Skip to Main Content

Library Research Support


When you are starting a new research project, you will need to consider a number of issues relating to research data management and sharing. These issues are relevant whether your research is funded by an external sponsor or not.

Writing a Data Management Plan is an important first step when you are still in the pre-project stage. Note that:

  • your Data Management Plan is a living document — you can refer to it later on in the project, and make changes to it when necessary
  • if your project is funded your plan should refer to the research data management requirements from your funders and sponsor(s)
  • your plan should take note of any legal and ethical aspects of your research data such as copyright and ethical approval

You can use our templates to write your plan:

Or you can create an account at DMP Online and use it to write your plan.

Our checklist provides a useful summary of the key elements of a Data Management Plan.

Data management plans

Who should plan?

According to the University’s research data management policy a Data Management Plan is compulsory for all research that is conducted at the University. Many research funders, including all UK Research Councils and the European Commission, have research data policies that specify their expectation of how grant holders will manage, preserve and share their data.

Your data management plan is a living document that will change and grow as your research projects progresses. Your initial plan could be very concise.

Why should I plan?

Some of the benefits of planning the management and sharing of your research data as early as possible include that it helps you to

  • identify issues and strategies early in your research project
    • Under the new GDPR legislation, when gaining individual consent from participants for gathering your data you will now need to include a Privacy Notice with your ethical consent material. See GDPR Guidelines for Researchers below for further information.
  • ensure that you have documented your compliance with institutional and funder policies and ethics approval requirements
  • make sure that your data remains useful and is stored securely during the lifetime of your project and beyond, so that you can find and understand your data when you need to use it, so that you avoid data loss or data corruption, so that there is continuity if project staff leave or new researchers join, and to avoid unnecessary duplication by re-collecting or re-working data
  • think about data sharing and reuse opportunities of your research data

You plan for the entire life of your research data, especially

What should I plan?

  • storing your data safely during your project
  • keeping it for the long-term and possibly sharing your data after your project
  • explaining it through careful documentation of your data, so that you and others can make sense of it

A typical research data management plan provides information on (a selection of) the following topics, depending on the funder’s requirements or your specific needs

  • data collection
  • documentation and metadata
  • ethics and legal compliance
  • storage and backup
  • selection and preservation
  • data sharing
  • responsibilities and resources

The Digital Curation Centre has produced an extensive Checklist for a Data Management Plan with all topics that a data management plan could (but not necessarily should) contain.

If you are developing software, then writing a Software Management Plan may be an option to ensure your software is accessible and reusable in the short, medium and long term. A template for a Software Management Plan has been developed by the Software Sustainability Institute.

General advice

The general advice for DMPs (given in this video by Peter Dukes of the MRC) is to keep it ‘specific’ as well as ‘simple and short’.  For most projects a statement of up to 2 pages is generally sufficient.

If you are using DMPOnline to write your plan, the tool will indicate when you have reached a length that is generally considered to be sufficient for a DMP that is part of a funding application.

UKRI applications

If you are applying for UKRI funding the University of Bristol has detailed guidance for each of the seven UKRI (formerly RCUK) funding agencies.

To complete your data management plan you will need to add details of data security measures you are taking and provide links to key policies. For a full list of answers to the questions and policy links see UKRI-data-security-questions

Using a template to write your plan

The templates ask questions which relate to the areas your plan should cover, and give guidance on how to answer the questions.

Generic template for staff projects

Template for research degree plans

If your project is funded, check with the funder about their DMP requirements, including whether they provide a specific form for the DMP

Using DMP Online to write your plan

The Digital Curation Centre has developed an online data management planning tool, DMPOnline. DMPOnline contains

  • templates for each major research funder that requires a data management plan as part of a funding application
  • a generic SHU template for all other research conducted at Sheffield Hallam University
  • a generic SHU template for research students
  • SHU specific guidance that will help you to fill out the form
  • suggested answers for certain questions for you to copy and paste
  • example answers taken from previous data management plans written by SHU researchers

How to get started

If you have never used DMPOnline before, you should first create an account. 

  • Go to
  • Sign up. You will be asked to fill out a short form to create your DMPOnline account. This includes your email address and any password
  • You will be sent a confirmation email with a link that you will have to click in order to activate your account

How to create a new plan

  • Go to and sign in
  • Click on ‘Create plan’
  • Give your plan a title
  • Select your funder or tick the ‘No funder associated with this plan or my funder is not listed’ box
  • If you have ticked the ‘No funder…’ box, select the template from the list offered: SHU template or SHU doctoral template as appropriate.
    • if you have entered a funder, DMP Online should provide you with an appropriate template

How to share your plan with others

Once finished, you can share your plan with others, and download (‘export’) it as a pdf or Word document (docx).

You are asked to attach your Data Management Plan to your ethics application. Your plan will be used to identify the support you require, and to make sure that sufficient storage and archival space will be available when you need it.

