
Working with human participants: ethical approval and data protection

If you are planning to collect data from human participants (for example, by conducting interviews or administering surveys), or use data collected from human participants, you will need to plan well in advance to ensure that you have obtained ethical approval before starting work on your project and have given consideration to how you are going to handle the information you collect.

1. Ethical approval

Ethics review is required to ensure that the research conforms to the ethical standards expected by the Department and the University and to the code of ethical principles and standards. It is also used to assist staff and students in reflecting upon and promoting the best possible ethical research practice.

Seeking ethical approval

Undergraduate or graduate students should consult their supervisor in the first instance to identify any ethical issues that might arise from work planned on a dissertation, research paper or project.

Staff, or any other person conducting research on University premises, should seek advice from the local ethics committee or ethics contact in the Department in which the research will be carried out. In HPS the Administrator can provide advice and the Head of Department has responsibility for approving projects which have straightforward ethical issues that are easily addressed at the planning stage. In most cases, ethics approval will be granted at the Department level. However, cases that are particularly complex or sensitive, or those presenting a conflict of interest, will be referred to the School of Humanities and Social Sciences Research Ethics Committee (REC) for formal review. This can take up to three weeks (longer if revisions are required), so advance planning is crucial if you do not want the start of your project to be delayed. The School REC considers applications on a case-by-case basis, and is governed by the University's policies on research integrity and research ethics. This page provides details on the procedures for ethical review, and links to additional resources:

Research Integrity: Research Ethics

In order for the Head of Department to be able to decide whether to grant ethical approval to your project, or if there is a need to escalate the proposal to the School REC, you should complete an Ethical Approval proforma, and provide details of your research proposal, participant information sheets and consent forms:

Application for ethical approval of a research project

Please submit these materials to the HPS Administrator by email in the first instance. Do NOT send directly to the SHSS.

All ethical review will be undertaken by two members of staff. For those enrolled on the PhD, MPhil, Part III and Part II this will be conducted in the first instance by a supervisor and the Head of Department. For other researchers the review will be conducted by the sponsor and the Head of Department.

Useful information

Further information about ethics in research at the University of Cambridge can be found on the University's Research Integrity website:

Research Integrity: Research Ethics

The HSS REC draws primarily on the ESRC Framework for Research Ethics:

Economic and Social Research Council: Research Ethics

2. Data protection

Any work undertaken involving the processing of data which relates to identifiable living individuals must comply with the EU's General Data Protection Regulations 2018 (GDPR), meaning you will need to think carefully about how you are going to manage the data you collect. The Departmental Administrator is Data Protection Officer for HPS and can provide further advice.

The University retains control at all times of any personal data used by staff and students in the course of their work. The data should be stored in the Department for the agreed amount of time, and not used again by the student without written consent from the Head of Department. In practical terms, this means the data collected should be submitted as a confidential appendix to the piece of work concerned. The agreed data retention period should be marked on the front of the appendix so that the data can be deleted or destroyed when it is no longer required. If the intention is that the work should be published at a later date, then a retention period of five years is appropriate. If the work is not going to be published then that data should be destroyed after the final marks for the course have been announced. Permission must be obtained from the Head of Department before any data is disclosed to either a research subject or an external party.

Processing of personal data

Personal data is any information which identifies a living individual, either on its own or in conjunction with other information, and can be electronic or hard copy material. The GDPR 2018 covers any action performed with personal data (collecting, recording, consulting, amending, using, disclosing, deleting, etc.).

Consent must be obtained from research subjects being asked to provide personal data. The consent form should explain what information is being collected, what it will be used for, how long it will be retained, who it is likely to be shared with, and whether it is likely to be published. If the work involves sensitive personal data (ethnicity, political opinions, religion, trade union membership, physical or mental health, sexuality, criminal record) then explicit consent must be sought. The consent form should be signed by the individual to indicate their agreement.

Unless required by the nature of the research project, data should be anonymised. The use of a code or key to identify individuals may be appropriate in some scenarios but note that this does not fully anonymise the data; all identifiers need to be destroyed for data to be fully anonymised.

Where work involving personal data is undertaken in collaboration with other bodies or institutions a clear agreement needs to be in place outlining who controls the data, what data will be shared and how. The research subjects need to be made aware of these details.

Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:

  1. Processed fairly, lawfully and transparently – and only if there is a valid 'legal basis' for doing so.
  2. Processed only for specified, explicit and legitimate purposes.
  3. Adequate, relevant and limited.
  4. Accurate (and rectified if inaccurate).
  5. Not kept for longer than necessary.
  6. Processed securely – to preserve the confidentiality, integrity and availability of the personal data.

Under the Data Protection Act 1998 there were eight principles, but two of these (about the rights of data subjects and transfers of personal data outside the European Economic Area) are covered in different ways in the GDPR. Depending on the context, there are full or partial exemptions from the principles when processing personal data for specific purposes, including academic research.

Non-compliance with any of these elements could result in the University breaching the law, so proposed work involving the processing of personal data must be subject to an approval procedure with the supervisor/sponsor acting as a first line of control.

Suggested reading