Library Services
There are three tiers of access control and data is: open (contains no personal or disclosive information), safeguarded (there may be a residual risk of disclosure) or controlled (data may be disclosive).
Controlled data is only accessible to authorised individuals in secure trusted research environments as detailed in the Five Safes Framework.
Withholding research data means taking a decision not to openly publish it, even if there are obligations to funders or publishers to openly share the outputs of research. Taking this step requires justification and full consideration.
Research funders with data sharing policies typically require that research data is made as openly available as possible, whilst recognising that there may be legal, ethical, or commercial reasons why access may be restricted. These restrictions typically apply at all stages of a project so that the research process is not damaged by inappropriate release of data.
Research data does not have to be completely open and with justification subsets of your data could be shared either through the use of consent and anonymisation, or by regulating and restricting access to specific users. This should always be considered in preference to a blanket restriction.
Even if data is unsuitable for open access, other data management requirements will still apply. Your data management plan should be used to identify and document reasons for withholding data and publications should still include a data availability statement. The data availability statement should explain why the data is not openly available and, any conditions for access being granted where this is appropriate.
Before making a decision about making your data openly available, please email the library research support team to discuss.
The legislation that surrounds data protection includes:
Common law
Data Protection act (DPA) 2018
General Data Protection Regulation GDPR (EU and UK)
Digital Economy Act
Freedom of Information Act 2000 (FOI)
Environmental Information Regulations 2004
Human Rights Act 1998
Commercial data contracts
The University is required to share data relating to safeguarding and Prevent Duty in Higher Education in higher education.
Personal data must be handled (collected, analysed, and stored) in accordance with EU (GDPR) and UK (DPA 2018) data protection legislation. Researchers are required to respect any duty of confidence when accessing and sharing confidential data under common law.
Personal data must not be shared with any third party without the valid consent of the person to which it relates. The UK Data Service has produced a step-by-step guide for researchers around GDPR compliance. If you are collaborating internationally, you need to be aware of the data protection legislation for each country.
What counts as personal data? This is complicated and there are grey areas! In essence, any information that relates to a person who could be identified using direct identifiers (such as name or location) or indirect identifiers (such as occupation or passport number) could be personal data. A person’s image (photographic or video) and voice is their personal data. Some identifiers may become a risk in combination with other categories of data, including that already in the public domain. With GDPR and the Statistics & Registration Services Act, corporate bodies are also considered as individuals.
Personal data can be shared, processed, and preserved for research as under the public trust (UKRI funded) or legitimate interest. Good research practice and ethics also require that valid consent has been gained and data that could cause disclosure has been anonymised or deidentified. Anonymisation and deidentification should remove both direct identifiers (names, addresses) and use categorisation or coding with indirect identifiers such as occupation and age, via so that identifiers cannot be combined to reveal an individual’s identity.
GDPR also highlights special categories of personal data that are more sensitive in nature a higher level of protection, for example: race, political opinions trade union membership, genetic data, and health data.
Sensitive data might include the locations of endangered plant or animal species, organisational information or information that could pose a security risk in addition to personal data.
Access control and anonymisations should be planned as part of the research design and data management planning process.
You must not share your data if you do not have the right to do so, or if this would be in breach of Intellectual Property Rights, your funding contract or collaboration agreement, or a confidentiality clause. However, it may be possible to share such data with other researchers, subject to non-disclosure agreements. For advice on the University’s Intellectual Property policies, guidelines, and processes, please see the Cranfield University Policy on Intellectual Property.