The cycle of good impact practice: Research ethics and data protection

How can you follow ethical research principles, and store and protect data appropriately?

In conducting any kind of research, you will need to understand and follow ethical research principles. If you hold any information about staff, volunteers, donors or service users, you will also need to store and protect this data appropriately.

Here we offer some advice on how to approach research ethics and data protection in your impact practice.

What is research ethics, and why is it important?

Research ethics refers to understanding the ethical issues that come up when users are involved as participants in your research. It involves thinking about whether your plans are appropriate and acceptable. The following checklist outlines key principles you should follow, along with questions you should ask yourself. You should be able to answer ‘yes’ to each question.

Research principles & key questions

Voluntary participation

Do users taking part in your data collection understand they do not have to participate and can leave at any time?

It is important they understand that taking part, or not, will have no bearing on how they are treated or their access to services.

Informed consent

Do users taking part in the data collection understand what they are getting involved with?

Explain the purpose of the research and how the data will be used, before asking for their agreement to take part. Make sure they understand that they are free to stop participating at any time without needing to give a reason.

Do no harm

Do you approach sensitive topics appropriately?

Going over difficult or emotional subjects can trigger episodes of re-living traumatic experiences. Only well-trained researchers should be used when the subject matter is sensitive. If sensitive issues are to be discussed, prepare in advance by making sure you have up-to-date information about sources of support and advice that you can share with participants.

Protected identity

Are you protecting participants’ data?

Nobody except the research team should have access to the data or be able to find out participants’ identities. It is often impossible to provide complete anonymity, as many methods require direct contact with the person conducting the research. Ensuring that responses are kept confidential – changing names to identification numbers, for example – can help you deal with this.

Where will the research take place? Will other people be within earshot? How many people are in this population group? Could their story be identifiable to others because there are only one or two people in this situation? If you believe this could happen, either choose to not carry out the research with this particular person, or agree you will not use any data that could identify them to others. It’s also important to ensure that personal data is only kept for as long as necessary and securely deleted when it is no longer needed.


Have you taken reasonable steps to ensure the researcher remains objective?

This means staying objective and not getting involved, even if the topic is sensitive. It also means avoiding bias – see our guidance on conducting interviews and designing surveys.


Are you only collecting what you need to know?

Don’t collect any more information than you need to answer the main research question. It isn’t fair on participants to collect more of their personal data than you need, as it takes their time and effort, and puts information that is personal to them in the hands of other people. Only hold data for as long as necessary and securely delete data when it is no longer needed.


Download this checklist

Research ethics and principles

This checklist outlines the key research ethics principles you should follow, along with questions you should ask yourself.

Size: 43.73 KB


What does GDPR and data protection policy mean for charities?

Data protection legislation – which is officially referred to as General Data Protection Regulation (GDPR) – applies to anyone with data on staff, volunteers, donors, or service users.

Electronic communication is governed by the Privacy and Electronic Communications Regulation (PECR). This covers when consent should be sought for communication such as marketing. We don’t cover PECR here but further information can be found on the ICO website.

Key actions required by GDPR are set out below:

We highly recommend that you take time to read the ICO’s guidance on GDPR. The ICO Accountability Framework and SME Advice Hub provides practical guides for organisations.


The cycle of good impact practice defines what impact practice is and articulates a clear path to success. It follows a four-step cycle. This page is part of Plan, the first step in the cycle.

Other resources from this step in the cycle

decorative banner

This webpage has been adapted from the Inspiring Impact programme, which ran from 2011 until early 2022 and supported voluntary organisations to improve their impact practice. More information about the Inspiring Impact programme.