When you are starting a new research project, you will need to consider a number of issues relating to research data management and sharing. These issues are relevant whether your research is funded by an external sponsor or not.
Writing a Data Management Plan is an important first step when you are still in the pre-project stage. Note that:
You can use our templates to write your plan:
Or you can create an account at DMP Online and use it to write your plan.
Our checklist provides a useful summary of the key elements of a Data Management Plan.
Who should plan?
According to the University’s research data management policy a Data Management Plan is compulsory for all research that is conducted at the University. Many research funders, including all UK Research Councils and the European Commission, have research data policies that specify their expectation of how grant holders will manage, preserve and share their data.
Your data management plan is a living document that will change and grow as your research projects progresses. Your initial plan could be very concise.
Why should I plan?
Some of the benefits of planning the management and sharing of your research data as early as possible include that it helps you to
You plan for the entire life of your research data, especially
What should I plan?
A typical research data management plan provides information on (a selection of) the following topics, depending on the funder’s requirements or your specific needs
The Digital Curation Centre has produced an extensive Checklist for a Data Management Plan with all topics that a data management plan could (but not necessarily should) contain.
If you are developing software, then writing a Software Management Plan may be an option to ensure your software is accessible and reusable in the short, medium and long term. A template for a Software Management Plan has been developed by the Software Sustainability Institute.
The general advice for DMPs (given in this video by Peter Dukes of the MRC) is to keep it ‘specific’ as well as ‘simple and short’. For most projects a statement of up to 2 pages is generally sufficient.
If you are using DMPOnline to write your plan, the tool will indicate when you have reached a length that is generally considered to be sufficient for a DMP that is part of a funding application.
If you are applying for UKRI funding the University of Bristol has detailed guidance for each of the seven UKRI (formerly RCUK) funding agencies.
To complete your data management plan you will need to add details of data security measures you are taking and provide links to key policies. For a full list of answers to the questions and policy links see UKRI-data-security-questions
Using a template to write your plan
The templates ask questions which relate to the areas your plan should cover, and give guidance on how to answer the questions.
Generic template for staff projects
Template for research degree plans
If your project is funded, check with the funder about their DMP requirements, including whether they provide a specific form for the DMP
Using DMP Online to write your plan
The Digital Curation Centre has developed an online data management planning tool, DMPOnline. DMPOnline contains
How to get started
If you have never used DMPOnline before, you should first create an account.
How to create a new plan
How to share your plan with others
Once finished, you can share your plan with others, and download (‘export’) it as a pdf or Word document (docx).
You are asked to attach your Data Management Plan to your ethics application. Your plan will be used to identify the support you require, and to make sure that sufficient storage and archival space will be available when you need it.
Examples of data management plans
Informative videos from MRC
The Act became law on May 25th 2018 and governs the processing or using of personal data. Under the law data processing must be lawful, fair and transparent. To ensure fairness, research participants' rights must be protected. This involves ensuring that any data they provide is used in line with the information they have been given about a particular study. In this way transparency about how their data is used is linked to meeting the fairness criterion.
Under the Act researchers may either be
1. a data controller: "determines the purposes and means of processing personal data."or
2. a data processor: "responsible for processing personal data on behalf of a controller."
An important distinction as processors are legally liable if data breaches occur and are required to maintain records of detailing how personal data is processed.
Researchers are likely to fulfill both data controller and data processor roles at different stages of a research process. For example, a funder poses a research question/topic area and provides a budget for the study and a university research team is contracted to address the question. The funder is asking the research team to process data on the funder's behalf. The university team however, decides on what to collect, how to do it, how to analyse and how to present the data. This makes the University team Data Controllers in their own right even although the funder retains overall control of the data as they commissioned it and can determine how they ultimately use the final data report.
This may not always be the case in contract research and role clarification may be necessary. Advice is available from the Data Protection Officer.
UK Research and Innovation - formerly RCUK
UK Research and Innovation (UKRI), formerly Research Councils UK, have agreed a set of Common Principles on Data Policy.
