Legal And Ethical Aspects Of Research Data Management
Protection Of Personal Data (GDPR)
A central issue is the protection of personal data. In the European context, the General Data Protection Regulation (GDPR) sets strict rules on how such data can be collected, stored, and reused. It applies to any data that can identify a living person directly or indirectly. Here are some common examples of personal data in research contexts:
- Audio or video recordings of interviews
- Survey responses or psychometric test results
- Medical imaging, photographs, or biological samples linked to identities
- Sociodemographic or behavioural data
- Email addresses collected for research purposes
❗ If your project involves this type of data, you are subject to GDPR requirements.
👦👧 What Should You Do If Your Project Involves Personal Data?
- Limit data collection to what is strictly necessary: Ask yourself: do I really need this information? Apply the principle of data minimisation.
- Obtain informed consent from participants: Clearly explain the purpose of the research, how long the data will be kept, the participants' rights (access, rectification, withdrawal), and how their data will be shared or published. Use a GDPR-compliant consent form.
- Anonymise or pseudonymise the data as early as possible: Remove all identifying information where feasible. If you use coded identifiers, keep the key in a separate, secure file.
- Declare the data processing activity: Contact your university or lab’s Data Protection Officer (DPO) or GDPR contact to ensure your project is registered and compliant.
- Store and transfer personal data securely: Use approved institutional servers or secure platforms. Never store personal data on unencrypted USB drives or personal cloud services like Google Drive or Dropbox.
🔎 When Are Data Anonymous And When Pseudonymous?
Anonymous data: An individual data unit (person) cannot be re-identified with reasonable effort based on the data provided or by combining the data with additional data points. Completely anonymous data do not exist, but with well-executed procedures one can achieve a result where individual persons cannot be identified with reasonable effort. Anonymisation refers to the various techniques and tools used to achieve anonymity. Anonymised data are no longer sensitive information, so their processing does not require GDPR-compliant actions.
Pseudonymous data: An individual data unit cannot be re-identified based on the pseudonymised data without additional, separate information. Pseudonymisation refers to the removal or replacement of identifiers with pseudonyms or codes, which are kept separately and protected by technical and organisational measures. The data remain pseudonymous as long as the additional identifying information exists.
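A minimal sketch of pseudonymisation with coded identifiers and a separately stored key, added here as an illustration and not taken from the original guidance. The field names (`name`, `email`, `age_band`, `answer`), the `P-` code format and the key file name are assumptions, and the sample records are constructed.

```python
import json
import os
import secrets

# Constructed sample data: one participant interviewed twice, another once.
SAMPLE = [
    {"name": "Ada Example", "email": "ada@example.org", "age_band": "30-39", "answer": 4},
    {"name": "Bob Example", "email": "bob@example.org", "age_band": "40-49", "answer": 2},
    {"name": "Ada Example", "email": "ada@example.org", "age_band": "30-39", "answer": 5},
]
DIRECT_IDENTIFIERS = ("name", "email")  # assumed column names


def pseudonymise(records, identifiers=DIRECT_IDENTIFIERS, link_on="email"):
    """Return (coded_records, key); key maps each code to the removed fields."""
    code_for = {}  # normalised link_on value -> code (repeat participants keep one code)
    key = {}       # code -> removed identifiers, i.e. the re-identification key
    coded = []
    for rec in records:
        who = rec[link_on].strip().lower()
        if who not in code_for:
            # Random code: unlike a hash of the e-mail address, it cannot be
            # recomputed by someone who guesses the address.
            code = "P-" + secrets.token_hex(4)
            while code in key:  # regenerate on the rare collision
                code = "P-" + secrets.token_hex(4)
            code_for[who] = code
            key[code] = {f: rec[f] for f in identifiers}
        row = {k: v for k, v in rec.items() if k not in identifiers}
        row["participant"] = code_for[who]
        coded.append(row)
    return coded, key


def write_key_file(path, key):
    """Write the key to its own file, readable and writable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(path, 0o600)  # also tighten a pre-existing file
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(key, fh, indent=2)


if __name__ == "__main__":
    coded, key = pseudonymise(SAMPLE)
    write_key_file("participant_key.json", key)  # store apart from the dataset
    print(json.dumps(coded, indent=2))
```

The coded records still carry indirect attributes such as `age_band`, and they remain pseudonymous rather than anonymous for as long as the key file exists.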
💡 Key takeaway: When in doubt, contact your DPO or supervisor. GDPR compliance is a shared responsibility between the researcher and their institution. Careful handling of personal data protects participants and upholds the scientific integrity of your work.
Sensitive Data And Ethically Sensitive Content
Under the GDPR, sensitive data are a specific category of personal data (Article 9).
🎎 Typical examples of sensitive data include:
- Health data: medical records, clinical measurements, diagnoses, disability status, mental health information, EEG, MRI or other physiological signals, genetic or biometric health indicators.
- Genetic and biometric data: DNA sequences, genetic variants, fingerprints, facial recognition data, voiceprints, gait or other biometric identifiers used for identification.
- Racial or ethnic origin: information explicitly or implicitly revealing ethnicity or ancestry.
- Political opinions: party affiliation, voting intentions, political activism, expressed political views.
- Religious or philosophical beliefs: religious affiliation, spiritual practices, philosophical convictions.
- Trade union membership: membership lists, participation in union activities.
- Sex life and sexual orientation: sexual behaviour, sexual orientation, gender identity, intimate relationships.
When data are fully anonymised and individuals are no longer identifiable, they no longer fall within the scope of personal data and therefore cannot be considered “sensitive data” in a legal sense. However, even non-personal data may raise ethical concerns because of their content, the context in which they were collected, or the potential consequences of their dissemination or reuse. Such concerns may arise when data relate to vulnerable populations, minority groups, controversial topics, intimate experiences, or situations that could lead to stigmatisation, discrimination, or misuse.
For this reason, ethical issues should be anticipated at the project design stage. Researchers should assess whether the data — even if anonymised — could expose individuals or groups indirectly, carry social or reputational risks, or require specific precautions in interpretation and dissemination.
Where appropriate, the research protocol may be submitted to a competent ethics committee. Depending on the nature of the project, this may include an institutional research ethics committee, a disciplinary ethics body, or, for studies involving human participants in the health domain, a Comité de Protection des Personnes (CPP). When individuals are directly involved, they must be clearly informed about the objectives of the study, the data processing methods, their rights (including withdrawal where applicable), and the conditions under which data will be anonymised, archived, or shared.
All ethical considerations and procedures should be documented in the Data Management Plan (DMP). This includes the committees consulted, the documents produced (e.g. information sheets, consent forms, confidentiality agreements), and the specific measures adopted for data storage, security, access control, and dissemination. Particular attention should also be paid to how data are described and interpreted in publications, visualisations, or repositories, in order to avoid biased representations or unintended stigmatisation of the individuals or groups concerned.
Other Regulatory Or Contractual Issues
Beyond ethical, legal or personal data protection aspects, certain research projects may be subject to other regulatory or contractual constraints that affect data management. It is important to have a clear overview of these factors in order to anticipate restrictions on dissemination, conservation obligations, or specific requirements imposed by project partners.
Some contractual documents may contain clauses relating to ownership, sharing or confidentiality of data. This is often the case in consortium agreements, which allocate responsibilities among partners in a European project, or in collaboration contracts signed with companies, NGOs or museums. Material Transfer Agreements (MTAs) may also govern the use of biological or technical samples, specifying conditions for storage, analysis or return.
Intellectual property issues must also be taken into account. Some data may be part of a valorisation strategy, such as patent filing or technology transfer, which can impose a temporary embargo on dissemination or limit access.
In other cases, obligations arise from national or international regulations. For example, archaeological, biological or genetic samples may be subject to specific conventions such as the Nagoya Protocol, or may have to be returned at the end of the project. Similarly, some institutions impose minimum data retention periods or specific deposit policies in repositories such as HAL or Recherche Data Gouv.
Finally, funders — and in particular the European Commission under Horizon Europe — may impose precise requirements: mandatory open data at the end of the project, deposit in an OpenAIRE-compatible repository, or systematic mention of the grant agreement number in metadata.
💡 This section of the DMP is the place to list all such specific constraints, whether legal, contractual, institutional or disciplinary, and to describe how they will impact the way you manage, document, share or preserve your data.