Examples of data management plans

Informative videos from MRC



The EU General Data Protection Regulation (GDPR): Guidance for Researchers

The Act became law on May 25th 2018 and governs the processing or using of personal data. Under the law data processing must be lawful, fair and transparent. To ensure fairness, research participants' rights must be protected. This involves ensuring that any data they provide is used in line with the information they have been given about a particular study. In this way transparency about how their data is used is linked to meeting the fairness criterion.

Under the Act researchers may either be

1.  a data controller: "determines the purposes and means of processing personal data."or

2.  a data processor: "responsible for processing personal data on behalf of a controller."

An important distinction as processors are legally liable if data breaches occur and are required to maintain records of detailing how personal data is processed.

Researchers are likely to fulfill both data controller and data processor roles at different stages of a research process. For example, a funder poses a research question/topic area and provides a budget for the study and a university research team is contracted to address the question. The funder is asking the research team to process data on the funder's behalf. The university team however, decides on what to collect, how to do it, how to analyse and how to present the data. This makes the University team Data Controllers in their own right even although the funder retains overall control of the data as they commissioned it and can determine how they ultimately use the final data report. 

This may not always be the case in contract research and role clarification may be necessary. Advice is available from the Data Protection Officer. 

Research data funder requirements

UK Research and Innovation - formerly RCUK

UK Research and Innovation (UKRI), formerly Research Councils UK, have agreed a set of Common Principles on Data Policy.

They are based on the idea that publicly funded research data should be considered ‘a public good, produced in the public interest, which should be made openly available with as few restrictions as possible in a timely and responsible manner that does not harm intellectual property’.

The policy can be summarised as follows.

  • Data with ‘acknowledged long-term value’ should be preserved and remain accessible and usable for future research.
  • In line with Open Access to publications, UKRI require that you include a statement in your published paper on how and on what terms the underlying research data can be accessed by third parties.
  • If there are reasons to limit access to the data, these reasons should be included in the statement. UKRI recognises ‘that there are legal, ethical and commercial constraints on release of research data’ and that it is important ‘to ensure that the research process is not damaged by inappropriate release of data relating to these constraints’. UKRI also recognises that ‘those who undertake Research Council funded work may be entitled to a limited period of privileged use of the data they have collected to enable them to publish the results of their research’.
  • The research data should be sufficiently documented to enable the data ‘to be discoverable and effectively re-used by others’.
  • It is appropriate to use public funds to support the management and sharing of publicly-funded research data.

All UKRI funders require a Data Management Plan when you apply for funding, and most have issued their own requirements for research data management and Data Management Plans. You will find ‘at a glance’ summaries of these requirements on the Digital Curation Centre’s overview of funders’ data policies. The University of Bristol has useful guides for writing Data Management Plans for each of the seven UKRI funding agencies.

You will need to add details of data security measures to your UKRI data management plan. For details see UKRI data security questions .

The policies required for the UKRI plans are:

Data Management Policy & Procedures 

Data Security Policy 

Data Sharing Policy 

Institutional Information Policy 

Use this table to find out about requirements for data archiving and data sharing, as well as links to guidance from the funding agencies, and other useful guides.

Funder Guidance and policies Other guides
AHRC Application guidance



Rubric for AHRC Data Management Plans (Donaldson and Higman)


Summary of policy stipulations (DCC)

BBSRC data sharing policy (this includes guidance for data management plans), and funding guide  

Summary of policy stipulations (DCC)

EPSRC EPSRC Policy Framework on Research Data  

Summary of policy stipulations (DCC)

ESRC research data policy, guide for UK Data Service guidance , and guidance for peer reviewers on data management plans

Two example plans (University of Leeds)

Fictional example plan (University of York)

Summary of policy stipulations (DCC)

MRC MRC data sharing policy  

Summary of policy stipulations (DCC)

NERC guidance on data management planning, and their data policy

Summary of policy stipulations (DCC)

STCF guidance on writing a Data Management Plan, and their scientific data policy

Summary of policy stipulations (DCC)

Horizon Europe

Horizon Europe builds on the H2020 Open Research Data Pilot. 

  • 'Under Horizon Europe (Work programmes 2021 and onwards), grantees of all ERC projects that generate research data have to submit a DMP (at the latest six months after the start of the project), deposit such data in a ‘trusted’ repository and provide access to them, under the principle “as open as possible, as closed as necessary” '

Data must be deposited in a suitable repository. For all projects open research data will be the default option. If there are legitimate reasons not to share data, it will be possible to opt out of the open research data requirement, which should be argued in your data management plan. Legitimate reasons include, but are not limited to:

  • Issues around commercial or industrial exploitation
  • Confidentiality connected to security
  • Incompatibility with rules protecting personal data

Projects that will not generate or collect research data are also exempted, as are those for which sharing data would jeopardise the outcome of the project. It is also accepted that where regenerating the data at a later date would be cheaper than archiving it then it is not worth the effort to deposit it in a repository.

