Skip to content
Skip to navigation menu


FAQs on Data Protection and Writing a Research Protocol or Applying for Research Ethics Approval

The Governance & Compliance Division is often approached by researchers preparing their research protocol or applying for ethical approval with queries about how to meet the requirements of the Data Protection Act.  This advice will assist you in developing your procedures for handling personal data in your project.


1. How should I transfer personal data?

If you’re going to be transferring personal data during your project you will need to take steps to ensure that the data will be secure during transit.  First consider whether it is necessary to transfer the personal data in the first place or whether you can carry out your activities by transferring anonymised data.  

  • If you are thinking of transferring personal data via the web ensure that you use hypertext transfer protocol secure (https).
  • If you are considering transferring personal data via large file transfer protocol ensure that you use secure file transfer protocol (sftp).
  • If you’re going to be transferring personal data on portable media such as CDs, DVDs, laptops, and USB sticks make sure that the data is encrypted to FIPS 140-2 standard (or equivalent) or fully anonymised.  Prior to removal appropriate back-ups should also be considered in case of loss or theft of the portable media.
  • If you plan to send personal data by email to addresses outside of the University’s email system ensure that the personal data contained within the message is encrypted to FIPS 140-2 standard (or equivalent).

For further advice on encryption check out the INSRV Security Team webpage .

Useful techniques for anonymising data can be found as part of the Information Commissioners Anonymisation Code of Practice 


2. Can I share personal data from my project with other organisations?

If you plan to share personal data with other organisations you will need to ensure that the sharing is fair and lawful under the Data Protection Act.

  • Firstly consider whether the sharing is really necessary.  Could your purpose be met by sharing anonymised data?  If so you must do this instead of sharing identifiable data.
  • If you need to share personal data you must ensure that you do not share excessive information with the other organisation – provide only the pertinent information needed in order to carry out the purpose.
  • You will need to ensure that research participants are aware that their information will be shared with the other organisation by including it in your participant information sheet (or consent form, where relevant).  You may also wish to allow participants to opt out of this sharing where possible.
  • The sharing must be fair on the participants and not be for a purpose that is incompatible with your core research purpose.

3. I will need to transfer personal data outside of the European Economic Area, is this allowed?

If you will be exporting personal data outside of the European Economic Area you will need to ensure that you are complying with the 8th Data Protection principle (personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data).  In order to meet this principle you will need to:

  • ensure that you have the explicit consent of the research participants to transfer their data outside of the EEA and have taken reasonable steps to ensure that the data will be transferred and subsequently held securely (see above),
  • ensure that the personal data is being transferred to a country which the Information Commissioner has deemed to have adequate protection (
  • ensure that the transfer is carried out under contract.

In all cases if you are going to be transferring personal data outside of the European Economic Area seek advice from the Governance & Compliance Division first.

4. Do I need to comply with the Data Protection Act when handling participant personal addresses, postcodes, faxes, emails or telephone numbers?

Participant personal addresses, postcodes, faxes, emails and telephone numbers will all be personal data and therefore the Data Protection Act will apply to their handling.  You will need to take steps to ensure that they are held securely and not disclosed inappropriately.

5. Can I publish direct quotations from participants in my research output?

You can use direct quotations in your research output but should make sure that you explain this to participants in your participant information sheet (or consent form, where relevant).  In order to comply with the Data Protection Act you will need to ensure that participants are aware before they participate in your project that their words will be directly quoted in your research output.  You must also ensure that any direct quotations used in your research outputs are portrayed in a fair manner and will not cause the research participant distress.

6. Can I publish data that might allow identification of individual participants?

There may be ethical issues which you should consider before identifying individual participants in your research outputs.  If there is any doubt as to identifiability, to comply with the Data Protection Act, you will need to make participants aware before they participate in your project that they may be identifiable in your research outputs via your participant information sheet (or consent form, where relevant).  

7. Who should be allowed to access personal data during the study?

Access to personal data throughout your project and after its closure should be restricted to the minimum number of staff necessary, see How should I store personal data?  for more guidance.  The use of project generated ID numbers or codes is recommended to limit the extent of access to personal data during the analysis stage of your project as a security measure.  All staff should be signed up to confidentiality agreements.  List the members of staff who will have access to the data in your research protocol.

8. How should I store personal data?

Personal data must be kept secure against unauthorised or unlawful access and safe from accidental damage, loss or theft.

Manual files

Keep paper records containing personal data in lockable cabinets or offices with controlled access, when not under the direct supervision of a member of the research team.  Ensure that access to keys is restricted to only those who require access.  Avoid removing records from secure locations unless strictly necessary.  Avoid unsafe storage locations such as areas containing hazardous chemicals, or exposed water pipes.  Ensure that manual records are destroyed in a secure manner, using the confidential waste service or shredders, once the retention period has passed.

Electronic records

Where possible personal data should be stored in folders on your home drive (H:\), the network shared drive (S:\), or in a dedicated Quickr TeamPlace, with appropriate access control implemented to restrict access to data and records to authorised individuals only.  Both the network shared drive and Quickr TeamPlaces are backed-up regularly by INSRV to:

(i) protect against IT system failure;
(ii) ensure files can be recovered within 3 months of accidental deletion or corruption.