They are based on the idea that publicly funded research data should be considered ‘a public good, produced in the public interest, which should be made openly available with as few restrictions as possible in a timely and responsible manner that does not harm intellectual property’.
The policy can be summarised as follows.
All UKRI funders require a Data Management Plan when you apply for funding, and most have issued their own requirements for research data management and Data Management Plans. You will find ‘at a glance’ summaries of these requirements on the Digital Curation Centre’s overview of funders’ data policies. The University of Bristol has useful guides for writing Data Management Plans for each of the seven UKRI funding agencies.
You will need to add details of data security measures to your UKRI data management plan. For details see UKRI data security questions .
The policies required for the UKRI plans are:
Data Management Policy & Procedures
Institutional Information Policy
Use this table to find out about requirements for data archiving and data sharing, as well as links to guidance from the funding agencies, and other useful guides.
|Funder||Guidance and policies||Other guides|
|Rubric for AHRC Data Management Plans (Donaldson and Higman)
University of Bristol guidance
Data Management Planning for AHRC applicants (University of St Andrews)
|BBSRC||data sharing policy (this includes guidance for data management plans), and funding guide||University of Bristol guidance
|EPSRC||EPSRC Policy Framework on Research Data||University of Bristol guidance
|ESRC||research data policy, guide for UK Data Service guidance , and guidance for peer reviewers on data management plans||University of Bristol guidance
Two example plans (University of Leeds)
Fictional example plan (University of York)
|MRC||MRC data sharing policy||University of Bristol guidance
|NERC||guidance on data management planning, and their data policy||University of Bristol guidance
|STCF||guidance on writing a Data Management Plan, and their scientific data policy||University of Bristol guidance
Horizon Europe builds on the H2020 Open Research Data Pilot.
Data must be deposited in a suitable repository. For all projects open research data will be the default option. If there are legitimate reasons not to share data, it will be possible to opt out of the open research data requirement, which should be argued in your data management plan. Legitimate reasons include, but are not limited to:
Projects that will not generate or collect research data are also exempted, as are those for which sharing data would jeopardise the outcome of the project. It is also accepted that where regenerating the data at a later date would be cheaper than archiving it then it is not worth the effort to deposit it in a repository.
|Funder||Guidance and policies||Other guides|
|CRUK||data sharing guidelines (including guidelines for a data management and sharing plan) and policy on data sharing and preservation||Data sharing FAQs (CRUK)
|NC3Rs||NC3Rs (National Centre for the Replacement, Refinement and Reduction of Animals in Research) have adopted the UKRI guidance for open publishing and data sharing plus additional MRC terms and conditions – Grant holder Information||
|NIHR||Since 2014, the National Institute for Health Research has a policy on open Access. They also have a policy on data management and sharing|
|Wellcome Trust||Guidance for researchers on developing a data management and sharing plan||
Data sharing (Wellcome Trust)
The SHERPA / JULIET database provides current and comprehensive information about the data archiving and data sharing requirements of all research funders. The database is maintained by the University of Nottingham.
Ethics and approval and consent
If you are working with human participants, the consent that you seek will determine
Personal, confidential and sensitive data may not be shared unless informed consent has been obtained from the participants; sharing those data usually has to happen in anonymised form. It is therefore important to consider ethics in your data management plan.
It is essential that you seek consent from human participants that allows the data to be shared and re-used at the end of the project via participant consent forms. There is usually no ethical or legal reason to destroy research data at the end of a project — except in the case of personal and sensitive personal data as outlined below under keeping personal data — and there is therefore usually no need to promise destruction of data unless your research funder or sponsor requires you to do so.
It may also be that your participants are less reluctant over data sharing than you might think. Explain to your participants the benefits of sharing their data with the research community, highlighting possible restrictions to re-use via licences (which may include not breaching confidentiality, no further sharing of data with other people, and no re-use for commercial purposes). Make it clear that it is entirely their decision, whereby they can decide whether their data can be shared, independent of them participating in the research.
