or prejudice the outcome through their choice of questions or actions.

Researchers need to ensure that they are aware of all the relevant national and international laws that may affect their research project. With collaborative projects which cross legal borders, this may involve various laws. Ones of particular relevance (and to be aware of) will be in regards to data protection and intellectual property. These will be discussed in more depth in this chapter.

Researchers should aim to avoid or minimise social harm to groups or individuals when conducting their research projects. This means that the research project should be designed responsibly and consider participants throughout. For example, participation in the research project should be voluntary and on the basis of fully informed consent.

Depending on the type of data you collect you will have to deal with different laws. Whereas Intellectual Property legislation applies to all data, the collection of personal data has its own laws to adhere to. Importantly, since 25 May 2018, the General Data Protection Regulation (GDPR; European Union, 2016a) applies to any EU researcher or researcher in the European Economic Area (EEA) who collects personal data about a citizen of any country, anywhere in the world, as well as any researcher worldwide who collects personal data on EU citizens.

Archiving and publishing personal data

If you collect research data that enables you to identify a person, then this is classified as personal data. Within the General Data Protection Regulation (GDPR, European Union, 2016a) personal data is defined as any information relating to an identified or identifiable natural person known as ‘a data subject’. It is further specified that an identifiable natural person is someone who can be identified, either directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data can include a variety of information, such as names, address, phone number and IP addresses.
The GDPR applies only to the data of living persons. Data which do not count as personal data do not fall under data protection legislation, though there may still be ethical reasons for protecting this information.

Sensitive personal data

Certain personal data are considered particularly sensitive and thus require specific protection when they reveal information that may create important risks for the fundamental rights and freedoms of the involved individual. Examples of sensitive personal data include data revealing religious affiliation, sexual orientation, or racial or ethnic origin. Within the GDPR the following categories are defined as ‘special categories of personal data’:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data;
  • Data concerning health;
  • Data concerning a natural person's sex life or sexual orientation.

There are other data which may contain sensitive information which do not fall under the special categories of personal data but should still be treated as such, including, for example, confidential business data and secret data concerning state security.

Many research funders and journals expect or require data sharing (i.e., data to be made available in a data repository). Especially for (sensitive) personal data, there may be a perceived tension between data sharing and data protection. In the coming paragraphs, we will show how a combination of gaining consent, anonymising data, gaining clarity over who owns the copyright to your data and controlling access to data can enable the ethical and legal sharing of data.


First, we will get you started on the topic of ethical review. Starting with an ethical self-assessment will help you identify the key ethical and legal issues in your study beforehand, which will maximise your data's value whilst protecting your participants.