Research ethics and data protection

How can you follow ethical research principles, and store and protect data appropriately?

In conducting any kind of research, you will need to understand and follow ethical research principles. If you hold any information about staff, volunteers, donors or service users, you will also need to store and protect this data appropriately.

Here we offer some advice on how to approach research ethics and data protection in your impact practice.

What is research ethics, and why is it important?

Research ethics refers to understanding the ethical issues that come up when users are involved as participants in your research. It involves thinking about whether your plans are appropriate and acceptable. The following checklist outlines key principles you should follow, along with questions you should ask yourself. You should be able to answer ‘yes’ to each question.

Research principles & key questions

Voluntary participation

Do users taking part in your data collection understand they do not have to participate and can leave at any time?

It is important they understand that taking part, or not, will have no bearing on how they are treated or their access to services.

Informed consent

Do users taking part in the data collection understand what they are getting involved with?

Explain the purpose of the research and how the data will be used, before asking for their agreement to take part. Make sure they understand that they are free to stop participating at any time without needing to give a reason.

Do no harm

Do you approach sensitive topics appropriately?

Going over difficult or emotional subjects can trigger episodes of re-living traumatic experiences. Only well-trained researchers should be used when the subject matter is sensitive. If sensitive issues are to be discussed, prepare in advance by making sure you have up-to-date information about sources of support and advice that you can share with participants.

Protected identity

Are you protecting participants' data?

Nobody except the research team should have access to the data or be able to find out participants’ identities. It is often impossible to provide complete anonymity, as many methods require direct contact with the person conducting the research. Ensuring that responses are kept confidential – changing names to identification numbers, for example – can help you deal with this.

Where will the research take place? Will other people be within earshot? How many people are in this population group? Could their story be identifiable to others because there are only one or two people in this situation? If you believe this could happen, either choose to not carry out the research with this particular person, or agree you will not use any data that could identify them to others.


Have you taken reasonable steps to ensure the researcher remains objective?

This means staying objective and not getting involved, even if the topic is sensitive. It also means avoiding bias – see our guidance on conducting interviews and designing surveys.


Are you only collecting what you need to know?

Don’t collect any more information than you need to answer the main research question. It isn’t fair on participants to collect more of their personal data than you need, as it takes their time and effort, and puts information that is personal to them in the hands of other people.


What do GDPR and data protection policy mean for charities?

Data protection legislation – General Data Protection Regulation (GDPR) – applies to anyone with data on staff, volunteers, donors, or service users.

Electronic communication is governed by the Privacy and Electronic Communications Regulation (PECR). This covers when consent should be sought for communication such as marketing. We don’t cover PECR here but further information can be found on the ICO website.

Key actions required by GDPR are set out below:

  • As a minimum, you need to understand what personal data is being processed where, by whom, and for what purpose.
  • Collecting consent on an opt-out basis is no longer valid.
  • You must document the legal basis on which you process data, chosen from the six possible options. For charities, this is likely to be: because you have asked people if you can; because it is part of your contract to deliver a service; or because you have a ‘legitimate interest’.
  • Look at the information you give to people about how their data is processed. What you do with data should be set out in a privacy policy or a fair processing notice.
  • The most common data breaches are caused by human error. Develop or review your data protection policy and train staff in how to keep data safe. Document how you will report any data breaches.
  • People can request the data you hold about them, and you will have a month to comply with their request. Develop procedures for enabling people to access the data you hold about them and test your systems on how to retrieve data.
  • Document your processes. The ICO understands that data breaches, such as cyber hacking, can happen to big and small organisations as a consequence of the digital age we live in. It is the process you use to safeguard personal data that is of importance.

We highly recommend that you take time to read the ICO’s guidance on GDPR.
