Research ethics and data protection


Here you can learn more about:

  • The difference between research ethics and data protection
  • Whether you need to comply with both research ethics requirements and data protection rules
  • How to meet your obligations with regard to research ethics and data protection regulation

Frequently asked questions about research ethics and data protection

As a researcher, you have to comply with numerous requirements - both internal and external. Many of the requirements may seem similar at first glance, but they are based on different considerations. Below, you will find answers to frequently asked questions about the differences and interconnections between research ethics and data protection.

Research ethics and data protection

What are research ethics and data protection?

Research ethics


Research ethics are about ensuring compliance with basic principles when research involves people (study participants) and their environment. Research should always be conducted responsibly and safely.

The Aarhus University Research Ethics Committee focuses primarily on the following principles: 

Respect for the individual

At a minimum, this entails:

  1. prior informed consent to participate and the option to withdraw from an ongoing study (real autonomy),
  2. confidentiality/anonymity with regard to important sensitive matters, and
  3. adequate protection of study participants and others involved in the process.

Justification of the project in terms of expected scientific benefit versus disadvantages/risks for participants

Besides minimising risks and discomfort for participants as much as possible while also taking account of the feasibility of the study, the expected scientific benefits of the project must also be able to justify any unavoidable inconvenience and discomfort of both a physical and psychological nature.

Data protection


Data protection (right to privacy) is a human right alongside the freedom of expression, the freedom of association and the freedom of assembly. More specifically, data protection is about ensuring the protection of information about natural persons (also known as personal data).

This means that all natural persons, known as data subjects in data protection regulation, are entitled to have their data protected when Aarhus University processes their data for research purposes. 

When conducting research that uses personal data, you must always comply with data protection rules.

When do data protection rules apply and when can/should I obtain research ethical approval?

Below is an overview to help you determine which rules apply for you and whether you can get/need ethical approval for your research project from Aarhus University’s Research Ethics Committee. 


What do I do if I cannot get approval from Aarhus University's Research Ethics Committee, but I still face requirements from external parties?

If you encounter requirements from external parties, e.g. funders, journals or others, for research ethics approval that lies outside the framework that Aarhus University's Research Ethics Committee assesses and approves, you can find an exemption letter here.



Consent

What is consent?

Consent is a person's acceptance of someone/something. Consent must be given on an informed basis, which means that the person must be able to recognise and understand the consequences of saying yes or no.

Furthermore, consent must be voluntary, regardless of its nature. If not, then it is not valid consent. 

Why is consent to participate in a survey not necessarily the same as consent under data protection regulation?

As a researcher, you should be aware that consent under data protection regulation must meet specific requirements in order for the consent to be valid and thereby a basis for processing personal data. Special rules also apply to the information your research ethical (informed) consent must contain.

The purpose and considerations behind research ethical (informed) consent and consent under data protection regulation are different even though both are about individuals participating in a research study.

Therefore, research ethical (informed) consent in itself is not a sufficient legal basis for processing personal data. Conversely, consent under data protection regulation is not sufficient to constitute ethical consent. 

Data protection advice for your informed participant consent

If you as a researcher apply for research ethics approval from AU's Research Ethics Committee, it is important to be aware that research ethics and data protection (GDPR) are two different 'sets of rules', each with its own purpose and requirements. They often overlap, but there are important differences.

This guide concerns the material you prepare in the context of research ethics. Your information material and your consent form are important for both the communication of the research ethics requirements and the processing of personal data.

Here are some key points of attention and some advice on what to consider:

Purpose

You must describe the purpose in both areas. There may be a difference in the scope of the purpose descriptions, as the research ethics part assessed by the Research Ethics Committee does not necessarily concern the entire research project.

Good advice:

  • You should be aware that it may be necessary to prepare two descriptions of purposes – one covering the research ethics aspect (the purpose of the study) and one for the fulfilment of the information duty under data protection law (the purpose of processing personal data).
  • If more descriptions are needed, clearly indicate which of the two is involved.

Example of wording:

"1. Purpose of the investigation

The survey aims to [...]

2. Purpose of the processing of personal data

When you participate in the survey, it means that we process personal data about you in the study itself and for the research project of which the survey is a part. You can read more about how we process your personal data [...]"

Duration

In some cases, for reasons of research ethics, you will need to inform participants about how long their data will be processed. Please note that you must always provide this information in relation to the processing of personal data.