Quickr Teamplaces have a maximum file size of 100MB .  If continued access to records held in the Quickr TeamPlace will be required for a lengthy period (e.g. beyond 2014), INSRV should be consulted before the formulation of detailed research bid proposals.

If the network shared drive or a Quickr TeamPlace is not suitable a project-specific shared drive should be set up where access is limited to authorised individuals such as a secure server which is backed-up regularly.  Where back-ups are implemented locally, they should be stored securely in a different location from the original data, and checking procedures should be established to ensure that they work effectively.  It is recommended that IT needs are discussed with School IT support staff, and then with INSRV, before the formulation of detailed research bid proposals, to discuss feasibility and adequate funding for the project’s IT needs.

Before using any other storage media for electronic data and records, including computer hard disks, consideration must be given to appropriate security and back-up of the data.  Hard drives of computers owned by other organisations such as the NHS should be avoided because they are not under the control of Cardiff University.  University computer and laptops should not be used to store personal data unless encrypted.  Small media devices such as USB sticks and CDs are not considered suitable as the primary storage location for personal data and should be encrypted to FIPS 140-2 standard (or equivalent) as above if used for transporting or transferring personal data.  In addition, if the personal data will be needed for a long period (e.g. 6 years or more), consideration should be given to the expected lifespan of the storage media used as media degradation and technological advances may make the records stored on it inaccessible in the future. In either case, consult your School IT support staff and/or INSRV before the formulation of detailed research bid proposals for the project.

The use of cloud computing and software as a service provider to store research records can carry significant data protection and management risks.  Consult with the Governance & Compliance Division if this is being considered.

Access to electronic data and records should be controlled by passwords and, where appropriate, access to individual files/databases should also be password protected.  Passwords should be known only to authorised individuals and changed at regular intervals.  Access controls should be regularly reviewed and updated as individuals join, leave or change roles within the project.  Computers and software should not be left logged in and unattended.

Ensure that any storage media used in the project is wiped before disposal or reuse in compliance with Governance & Compliance Division’s guidelines.

For further guidance on the storage and retention of research records see GOVRN’s Managing Research Records and Data guidance  and INSRV/GOVRN's Storage Advice .

9. How long should I keep my data?

You should follow any stipulations concerning records and data retention made by your project funding body (set out in the funding contract or terms and conditions).  Most funding bodies specify whether they or the institution is responsible for the resulting dataset long term and in some cases require the dataset to be sent to them on project completion.  The requirements of research funders are available in summary from page seven of JISC’s Guidance on Managing Research Records and further details are available on the Digital Curation Centre’s website. 

In the absence of any stipulation from the funding body, data for non-clinical and non-public health research projects should be kept for a period of no less than 5 years or at least 2 years post-publication (as appropriate) to allow for further analysis and review, and aid any future queries or disputes regarding intellectual property, research conduct or the actual results of the research.  If any patents emerge from the research, the records and data may need to be retained for a longer period to support the patent or other protected intellectual property.

Research data obtained from clinical research projects or projects relating to public health should be kept for a minimum of 15 years from the end of the project.  If any patents emerge from the research, the records and data may need to be retained for a longer period to support the patent or other protected intellectual property.

Financial and administrative research records should be kept in line with the research section of the University’s Records Retention Schedule.  Some financial and administrative records from projects funded by European Structural Funds will need to be retained until the payment of the final balance of structural funds by the European Commission + 3 years.  Confirmation should be sought from WEFO prior to destruction.  For further information on WEFO’s records requirements see their  guidance note on the Retention and Management of Documents.  

In instances of doubt as to how long data must be retained contact the University Records Manager within the Governance & Compliance Division.

10. Do I need to keep my original digital/audio tape as well as my transcripts?

Yes, the University’s Research Governance Framework does not explicitly state that original digital/audio tapes should be kept but it does include the expectation that researchers will keep clear and accurate records of all results obtained including primary data.  It is therefore advisable to retain any original digital/audio recordings as well as any transcripts made for the full retention period.  This will ensure that the original material is available should any queries arise after publication and guard against any allegations of fabrication or falsification of data.  Some research councils (such as MRC) also require raw data to be kept in its original form alongside transcripts, so it is advisable to check any guidance from your funder.  If your tapes and transcripts relate to a clinical trial there are specific requirements as set out in the University’s Standard Operating Procedure for Archiving records from Clinical Trials of Investigational Medicinal Products .

If you are considering destroying original digital/audio tapes it is advisable to assess the risk of only retaining transcripts.  If you do not have any documented transcription procedures and do not carry out verification checks it may be difficult to prove that the transcripts are a true reflection of the original recording.

11 What should I put in my research protocol about the physical security arrangements I’ll be making  for personal data during my study?

Make sure that you include a detailed description of the physical security measures that you will be taking in your research protocol based on the guidance provided in How should I store personal data above.  Include details of any back up procedures as well as any organisational and technical security measures that you shall take to protect the personal data.  Check if your funder has any requirements regarding security and ensure that your proposed systems will accordingly comply.  Some funders require information to be kept securely in compliance with ISO 27002.  If you need assistance in checking whether your proposed set up will meet funder requirements contact the INSRV Security Team.