Guidance on Managing Research Records
Guidance on Managing Research Records
Why do we need to manage research records?
Records of research projects should be retained and managed in order to:
- Demonstrate that the information is accurate, authentic, credible and verifiable
- Demonstrate compliance with information legislation (e.g. Data Protection Act 1998)
- Demonstrate effective and auditable procedures and practices, ensuring compliance with the requirements of external funders and sponsors, regulatory professional bodies, internal and external auditors
- Protect individual researchers and the University from allegations of professional or research misconduct
What are research records?
The records of a research project tend to cover four principal areas: the research process, research outcomes/products, research project management, and the research data itself. Examples of these areas include:
protocols, Standard Operating Procedures (SOPs), applications for regulatory approval.
Research project management
contracts, invoices, staff records, funding applications and budgetary information.
questionnaires, notes, photographs, samples, databases, recordings (both audio and visual).
Who is responsible for managing research records?
While ultimate responsibility for research records lies with the Principal Investigator (PI), all staff involved in the research project must assume responsibility for ensuring the accuracy, completeness, and security of research data. This includes student researchers and supervisors, as well as members of staff supporting the research process.
How long should research records be kept?
Records should only be retained for as long as is required, taking into account all administrative, operational, legislative and regulatory needs (including any stipulated by funding bodies). A records retention schedule should be established, in conjunction with the Records & Information Management Service (RIMS), covering all project records at the commencement of the project.
The schedule will provide guidance on how long the information must be retained, and whether it must be confidentially destroyed. Ensuring that records are retained only for the required purpose(s) also assists in compliance with Principle 5 of the Data Protection Act: "personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or purposes". For further information on records retention, please contact RIMS at firstname.lastname@example.org .
Keeping information secure
Due to the often sensitive and confidential nature of the information created and managed during research projects, it is imperative that appropriate security measures are in place and that all staff are aware of the need to keep information secure. During the research project and on its completion, records and data must be stored in a secure and appropriate environment. The selected store should be “fit for purpose” and provide adequate space, security, access control and environmental conditions. Appropriate technical procedures should be established to ensure that instances of unauthorised access, loss or misuse of data do not occur. These procedures should apply to both on and off-campus activity, especially if staff work from home. Access to all personal data should be controlled through the use of passwords, which must be changed on a regular basis (and always when a member of staff leaves the project).
Records must be kept in locked cabinets and in locked offices or storage rooms. Access to cabinets, offices, and storage rooms must be restricted to authorised personnel only.
Information should be destroyed appropriately, either using a cross-cut shredder or by using the University’s confidential waste service. Please see our A to Z entry on disposal of records for further guidance.
- Ensure that your PC is locked whenever you are away from your desk
- Passwords should never be shared with other members of staff, and should be changed on a regular basis
- Each study database should be password protected, with its own unique password and access to the password restricted to authorised personnel only
- Where identifiable data is not a requirement of the research project, the data should be retained in an anonymised format
Data Protection Act 1998
If your research project involves live subjects, then the Data Protection Act 1998 (DPA) will apply to your project. The Data Protection Act is concerned with the processing of personal data of all living individuals.
The DPA provides all individuals, or "data subjects", with a number of rights regarding the information that organisations hold about them, and imposes a number of responsibilities and obligations upon organisations in relation to the processing of personal data. These responsibilities and obligations are enshrined in the eight Data Protection Principles.
Consent for the processing of personal data
The first data protection principle states that personal data must be processed fairly and lawfully. If you obtain informed consent from the data subject, you will have satisfied the conditions of the first principle. We provide a sample consent statement, which can be adapted as required.
For the processing to be deemed "fair", data subjects must be made aware of the following:
- What will be done with the data
- Who will hold the data
- Who will have access to or receive copies of the data (if the data is to be shared with third parties, this should be made explicitly clear).
Please note that in the case of processing sensitive personal data additional conditions must be met.
Sensitive personal data is defined as any information relating to the data subjects':
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health/condition
- sexual life
- criminal offences or record
Contact the Data Protection & FOI Office for further DP or records-related questions.
JISC Legal has an extensive question and answer document which provides guidance on data protection and research records.
Our A to Z guide on research dealing with personal data also provides additional information and guidance.