As part of your research, you are probably creating, encoding, storing, analysing, and archiving data about individuals. This comes with the responsibility to maintain participants’ privacy and to use data about them in a fair and responsible way. In the United Kingdom and the European Union, the GDPR (General Data Protection Regulation) provides a legal framework for doing so. We will use GDPR-related terminology in this section; however, we think that researchers from non-EU countries can also think about how these regulations can be adopted for research in their respective areas.
Child-based research does often involve the processing of personal data.1
Personal data is information which relates to a living individual who can be identified from that information, whether directly or indirectly, and in particular by reference to an identifier.
This includes a person’s:
The GPDR also considers certain types of data to be especially private and can expose participants to potential discrimination. These include data about a person’s:
Extra care is needed for these special category personal data.
The purpose of anonymising datasets is to ensure that a participant cannot be re-identified based on the data they supply. Typically, researchers assign participant IDs and remove obvious identifiers such as names, addresses, and contact details from datasets to achieve this. While many researchers consider this to be enough to achieve participant anonymity, full anonymisation is actually difficult to achieve. We often collect additional data that makes it easier to trace data back to an individual, such as age, regional origin, and medical condition. In reality, most of the typical research practice is considered pseudonymisation, which is a way to disguise the participants’ identities and make it a bit harder to retrace.
Some practices for responsible pseudonymisation:
Audio or video recorded data present additional challenges. Participants might reveal personal information about themselves or other people during the recording. Additionally, participants’ voices and faces make them more readily identifiable than pen and paper or questionnaire-based data collection methods. The CHILDES database lists different levels of data access for audio and video data2. This includes audio bleeping, video blurring, and the replacement of last names and addresses in transcripts. Importantly, research involving photo, audio, or video recordings should have consent forms that explicitly ask for participants’ agreement for these recordings to be made and used for specified purposes. You can access a sample template at the University of Oxford website.
When processing personal data, it is important to adhere to the following data protection principles:
| Data protection principle | Description |
|---|---|
| Fair, lawful, and transparent data processing | Researchers must be clear about who will process or view their data, for what purpose(s), and for how long. Participants must also be aware of their right to withdraw consent at any time. |
| The data is collected for specific, explicit, and legitimate purposes | Personal data collected for a specific purpose should NOT be used for something else unless there is consent for the new purpose. The use of personal data for other research is usually exempted from this principle. |
| Data minimisation | This discourages researchers from collecting more personal information than is necessary. Even within research teams, not all members might need access to the non-anonymised dataset to carry out their research duties. If it’s possible to work using a dataset with fewer pieces of identifying information, then the researcher should do so. |
| Personal data is accurate and up-to-date (if needed) | Inaccurate data must be corrected or deleted without delay. Researchers are normally interested in a person’s situation at a particular point in time; as such, there might be no need to update this information later on. |
| Identifiable data is destroyed when no longer needed | It is good practice to decide on a time when participant lists are destroyed. This is normally done towards the end of the research project. |
| Personal data is processed securely | Secure processing means that only authorised people can access and process personal data and within the scope of their duties. It also means that lost personal data can still be recovered if accidentally lost or destroyed. A researcher should have access to suitable technological resources, organisational measures, and staff training to be able to process data securely. |
For collaborations that involve the sharing and transfer of data between organizations, it is a good practice to create a written agreement (called a ‘data sharing agreement’) that specifies the roles and responsibilities of each organization concerning data processing.
Some grant applications require a research data management plan. Even if your institution, funding agency, or ethics committee do not require one, writing a data management plan is a good way to think about the type of data you’re collecting, how they are organised, stored, archived, and shared, and what ethical and legal issues need to be considered. The Digital Curation Centre provides a checklist for creating a data management plan for your project.
Examples of incidents that could put the safety and confidentiality of your data at risk are:
Check with your research team or organisation if you have a policy for reporting possible data breaches. Even if you don’t, it is always a good idea to talk to your supervisor or research team for guidance on what to do if it happens. For example, there may be an option to wipe data remotely from lost laptops or mobile devices or to recover hacked accounts and put stronger protections in place. The IT department of your organisation may also be able to help with these matters.
Under the GDPR, there is a requirement to report personal data breaches within 72 hours of knowing about it5. Check if your research team or organisation has similar requirements that apply to you.
As you can see, research integrity and ethics cover every stage of the research process. It requires a good working knowledge of the latest professional and ethical standards in research, including the use of technologies to process data securely. It also requires the extensive planning and documentation of procedures and protocols that work for all individuals and organisations involved in the research project, whether it’s for a student project or a multi-year international collaboration like TalkTogether.
This may be a lot of information to digest now but applying these research integrity and ethical principles can make your research more rigorous and trustworthy overall.