Guidance on the Deposition of Sensitive Digital Data

Summary

Written consent:

The Archaeology Data Service (ADS) will accept personal, confidential and sensitive personal data for deposit and immediate dissemination either when it is anonymised and/or when it is accompanied with written consent.

Data Embargos: In some scenarios the depositor, realising the long term value of sensitive data, may wish to embargo its public release for a period of time. This may mean that an anonymised version of the data is made immediately available, but the release of the original version is embargoed for a period of time. The ADS will accept the deposit of such data only where the conditions associated with the embargo are agreed at the time of deposit.

ADS deposit licence: This set of guidance does not alter the terms of the ADS deposit licence.

N.B. All data deposited with the ADS is held on servers at institutions based in the UK.

Sensitive Data in Archaeology

Archaeological archives may sometimes include sensitive or confidential data which relates to identifiable individuals, but which may also provide valuable historiographical or contextual information of importance for an understanding of the context of data collection and, more broadly, for the history of Archaeology. The ADS wishes to preserve such data, and to make it available for research, learning and teaching. At the same time it recognises that this may raise issues of confidentiality and privacy covered by institutional ethics policies and possibly within the scope of the Data Protection Act 1998 and other legislation.

When research involves obtaining data from people it will usually require obtaining informed consent for people to participate in research and for use of the information collected. It is essential that consent also takes into account long-term use of data, such as preserving and sharing data via organisations such as the ADS. Without consent, opportunities for sharing data with other researchers can be jeopardised.

Within archaeology confidential sensitive and personal (digital) data may include:

  • Oral history and personal interviews, either transcripts or audio recordings;
  • Financial data especially where costs can be attributed to an individual;
  • Records pertaining to staff i.e. performance reviews, records of interviews and job applications and other personnel data;
  • Personal correspondence, including emails;
  • Aspects of excavation 'site diaries' where individual archaeologists may be identified;
  • Skeletal or other burial data which can be linked to named individuals.

What do we mean by 'personal, confidential and sensitive personal data'?

At times data may hold sensitive or confidential information. This does not mean that all data containing information about individuals are confidential.

Personal data are defined in the Data Protection Act 1998 as data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (e.g. researcher). This includes any expression of opinion about the individual.

Confidential data are data that:

  • can be connected to the person providing them or that could lead to the identification of a person referred to (names, addresses, occupation, photographs)
  • are given in confidence, or data agreed to be kept confidential between two parties, that are not in the public domain
  • are conditioned by factors such as ethical guidelines, legal requirements or research-specific consent agreements

Sensitive personal data are defined in the Data Protection Act 1998 as data that may incriminate a participant or third party, such as a person's race, ethnic origin, political opinion, religious beliefs, trade union membership, physical or mental health, sexual orientation, criminal proceedings or convictions.

Financial or staffing data relating to living individuals therefore generally fall within the terms of the Data Protection Act and provision for deposition and archiving would require anonymisation or consent procedures (see below). However, it is also necessary for the depositor to consider the research re-use potential of such data and whether it should be removed from data prior to deposit with the archive.

The ADS does not regard simple references to named individuals in site notebooks, or their appearance in site photographs as sensitive personal data and deposit of such data is encouraged. Similarly, email correspondence between named individuals concerning the establishment or operation of a research or fieldwork project is not regarded as sensitive, unless it contains financial or other personal information which can be linked to named individuals.

Survey and interview projects

Strategies for dealing with confidentiality depend upon the nature of the research, but are essentially informed by a researcher's ethical obligations towards participants and society and by legislation.

Legislation that may impact on the sharing of confidential data include:

  • Duty of confidentiality
  • Data Protection Act 1998
  • Freedom of Information Act 2000
  • Human Rights Act 1998
  • Statistics and Registration Services Act 2007 (primarily for governmental data)
  • Environmental Information Regulations 2004

Sensitive and confidential data can be shared ethically if researchers pay attention, from the planning stages of research, to three important aspects:

  • when gaining informed consent, include consent for data sharing
  • where needed, protect people's identities by anonymising data
  • consider access restrictions to data

These measures should be considered jointly and never in isolation. The same measures form part of good research practice and data management, even if data sharing is not envisioned.

Informed consent and data sharing

It is essential that gaining consent takes into account any future uses of data, such as the sharing, preservation and long-term use of research data.

Researchers should:

  • inform participants how research data will be stored, preserved and used in the long-term
  • inform participants how confidentiality will be maintained e.g. by anonymising data
  • obtain informed consent (written or verbal) for data sharing (see Appendix 1 for information about the type of things that should be covered when obtaining informed consent).

To ensure that consent is informed, consent must be freely given with sufficient information provided on all aspects of participation and data use. There must be active communication between the parties. Consent should not be inferred from a non-response to a communication such as a letter.