Ethical consent should follow University policies and procedures
Under the GDPR legislation, when gaining individual consent from participants for gathering your data you will now need to include a Privacy Notice with your ethical consent material. See GDPR Guidelines for Researchers document below for further information.
The UK Data Service has guidance on consent, confidentiality and ethics.
The General Data Protection Regulation (GDPR) provides a framework to ensure that personal and sensitive personal data is handled responsibly and with regard to the rights of individuals. It also gives individuals the right to know what information is held about them and how it is used.
All researchers must adhere to the requirements of the GDPR when they collect, manage, keep and share their research data. The GDPR applies to all personal and sensitive personal data. Personal data is data that relates to living individuals who can be identified from that data. Sensitive personal data includes information about racial or ethnic origin, physical or mental health or condition, political opinions, religious belief, sexual life and information about offences, alleged offences and any related court proceedings. The General Data Protection Regulation does not apply to general, non-personal research data, and it also does not apply once personal data has been anonymised or to data about the deceased. However the GDPR still applies to pseudonymised data. Further guidance on anonymisation and psuedonymisation is available from the ICO Anonymisation code of practice
Keeping personal data
The GDPR states that personal and sensitive personal data ‘processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. However, there is an exemption if the data is used for research as long as it satisfies two conditions
The exemption therefore allows personal and sensitive personal data to be kept indefinitely for research purposes.
However, the 7th data protection principle (which relates to security) and the 1st data protection principle (which requires that data is only processed where it is necessary for a legitimate purpose) still apply. Researchers should, therefore, retain primary data which consists of or includes personal and sensitive personal data in line with the retention periods specified in the University’s records retention schedule and review the data at the end of the retention period; researchers may consider extensions on a case by case basis depending on the ongoing value to the University and the wider research community. Where the research is governed by a legal contract, the retention period specified in the contract overrides the records retention schedule.
Where possible, personal and sensitive personal data should be modified as early as possible in the processing of data so as to safeguard data against accidental or mischievous disclosure. For some research projects there is no need to associate data with the data subjects and the data can be collected anonymously. In other cases, it may be possible to anonymise the data at a later stage of the project. For more information on anonymisation see
The right of subject access
The GDPR gives data subjects a right to obtain copies of all their personal and sensitive personal data that a data controller holds (the right of subject access). The GDPR recognises, however, that this may be difficult for researchers, so there is an exemption from the right of subject access where
Provided these conditions are met, researchers are not required to provide personal data from research files in response to a subject access request.
The copyright of your data, or parts of your data, may be owned by various parties: Sheffield Hallam University, academic collaborators, commercial partners, your interviewees and (if you are using existing datasets) data providers. Establishing ownership early on in your project will be useful later on if questions arise about what can be done with a particular piece of data and by whom. This is particularly important when you want to archive and share your data.
Generally, all outcomes of research work carried out by University employees are owned by the University and not by the individual or individuals who created these outcomes. If you are re-using existing data sources, it is important to check under which conditions you can use these data. If you are planning on sharing (large extracts from) interviews, it is advisable to ask your interviewees for transfer of their copyright (a signed form) or a license to use the data obtained through the interviews, as the possibility exists that the interviewee may at some point wish to assert the right over their words.
The UK Data Service provides a useful copyright overview.
For single-institution projects ownership initially lies with the University but may utlimately lie with your funder or sponsor. In multi-partner projects, you should outline which partner owns what intellectual property and what rights the other partners have to use it, which may depend on your funder’s or sponsor’s terms. This should have been set out in your collaboration agreement. If you are using secondary data (ie data produced by somebody else) then please give an idea of the licensing restrictions that apply. Please refer to the University’s Intellectual Property Policy (staff).
