Research Data Service, University of Glasgow
With contributions by: Gemma Tougher (Deputy Head of Data Protection & Freedom of Info) and Georgina Wardle (Head of University Ethics Committee, School of Education), University of Glasgow
We have been asked recently about appropriate sharing of data from SoTL projects – when can datasets be shared with other researchers and when can’t they?
I want to make clear the assumptions that we’re making here. We’re assuming that the project is making provision for future publication / presentation / application outside of the original setting so has determined that ethical approval is necessary. We’re assuming that there will be living human participants involved in the project, so data protection needs to be considered. We’re not dealing with the non-data-reuse nuances of ethics approval. The points below are the aspects of data protection and ethics approval which need to be considered when contemplating data sharing and reuse. This guidance has been co-produced by the data management team, the data protection team and the University ethics team.
While every project is unique and there will undoubtedly be occasions that don’t conform to the norms, the basic guidance is as follows:
When your research or scholarship involves human participants, the ability to reuse, repurpose and/or share the data from the project depends entirely on how your project was set up. This really boils down to the information provided to participants in three key documents – the consent form, the participant information sheet or plain language statement (PIS / PLS) and the privacy notice. Please note that data protection and ethics approval are completely separate processes that happen to share some common language. They should not be considered to be interchangeable and it’s helpful to keep them separate when discussing the requirements.
The privacy notice is a legal requirement which sets out when, why, where and how a person’s personal and/or special category data are being used within the University. More information about privacy notices can be found here. When adapting a privacy notice template for your work, try to consider future reuse of the data being collected (either by yourself or other people) to ensure that future reuse is allowed for. It is also important to indicate how long you intend to retain data for in the privacy notice.
Your ethics documentation should be clear on the differences between how any personally identifying information about the participants will be handled and how the other information collected will be used for the purposes of the project, eg personally identifying information about participants may be destroyed upon completion of the project, but the de-identified project data will be retained for future reuse (this is an example – other scenarios are possible).
As part of the consent form and PIS/PLS you should make clear to your participants what parts of the data they supply will be retained within the University and for how long. You should also make clear who will have access to different parts of the datasets and when (eg identifying information may only be visible to project members whereas deidentified project data will be make available for open reuse once the initial project is completed). Finally, you should make it clear to participants what purposes any data available for reuse can be used for. In all of these cases, the more open you can make the data (with your participants’ consent) the simpler it will be to share your data with colleagues and others, and the wider range of applications it can be used for.
Current and legacy datasets – if you have an existing dataset where the consent form, PIS and privacy notice did not make clear provision for reuse outside the project for which it was collected, or which did not make provision for reuse by other people, then it’s imperative that the data is not shared or reused in these contexts. It is important to abide by the terms of what we promised our participants. Not doing so could seriously damage trust in research at the University of Glasgow. There are some limited exceptions to data protection requirements which may apply when certain conditions can be fulfilled. More information on exceptions for reuse can be found on the ICO website. However, even when these conditions are met, ethics requirements must also be satisfied.