Written or verbal consent?

Whether informed consent is obtained in writing through a detailed consent form, by means of an informative statement, or verbally, depends on the nature of the research, the kind of data gathered, the data format and how the data will be used.

  • For detailed interviews or research where personal, sensitive or confidential data are gathered, the use of written consent forms is recommended to assure compliance with the Data Protection Act and with ethical requirements. Written consent documentation typically includes an information sheet and consent form signed by the participant (see Appendices 1 and 2).
  • For surveys or informal interviews, where no personal data are gathered or personal identifiers are removed from the data, obtaining written consent may not be required. At a minimum an information sheet should be provided to participants detailing the nature and scope of the study, the identity of the researcher(s) and what will happen to the data collected (including any data sharing).
  • If data are collected verbally through audio or video recordings, verbal consent agreements can be recorded together with the data.
  • For audio-visual data where the identity of people may be disclosed from the data, it may be important that informed consent is obtained to use the data unaltered for research purposes, sharing and preservation. Voice alteration or image blurring are usually labour and cost intensive and decrease the research potential of data.
  • For the deposit of images of children under the age of 16, consent for these images to be disseminated on line must be obtained from a parent or guardian.

Research Ethics Committees and data sharing

There is a potential tension between data sharing and data protection. Data archives work to increase availability of, and access to, research data, while the primary purpose of Research Ethics Committees (RECs) is to ensure ethical conduct in research and to protect the safety, rights and well being of research participants. The need to protect personal data and preserve confidentiality - where explicitly required - cannot be overstated. This does not mean, however, that all research data obtained from research with people should be kept confidential, cannot be shared or, worse even, are destroyed. It is important to distinguish between personal or sensitive data collected in research, and research data in general. Personal data should not be disclosed, unless consent has been given for disclosure. Identifiable information may be excluded from data sharing. A REC should, however, not object to the sharing of research data in general. If research data contain sensitive or confidential information, then the sharing of such data must be considered carefully, but should not be dismissed as being impossible.

One-off or process consent?

Discussing and obtaining consent for:

  • participation in research
  • the use of the information gathered for analyses, publications and outputs
  • data sharing beyond the research can be a one-off occurrence or an ongoing process.

One-off consent is simple, practical, avoids repeated requests to participants, and meets the formal requirements of most Research Ethics Committees. However, it may place too much emphasis on 'ticking boxes'. If consent is considered throughout the research process, it assures active informed consent from participants. Thus, consent for participation in research, for data use and for data sharing can be considered at different stages of the research, giving participants a clearer view of what participating in the research involves and what the data to be shared consist of. It may, however, be too repetitive and annoying for some participants.

Sensitive data and human remains

The Data Protection Act also defines personal data as data relating to living individuals. Therefore archives containing medical information about deceased individuals are not covered by the scope of the Act. Nonetheless, the excavation of human remains is subject to both legal and ethical considerations. Under English law a Ministry of Justice licence is required prior to the disinterment of any human remains, as well as a statutory Church Faculty covering works within churches in use and the reinterment in consecrated ground of any human remains which are disturbed. The ethics of disturbing human remains, whether accidentally or by design, is an essential issue for the archaeologist to tackle. One must consider not only the attitudes of contemporary society, but those of the relatives of the deceased and those of the excavators themselves. It is inappropriate for the archaeologist to treat human remains simply as 'artefacts', regardless of her or his own views. The inherent difficulty of fully empathising with everyone else's ideas and beliefs (in the past and the present) makes it necessary that a balanced respectful attitude is taken to the treatment of human remains. The terms of the Home Office licence dictate that the removal should be conducted "with due care and attention to decency". This same criterion should be extended to decisions about publication, archive and online dissemination of information (for example images of coffin plates) pertaining to human remains, especially where such data can be linked to named individuals.

Embargo Periods

When dealing with the archiving of digital data it is important that the data is archived (accessioned and ingested) at the point of deposit. This is to ensure that the data is in the correct format and accompanied by the appropriate documentation to ensure long term preservation and sustainability. This does not mean that the data would be automatically accessible to the public. It may be deemed appropriate to establish an embargo period during which the data will be secured in an archive, but not accessible to the public. The length of the agreed embargo period will depend on the sensitivities involved. For example ongoing research activities may require an embargo being imposed on early results, and embargo periods for relatively short periods of time can be arranged at the point of data deposit. ADS will normally agree to embargo periods of up to 2 years for research purposes, or up to 5 years to maximize commercial exploitation of print publications. But in some cases the sensitivity associated with the data may pertain to personal data; in such cases embargoes of up to 70 years can be arranged, but each case will be assessed against the ‘exemptions from disclosure’ set out under the terms of the Freedom of Information Act 2000.

