skip to primary navigationskip to content

Working with human participants: ethical approval and data protection

If you are planning to collect data from human participants (for example, by conducting interviews or administering surveys), or use data collected from human participants, you will need to plan well in advance to ensure that you have obtained ethical approval before starting work on your project and have given consideration to how you are going to handle the information you collect.

1. Ethical approval

Ethics review is required to ensure that the research conforms to the ethical standards expected by the Department and the University and to the code of ethical principles and standards. It is also used to assist staff and students in reflecting upon and promoting the best possible ethical research practice.

Seeking ethical approval

Undergraduate or graduate students should consult their supervisor in the first instance to identify any ethical issues that might arise from work planned on a dissertation, research paper or project.

Staff, or any other person conducting research on University premises, should seek advice from the local ethics committee or ethics contact in the Department in which the research will be carried out. In HPS the Administrator can provide advice and the Head of Department has responsibility for approving projects which have straightforward ethical issues that are easily addressed at the planning stage. In most cases, ethics approval will be granted at the Department level. However, cases that are particularly complex or sensitive, or those presenting a conflict of interest, will be referred to the School of Humanities and Social Sciences Research Ethics Committee (REC) for formal review. This can take up to three weeks (longer if revisions are required), so advanced planning is crucial if you do not want the start of your project to be delayed. The School REC considers applications on a case-by-case basis, and is governed by the University's policies on research integrity and research ethics. This page provides details on the procedures for ethical review, and links to additional resources:

Research Integrity: Research Ethics

In order for the Head of Department to be able to decide whether to grant ethical approval to your project, or if there is a need to escalate the proposal to the School REC, you should complete an Ethical Approval proforma, and provide details of your research proposal, participant information sheets and consent forms:

Application for ethical approval of a research project

Please submit these materials to the HPS Administrator by email in the first instance. Do NOT send directly to the SHSS.

All ethical review will be undertaken by two members of staff. For those enrolled on the PhD, MPhil, Part III and Part II this will be conducted in the first instance by a supervisor and the Head of Department. For other researchers the review will be conducted by the sponsor and the Head of Department.

Useful information

Further information about ethics in research at the University of Cambridge can be found on the University's Research Integrity website:

Research Integrity: Research Ethics

The HSS REC draws primarily on the ESRC Framework for Research Ethics:

Economic and Social Research Council: Research Ethics

2. Data protection

Any work undertaken involving the processing of data which relates to identifiable living individuals must comply with the Data Protection Act 1998 (DPA), meaning you will need to think carefully about how you are going to manage the data you collect. The Departmental Administrator is Data Protection Officer for HPS and can provide further advice.

The University retains control at all times of any personal data used by staff and students in the course of their work. The data should be stored in the Department for the agreed amount of time, and not used again by the student without written consent from the Head of Department. In practical terms, this means the data collected should be submitted as a confidential appendix to the piece of work concerned. The agreed data retention period should be marked on the front of the appendix so that the data can be deleted or destroyed when it is no longer required. If the intention is that the work should be published at a later date, then a retention period of 5 years is appropriate. If the work is not going to be published then that data should be destroyed after the final marks for the course have been announced. Permission must be obtained from the Head of Department before any data is disclosed to either a research subject or an external party.

Processing of personal data

Personal data is any information which identifies a living individual, either on its own or in conjunction with other information, and can be electronic or hard copy material. The Data Protection Act 1998 (DPA) covers any action performed with personal data (collecting, recording, consulting, amending, using, disclosing, deleting etc).

Consent must be obtained from research subjects being asked to provide personal data. The consent form should explain what information is being collected, what it will be used for, how long it will be retained, who it is likely to be shared with, and whether it is likely to be published. If the work involves sensitive personal data (ethnicity, political opinions, religion, trade union membership, physical or mental health, sexuality, criminal record) then explicit consent must be sought. The consent form should be signed by the individual to indicate their agreement.

Unless required by the nature of the research project, data should be anonymised. The use of a code or key to identify individuals may be appropriate in some scenarios but note that this does not fully anonymise the data; all identifiers need to be destroyed for data to be fully anonymised.

Where work involving personal data is undertaken in collaboration with other bodies or institutions a clear agreement needs to be in place outlining who controls the data, what data will be shared and how. The research subjects need to be made aware of these details.

Eight principles of the Data Protection Act

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one specified purpose.
  3. Personal data should be used in a way that is adequate, relevant and not excessive.
  4. Personal data should be accurate and, where necessary, kept up to date.
  5. Personal data should not be kept for longer than is absolutely necessary.
  6. Personal data shall be handled according to people's rights under this act.
  7. Personal data must be kept safe and secure. Appropriate technical measures must be taken to protect the data from unauthorised or unlawful access, accidental loss or damage.
  8. Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. If a country does not provide adequate data protection this could breach UK law.

Non-compliance with any of these elements could result in the University breaching UK law, so proposed work involving the processing of personal data must be subject to an approval procedure with the supervisor/sponsor acting as a first line of control.

Suggested reading

  • Thomas, David R. and Hodges, Ian D., Designing and Managing Your Research Project: Core Skills for Social and Health Research (London: SAGE Publications, 2010).