Good advice:

  • Remember that the end of a study or research project does not necessarily constitute the time when you stop processing personal data, e.g. because you must store it in accordance with the rules on responsible conduct of research (The Danish Code of Conduct for Integrity in Research).
  • If you specify a fixed end date, you must (in the context of data protection law) stop processing on that date – even if research data must be stored subsequently. Therefore, consider whether you can express yourself in a different way.

Example of flexible wording:

"We process your data for as long as it is necessary to achieve the research purpose, communicate results and document the correctness of the research."

Sharing data

For reasons of both research ethics and data protection law, you will be required to provide information if you are going to share data with others.

Good advice:

  • Avoid writing that data is never shared unless you are absolutely sure.
  • The need for sharing may arise later – e.g. when changing jobs, collaborating or publishing.

Example of a more flexible wording:

"Your data will only be shared with parties other than researchers at Aarhus University if necessary, e.g. through collaboration with external parties or by publication."

Anonymity

Many researchers promise "anonymity", but this can be misleading. Anonymity means that participants cannot be identified – either directly or indirectly. Often, it is instead a case of pseudonymization, where data can be traced back to the person via a key, e.g. in cases where you store a link key between name and ID.

Good advice:

  • Do not use words such as anonymous, anonymized or similar.
  • If you still want to use such terms, be precise in your description. Ask yourself: Is the information really anonymous, or is it pseudonymous?
  • Instead, consider describing how you will ensure confidentiality.

Example of a wording:

"Aarhus University processes your information confidentially. We do this, among other things, by removing information that can be directly used to identify you."

Revocation of participant consent

In research projects where informed consent is obtained from participants, it is important to be aware that the withdrawal of consent has different consequences depending on whether you look at it from a research ethics or a data protection law perspective.

In terms of research ethics, participants have the right to withdraw their consent and withdraw from the study, but such withdrawal does not necessarily mean that the personal data cannot continue to be processed.

Good advice:

  • Remember that there is a difference between research ethics and data protection law.
  • Be clear in the information material about what it means to withdraw consent, including which consent is being withdrawn if you also process personal data on the basis of consent.
  • If this is the case, explain that data that has already been included in analyses or publications cannot be removed.

Remember

You must comply with both research ethics requirements and data protection rules if you apply for approval and at the same time process personal data. 

Can I combine research ethical consent and consent under data protection regulation?

If you need both ethical (informed) consent and consent under data protection regulation, it is generally a good idea to obtain them at the same time. The reason is that, when consent under data protection regulation is used as the basis for processing, participation in the research project will be intertwined with the processing of personal data.

Example:

A participant chooses to give their consent to participate, but they do not want you to process their personal data. 

As a researcher, you will need to inform the person that participation is not possible as processing their personal data is necessary to the study.


Consent and scientific research purposes

How can I as a researcher combine ethical consent to participate with processing of personal data on the basis of the scientific research purposes provision?

Since ethical (informed) consent is not consent under data protection regulation and therefore does not constitute a legal basis for processing personal data, you will instead need to obtain research ethical consent and process personal data on the basis of scientific research purposes.

Example

A researcher who conducts a series of empirical studies in the form of interviews as part of a research project wants to obtain research ethical approval in order to comply with the requirements of a research framework programme.

The researcher has assessed that the scientific research purpose is the most appropriate basis for processing personal data. The researcher therefore prepares a document that includes research ethical consent and the information duty under data protection regulation. The document states that, if the study participant wants to participate, their personal data will be processed on the basis of scientific research purposes. The consent and the information duty can be included in the same document.


Approvals

What approvals do I need/can I get?

Research ethics


Research ethical approval is used to assess whether the proposed study is ethically sound. There may be various reasons why you want/need to obtain ethical approval for a study in your research project.

Research projects are increasingly experiencing external requirements to obtain research ethical approval from the institution they belong to. The requirements stem mainly from funders, international journals and the EU’s framework programmes.

You will not always need or be able to obtain research ethical approval. You can use the decision tree to determine whether you can obtain research ethical approval. 

Data protection


As a general rule, you do not need approval to conduct research using personal data. However, there are a few situations that will require you to apply for approval to process personal data: 

  1. If you need to disclose personal data covered by one of the three authorisation requirements from the Danish Data Protection Agency. On this page, you can see if this applies to you. 
  2. If you process personal data covered by special rules that stipulate you must obtain authorisation, for example if you want to use personal data from a patient record. 
  3. If your department has internal rules that stipulate your research must receive prior approval.

Although you will not often need authorisation to use personal data in your research, remember that you must register research that processes personal data with AU records