Research ethics and data protection
Frequently asked questions about research ethics and data protection
As a researcher, you have to comply with numerous requirements - both internal and external. Many of the requirements may seem similar at first glance, but they are based on different considerations. Below, you will find answers to frequently asked questions about the differences and interconnections between research ethics and data protection.
What are research ethics and data protection?
Research ethics are about ensuring compliance with basic principles when research involves people (study participants) and their environment. Research should always be conducted responsibly and safely.
The Aarhus University Research Ethics Committee focuses primarily on the following principles:
Respect for the individual
At a minimum, this entails:
- prior informed consent to participate and the option to withdraw from an ongoing study (real autonomy),
- confidentiality/anonymity with regard to important sensitive matters, and
- adequate protection of study participants and others involved in the process.
Justification of the project in terms of expected scientific benefit versus disadvantages/risks for participants
Besides minimising risks and discomfort for participants as much as possible while also taking account of the feasibility of the study, the expected scientific benefits of the project must also be able to justify any unavoidable inconvenience and discomfort of both a physical and psychological nature.
Data protection (right to privacy) is a human right alongside the freedom of expression, the freedom of association and the freedom of assembly. More specifically, data protection is about ensuring the protection of information about natural persons (also known as personal data).
This means that all natural persons, known as data subjects in data protection regulation, are entitled to have their data protected when Aarhus University processes their data for research purposes.
When conducting research that uses personal data, you must always comply with data protection rules.
When do data protection rules apply and when can/should I obtain research ethical approval?
Below is an overview to help you determine which rules apply for you and whether you can get/need ethical approval for your research project from Aarhus University’s Research Ethics Committee.
(You can open a larger version by clicking on the illustration)
What do I do if I cannot get approval from Aarhus University's Research Ethics Committee, but I still face requirements from external parties?
If you encounter requirements from external parties, e.g. funders, journals or others, for research ethics approval that lies outside the framework that Aarhus University's Research Ethics Committee assesses and approves, contact the secretariat via researchdata@au.dk.
The secretariat can help prepare an explanation that you can submit to the person/body requesting research ethical approval. This can be necessary in the following situations:
- You have already collected data that cannot be assessed by Aarhus University's Research Ethics Committee
- Your study does not have the character of an empirical study
What is consent?
Consent is a person's acceptance of someone/something. Consent must be given on an informed basis, which means that the person must be able to recognise and understand the consequences of saying yes or no.
Furthermore, consent must be voluntary, regardless of its nature. If not, then it is not valid consent.
Why is consent to participate in a survey not necessarily the same as consent under data protection regulation?
As a researcher, you should be aware that consent under data protection regulation must meet specific requirements in order for the consent to be valid and thereby a basis for processing personal data. Special rules also apply to the information your research ethical (informed) consent must contain.
The purpose and considerations behind research ethical (informed) consent and consent under data protection regulation are different even though both are about individuals participating in a research study.
Therefore, research ethical (informed) consent in itself is not a sufficient legal basis for processing personal data. Conversely, consent under data protection regulation is not sufficient to constitute ethical consent.
Can I combine research ethical consent and consent under data protection regulation?
If you need both ethical (informed) consent and consent under data protection regulation, it is generally a good idea to obtain them at the same time. The reason for this is when using consent under data protection regulation as our basis for processing, the participation in the research project will be intertwined with the processing of personal data.
Example: A participant chooses to give their consent to participate, but they do not want you to process their personal data. |
You will soon be able to find a template on how to obtain both research ethical (informed) consent and consent under data protection regulation.
How can I as a researcher combine ethical consent to participate with processing of personal data on the basis of the scientific research purposes provision?
Since ethical (informed) consent is not consent under data protection regulation and therefore does not constitute a legal basis for processing personal data, you will instead need to obtain research ethical consent and process personal data on the basis of scientific research purposes.
Example A researcher who conducts a series of empirical studies in the form of interviews as part of a research project wants to obtain research ethical approval in order to comply with the requirements of a research framework programme. |
What approvals do I need/can I get?
Research ethical approval is used to assess whether the proposed study is ethically sound. There may be various reasons why you want/need to obtain ethical approval for a study in your research project.
Research projects are increasingly experiencing external requirements to obtain research ethical approval from the institution they belong to. The requirements stem mainly from funders, international journals and the EU’s framework programmes.
You will not always need or be able to obtain research ethical approval. You can use the decision tree to determine whether you can obtain research ethical approval.
As a general rule, you do not need approval to conduct research using personal data. However, there are a few situations that will require you to apply for approval to process personal data:
- If you need to disclose personal data covered by one of the three authorisation requirements from the Danish Data Protection Agency. On this page, you can see if this applies to you.
- If you process personal data covered by special rules that stipulate you must obtain authorisation, for example if you want to use personal data from a patient record.
- If your department has internal rules that stipulate your research must receive prior approval.
Although you will not often need authorisation to use personal data in your research, remember that you must register research that processes personal data with AU records.