The cycle of good impact practice: Research ethics and data protection

Research principles & key questions

Voluntary participation

Do users taking part in your data collection understand they do not have to participate and can leave at any time?

It is important they understand that taking part, or not, will have no bearing on how they are treated or their access to services.

Informed consent

Do users taking part in the data collection understand what they are getting involved with?

Explain the purpose of the research and how the data will be used, before asking for their agreement to take part. Make sure they understand that they are free to stop participating at any time without needing to give a reason.

Do no harm

Do you approach sensitive topics appropriately?

Going over difficult or emotional subjects can trigger episodes of re-living traumatic experiences. Only well-trained researchers should be used when the subject matter is sensitive. If sensitive issues are to be discussed, prepare in advance by making sure you have up-to-date information about sources of support and advice that you can share with participants.

Protected identity

Are you protecting participants’ data?

Nobody except the research team should have access to the data or be able to find out participants’ identities. It is often impossible to provide complete anonymity, as many methods require direct contact with the person conducting the research. Ensuring that responses are kept confidential – changing names to identification numbers, for example – can help you deal with this.

Where will the research take place? Will other people be within earshot? How many people are in this population group? Could their story be identifiable to others because there are only one or two people in this situation? If you believe this could happen, either choose to not carry out the research with this particular person, or agree you will not use any data that could identify them to others. It’s also important to ensure that personal data is only kept for as long as necessary and securely deleted when it is no longer needed.

Neutrality

Have you taken reasonable steps to ensure the researcher remains objective?

This means staying objective and not getting involved, even if the topic is sensitive. It also means avoiding bias – see our guidance on conducting interviews and designing surveys.

Minimalism

Are you only collecting what you need to know?

Don’t collect any more information than you need to answer the main research question. It isn’t fair on participants to collect more of their personal data than you need, as it takes their time and effort, and puts information that is personal to them in the hands of other people. Only hold data for as long as necessary and securely delete data when it is no longer needed.

What does GDPR and data protection policy mean for charities?

Data protection legislation – which is officially referred to as General Data Protection Regulation (GDPR) – applies to anyone with data on staff, volunteers, donors, or service users.

Electronic communication is governed by the Privacy and Electronic Communications Regulation (PECR). This covers when consent should be sought for communication such as marketing. We don’t cover PECR here but further information can be found on the ICO website.

Key actions required by GDPR are set out below:

• As a minimum, you need to understand what personal data is being processed where, by whom, and for what purpose. More guidance from the ICO on getting started with data protection.
• Collecting consent on an opt-out basis is no longer valid. More guidance from the ICO on consent.
• You must document the legal basis on which you process data from the six possible options. For charities, this is likely to be: because you have asked people if you can; because it is part of your contract to deliver a service; or because you have a ‘legitimate interest’. More guidance from the ICO on records of processing and lawful basis .
• Look at the information you give to people about how their data is processed. What you do with data should be set out in a privacy policy or a fair processing notice. More guidance from the ICO on policies and procedures.
• Make sure you clearly explain each individuals’ rights in relation to their data – what they can ask of you and how they can raise any concerns. More guidance from the ICO on individuals’ rights.
• The most common data breaches are caused by human error. Develop or review your data protection policy and train staff in how to keep data safe. Document how you will report any data breaches. More guidance from the ICO on training and awareness.
• People can request the data you hold about them, and you will have a month to comply with their request. Develop procedures for enabling people to access the data you hold about them and test your systems on how to retrieve data. More guidance from the ICO on right of access/subject access requests and other rights.
• Document your processes. The ICO understands that data breaches, such as cyber hacking, can happen to big and small organisations as a consequence of the digital age we live in. It is the process you use to safeguard personal data that is of importance. More guidance from the ICO on records management and security.

We highly recommend that you take time to read the ICO’s guidance on GDPR. The ICO Accountability Framework and SME Advice Hub provides practical guides for organisations.

This webpage has been adapted from the Inspiring Impact programme, which ran from 2011 until early 2022 and supported voluntary organisations to improve their impact practice. More information about the Inspiring Impact programme.