Guidance on Managing Research Records
Why do we need to manage research records?
Records of research projects should be retained and managed in order to:
- To demonstrate that the information is accurate, authentic, credible and verifiable
- To demonstrate compliance with information legislation (e.g. Data Protection Act 1998)
- To demonstrate effective and auditable procedures and practices, ensuring compliance with the requirements of external funders and sponsors, regulatory professional bodies, internal and external auditors
- To protect individual researchers and the University from allegations of professional or research misconduct.
What are research records?
The records of a research project tend to cover four principal areas, namely the research process, research outcomes/products, research project management and the research data itself. Examples of these areas include:
Protocols, Standard Operating Procedures (SOPs), Applications for regulatory approval.
Research project management
Contracts, invoices, staff records, funding applications and budgetary information.
Questionnaires, notes, photographs, samples, databases, recordings (both audio and visual).
Who is responsible for managing research records?
While ultimate responsibility for research records lies with the Principal Investigator (PI), all staff involved in the research project must assume responsibility for ensuring the accuracy, completeness and security of research data. This includes student researchers and supervisors as well as members of staff supporting the research process.
How long should research records be kept?
Research is an often complicated and complex activity and each research project is unique. Records should only be retained for as long as is required, taking into account all administrative, operational, legislative and regulatory needs (including any stipulated by funding bodies). A records retention schedule should be established, in conjunction with the Records & Information Management Service (R&IMS), covering all project records at the commencement of the project. The schedule will provide guidance as to how long the information must be retained and whether it requires to be confidentially destroyed. Ensuring that records are retained only for the required purpose/s also assists in complying with Principle 6 of the Data Protection Act: “personal data processed for any purposes or purposes shall no be kept longer than is necessary for that purpose or purposes”. For further information on records retention, please contact R&IMS at email@example.com .
Keeping information secure
Due to the often sensitive and confidential nature of the information created and managed during research projects it is imperative that appropriate security measures are in place and that all staff are aware of the need to keep information secure. During the research project and on its completion, it is imperative that records and data are stored in a secure and appropriate environment. The selected store should be “fit for purpose” and provide adequate space, security, access control and environmental conditions. Appropriate technical procedures should be established to ensure that instances of unauthorised access, loss or misuse of data do not occur. These procedures should apply to both on and off-campus activity and especially if staff work from home. Access to all personal data should be controlled through the use of passwords, which must be changed on a regular basis (and always when a member of staff leaves the project).
Records must be kept in locked cabinets and in locked offices or storage rooms, if unattended. Access to cabinets, offices and storage rooms must be restricted to authorised personnel only.
Information should be destroyed appropriately, either using a cross-cut shredder or by using the University’s confidential waste service
- Ensure that your PC is locked whenever you are away from your desk
- Passwords should never be shared with other members of staff and should be changed on a regular basis
- Each study database should be password protected, with its own unique password and access to the password restricted to authorised personnel only
- Where identifiable data is not a requirement of the research project, then the data should be retained in an anonymised format
Data Protection Act 1998
If your research project involves live subjects, then the Data Protection Act (The Act) will apply to your project. The Data Protection Act is concerned with the processing of personal data of all living individuals.
The Act provides all individuals (data subjects) with a number of rights regarding the information that organisations hold about them and imposes a number of responsibilities and obligations upon organisations in relation to the processing of personal data. These responsibilities and obligations are enshrined in the eight Data Protection Principles.
Consent for the processing of personal data
The first data protection principle states that personal data must be processed fairly and lawfully. If you obtain informed consent from the data subject you will have satisfied the conditions of the first principle. A sample consent form is available that can be adapted.
For the processing to be deemed to be “fair”, data subjects must be made aware of the following:
- What will be done with the data
- Who will hold the data
- Who will be able to access to or receive copies of the data (if the data is to be shared with 3rd parties, this should be made explicitly clear).
Please note that in the case of processing sensitive personal data additional conditions must be met.
Sensitive personal data is defined as information relating to the data subject’s:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health/condition
- sexual life
- commission or alleged commission of any offence
- any proceedings in relation to the commission or alleged commission of any offence, the disposal of such proceedings or the sentence of any court in relation to such proceedings.
For further advice and guidance on any of the areas detailed above, please contact the R&IMS. The DP & FOI Office in conjunction with the Staff Development Service run a training course Managing Research Data and Records throughout the academic year.