For research students, the copyright in the thesis submitted for examination remains with the candidate, but all other Intellectual Property rights lie with the University and/or the funder of the research project — including those over the research data produced for the thesis. See the Regulations for the Awards of the University’s degrees of Master of Philosophy and Doctor of Philosophy (pdf), the Student Intellectual Property Policy, and the Student Terms and conditions
Commercially sensitive information
It may be that your data is commercially sensitive, for example when you are seeking patent or a third party has a legitimate interest. In this case, data sharing may be restricted — you may foe example consider making your data available to others subject to a suitable legally enforceable non-disclosure agreement.
Nonetheless, it is always advisable to make sure your published findings can be validated by others, especially when you are working with public funding. The EPSRC, for example, states that
Research organisations and researchers have a responsibility to ensure that publicly funded research involving third parties is planned and executed in such a way that published findings can be scrutinised and if necessary validated by others. […] Third parties who collaborate in publicly funded research should be made aware of the importance of ensuring that published findings can be validated by others.
SHU has achieved the Cyber Essentials certification and there are specific areas with more stringent controls (e.g. IG Toolkit - NHS contracts) and we align with ISO 27001 standards. As well as additional contractual controls implemented by CRESR, CEDARE, CENTRIC & C3RI GDPR has also been a driving factor in the assessment and introduction of further controls for access to personally identifiable information (PII)
The main risk to data security is unauthorised access to PII and other sensitive/confidential materials whether it's from malicious actors, accidental exposure by someone within the institution, or potentially vulnerable systems.
The University operates a Security Risk Management process where all risks to the University Information Security are recorded and tracked in a dedicated and secure risk register. In addition, risk of security or data breach is recorded as a corporate risk to ensure visibility at the highest level of the University.
Risk: Unauthorised access to the data at rest (medium risk before controls)
Access to research data on Q or J must be specifically authorised by the data owner (PI?)
All users of University IT must authenticate with an individual username and password.
Workstations will lock after 10 minutes of inactivity to protect against unauthorised use.
Unauthorised equipment cannot be connected to the University network, it must use a network designed for untrusted equipment and denied access to central data stores.
Risk: Unauthorised access to data in transit (medium risk before controls)
The University Encryption Policy covers all data in transit and how it can be safely moved.
All mobile equipment that will go off campus is encrypted to FIPS-140/2.
The University provides an encrypted email service for use with confidential data.
All USB sticks issued by the University are encrypted.
Risk: Loss of data through accidental deletion or change (medium risk before controls)
Data is backed up daily and can be quickly restored if required.
Risk: Loss of data through equipment or facilities failure (low risk before controls)
Data is backed up daily and can be quickly restored.
Data is synchronously replicated to an alternate datacentre and can be accessed in the event of a major incident.
Risk: Access by malicious actor (high risk before controls)
Unified Threat Management firewall appliances on the network edge provide proactive protection from internet attacks
Firewalls on the datacentre edge provide further protection from internal users.
All UTM and firewall output is monitored for threats and action taken and recorded.
Security patching is covered by a policy. All patches are deployed within one month of release in the datacentre. Services can be withdrawn if critical patches are not deployed in a timely manner.
Datacentre networks and equipment are scanned for vulnerabilities every month and risks acted upon.
Risk: Virus or other malware (high risk before controls)
Anti-malware tools are deployed on the firewall, in the email system and on workstations.
Anti-malware tools report centrally and are monitored by the Security Team for new threats or infections.
Snapshot copies of changes are taken throughout the day in case of damage to central file-store by malware allowing a fast rollback.
If the above control measures fail the University has a robust incident management process in place. This is regularly scenario tested to make sure that it is correct and up to date and that staff are aware of their roles and tasks
Details of SHU IT policies can be found at https://eisf.shu.ac.uk
Some key policies:
Data Management Policy & Procedures
Data Security Policy
Data Sharing Policy
https://www.shu.ac.uk/research/ethics-integrity-and-practice/research-data-management-policy , https://www.shu.ac.uk/about-this-website/privacy-policy
Institutional Information Policy