An example of the embargo agreement can be found at Appendix 3.

Acknowledgements

This guidance is based on 'Managing and Sharing Data: a best practice guide for researchers' by the UK Data Archive, University of Essex 2009. Thanks to the UKDA for permission to re-use their guidance.

Further information

G Duncan and L Stokes (2009) 'Data masking for disclosure limitation' in Wiley Interdisciplinary Reviews: Computational Statistics, Volume 1, No. 1, p83-92 at http://dx.doi.org/10.1002/wics.3 .

UK Data Archive (2009) 'Managing and Sharing Data: a best practice guide for researchers', University of Essex.

Appendix 1

Notes based on information at http://www.brookes.ac.uk/res/ethics/consent viewed 01/01/2009.

Guidelines for informed consent

Potential recruits to your research must be given sufficient information to allow them to decide whether or not they want to take part.

Participation Information Sheet

Where research involves face to face interviews, focus groups, direct observation or similar methods of data collection, participants should normally be given an information sheet (or leaflet) and asked to sign a consent form. Details of what should normally be included in each are given below. An information sheet should be written in simple, non-technical terms and be easily understood by a lay person. While it is always important to ensure that adequate information is given, the way in which the information is presented will need to be adapted to the individual circumstances of the study.

Similarly, clear evidence must be obtained that the participant has given informed consent to take part in the study. This will normally be in the form of a signed consent form, example at Appendix 2, although other evidence may be acceptable (for example by audio recording consent).

Where participants are asked to complete and return a questionnaire, the questionnaire should be accompanied by a covering letter but no consent form is needed: consent is implied by returning the questionnaire. The covering letter, however, should include the information given below.

The information sheet, covering letter or leaflet should be printed on headed paper (where appropriate) with full contact details and should normally contain the following information:

Study title

The title should be simple and self-explanatory to a lay person.

Invitation paragraph

This should explain that the individual is being asked to take part in a research study. The following is an example of how this may be phrased:

'You are being invited to take part in a research study. Before you decide whether or not to take part, it is important for you to understand why the research is being done and what it will involve. Please take time to read the following information carefully'.

What is the purpose of the study?

The background and the aim of the study should be given here. You should say how long the study will run and outline the overall design of the study.

Why have I been invited to participate? You should explain how the individual was chosen to take part in the study and how many other people will be asked to participate.

Do I have to take part?

You should explain that taking part in the research is entirely voluntary. For example, you could say:

'It is up to you to decide whether or not to take part. If you do decide to take part you will be given this information sheet to keep and be asked to sign a consent form. If you decide to take part you are still free to withdraw at any time and without giving a reason'.

If your study involves the recruitment of students or pupils you must explain that by choosing to either take part or not take part in the study will have no impact on their marks, assessments or future studies.

What will happen to me if I take part?

You should explain your methods of data collection, including what the individual will be asked to do and how much time will be involved.

What are the possible disadvantages and risks of taking part? (where appropriate)

You should describe any disadvantages or 'costs' involved in taking part in the study, including the time involved.

What are the possible benefits of taking part?

You should outline any direct benefits for the individual and any other beneficial outcomes of the study, including furthering our understanding of the topic.

Will what I say in this study be kept confidential?

You should explain that all information collected about the individual will be kept strictly confidential (subject to legal limitations) and describe how confidentiality, privacy and anonymity will be ensured in the collection, storage and publication of research material. Data generated by the study must be retained in accordance with the University's policy on Academic Integrity.

If it is a condition of your research funding that the research data must be shared and stored in a repository, you must explain how the data will be stored (for example with the ADS) and explain it will be anonymised.

What should I do if I want to take part?

Explain exactly how the participant should 'opt in' for the study.

What will happen to the results of the research study?

You should tell the individual what will happen to the results of the research. Will they be used in your dissertation or thesis? For what degree? Will they be published? How can they obtain a copy of the published research?

Who is organising and funding the research?

You should explain that you are conducting the research as a student or member of staff at ****** University. Give your department name as well as the school name. You should also state the organization that is funding the research (e.g. EH, AHRC, Tesco, etc) if appropriate.

Who has reviewed the study?

You may state that the research has been approved by the University Research Ethics Committee, ******* University.

Contact for Further Information

You should give the individual a contact point for further information. This can be your name or that of your supervisor. You should add that if they have any concerns about the way in which the study has been conducted, they should contact the Chair of the University Research Ethics Committee.

Thank you

Remember to thank the individual for taking time to read the information sheet.

Date

The information sheet should be dated.

Appendix 2

Example of a completed consent form: Download as a PDF file .

Save Resource


Please login or register a myADS account to use this feature.

Share This Page


Please login or register a myADS account to use this feature.

Newsfeeds

Help