5. Research ethics

What are research ethics? Why are they important?

Research ethics refers to understanding the ethical issues that come up when service users are involved as participants in your research. It involves thinking about whether your plans are appropriate and acceptable. The following checklist outlines key principles you should follow, along with questions you should ask yourself. You should be able to answer ‘yes’ to each question.

Voluntary participation: Do your service users taking part in your data collection understand they do not have to participate and can leave at any time?

Your service users must understand that taking part, or not, will have no bearing on how they are treated or on their access to services. Make sure they understand that they are free to stop participating at any time without needing to give a reason.

Informed consent: Do service users taking part in the data collection understand what they are getting involved with?

You should explain the purpose of the research and how the data will be used before asking for their agreement to take part.

Do no harm: Do you approach sensitive topics appropriately?

Going over difficult or emotional subjects can trigger episodes of re-living traumatic experiences. Only well-trained researchers should be used when the subject matter is sensitive. If sensitive issues are to be discussed, prepare in advance by making sure that you have up to date information about sources of support and advice that you can share with participants.

Protected identity: Are you protecting participants’ data?

Nobody, except the research team, should have access to the data or be able to find out about participants’ identities. It is often impossible to provide complete anonymity, as many methods require direct contact with the person conducting the research. Ensuring that responses are kept confidential, such as changing names to identification numbers, can help you deal with this.

Think about where the research will take place. Will other people be within earshot? How many people are in this population group? Could their story be identifiable to others because there are only one or two people in this situation? If you believe this could happen, then you can either choose not to carry out the research with this particular person or agree you will not use any data that could identify them to others.

Neutrality: Have you taken reasonable steps to ensure the researcher remains objective?

This means staying objective and not getting involved, even if the topic is sensitive. It also means avoiding bias. For more on this, see the Inspiring Impact guidance on conducting interviews and designing surveys.

Minimalism: Are you only collecting what you need to know?

Don’t collect any more information than you need to answer the main research question. It isn’t fair on participants to collect more of their personal data than you need, as it takes their time and effort, and puts information that is personal to them in the hands of other people.

Data protection

What does GDPR and data protection policy mean for charitable research and evaluation?

Data protection legislation—General Data Protection Regulation (GDPR)—applies to anyone with data on staff, volunteers, donors, or service users.

Key actions required by GDPR are as follows:

• As a minimum, you need to understand what personal data is being processed where, by whom, and for what purpose.
• Collecting consent on an opt-out basis is no longer valid.
• You must document the legal basis on which you process data. For charities, this is likely to be: because you have asked people if you can; because it is part of your contract to deliver a service; or because you have a legitimate interest.
• Look at the information you give to people about how their data is processed. What you do with data should be set out in a privacy policy or a fair processing notice.
• The most common data breaches are caused by human error. Develop or review your data protection policy and train staff in how to keep data safe. Document how you will report any data breaches.
• People can request the data that you hold about them, and you will have a month to comply with their request. Develop procedures for enabling people to access the data you hold about them and test your systems on how to retrieve data.
• Document your processes. The ICO understands that data breaches, such as cyber hacking, can happen to big and small organisations as a consequence of the digital age we live in. It is the process you use to safeguard personal data that is of importance.

Further information can be found on the Information Commissioner’s Office (ICO) website.