Other funders

Funder Guidance and policies Other guides
CRUK data sharing guidelines (including guidelines for a data management and sharing plan) and policy on data sharing and preservation Data sharing FAQs (CRUK)


Summary of policy stipulations (DCC)

NC3Rs NC3Rs (National Centre for the Replacement, Refinement and Reduction of Animals in Research) have adopted the UKRI guidance for open publishing and data sharing plus additional MRC terms and conditions – Grant holder Information  



NIHR Since 2014, the National Institute for Health Research has a policy on open Access.  They also have a policy on data management and sharing  
Wellcome Trust Guidance for researchers on developing a data management and sharing plan

Data sharing (Wellcome Trust)

Summary of policy stipulations (DCC)

The SHERPA service provides current and comprehensive information about the data archiving and data sharing requirements of all research funders. The database is maintained by the University of Nottingham.

Research data - legal and ethical aspects

Ethics and approval and consent

If you are working with human participants, the consent that you seek will determine

  • how you need to manage your data
  • if and how it should be kept for the long-term
  • whether it can be shared and how

Personal, confidential and sensitive data may not be shared unless informed consent has been obtained from the participants; sharing those data usually has to happen in anonymised form. It is therefore important to consider ethics in your data management plan.

It is essential that you seek consent from human participants that allows the data to be shared and re-used at the end of the project via participant consent forms. There is usually no ethical or legal reason to destroy research data at the end of a project — except in the case of personal and sensitive personal data as outlined below under keeping personal data — and there is therefore usually no need to promise destruction of data unless your research funder or sponsor requires you to do so.

It may also be that your participants are less reluctant over data sharing than you might think. Explain to your participants the benefits of sharing their data with the research community, highlighting possible restrictions to re-use via licences (which may include not breaching confidentiality, no further sharing of data with other people, and no re-use for commercial purposes). Make it clear that it is entirely their decision, whereby they can decide whether their data can be shared, independent of them participating in the research.

Ethical consent should follow University policies and procedures

Under the  GDPR legislation, when gaining individual consent from participants for gathering your data you will now need to include a Privacy Notice with your ethical consent material. See GDPR Guidelines for Researchers document below for further information.

The UK Data Service has guidance on consent, confidentiality and ethics.

Data protection

The General Data Protection Regulation (GDPR) provides a framework to ensure that personal and sensitive personal data is handled responsibly and with regard to the rights of individuals. It also gives individuals the right to know what information is held about them and how it is used.

All researchers must adhere to the requirements of the GDPR when they collect, manage, keep and share their research data. The GDPR applies to all personal and sensitive personal data. Personal data is data that relates to living individuals who can be identified from that data. Sensitive personal data includes information about racial or ethnic origin, physical or mental health or condition, political opinions, religious belief, sexual life and information about offences, alleged offences and any related court proceedings. The General Data Protection Regulation does not apply to general, non-personal research data, and it also does not apply once personal data has been anonymised or to data about the deceased. However the GDPR still applies to pseudonymised data. Further guidance on anonymisation and psuedonymisation is available from the ICO Anonymisation code of practice

Keeping personal data

The GDPR states that personal and sensitive personal data ‘processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’. However, there is an exemption if the data is used for research as long as it satisfies two conditions

  • the data must not be used to ‘support measures or decisions with respect to particular individuals’
  • the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be caused to any data subject’

The exemption therefore allows personal and sensitive personal data to be kept indefinitely for research purposes.

However, the 7th data protection principle (which relates to security) and the 1st data protection principle (which requires that data is only processed where it is necessary for a legitimate purpose) still apply. Researchers should, therefore, retain primary data which consists of or includes personal and sensitive personal data in line with the retention periods specified in the University’s records retention schedule and review the data at the end of the retention period; researchers may consider extensions on a case by case basis depending on the ongoing value to the University and the wider research community. Where the research is governed by a legal contract, the retention period specified in the contract overrides the records retention schedule.


Where possible, personal and sensitive personal data should be modified as early as possible in the processing of data so as to safeguard data against accidental or mischievous disclosure. For some research projects there is no need to associate data with the data subjects and the data can be collected anonymously. In other cases, it may be possible to anonymise the data at a later stage of the project. For more information on anonymisation see

  • the Anonymisation Code of Practice published in 2012 by the Information Commissioner’s Office
  • L. Corti, V. Van den Eynden, L. Bisshop, M. Woollard (2014). Managing and Sharing Research Data: A Guide to Good Practice. London: Sage, pp. 118-124. Available from both Adsetts and Collegiate Libraries via Library Search

The University has a privacy policy and provides useful guidance on data protection.

The right of subject access

The GDPR gives data subjects a right to obtain copies of all their personal and sensitive personal data that a data controller holds (the right of subject access). The GDPR recognises, however, that this may be difficult for researchers, so there is an exemption from the right of subject access where

  • the data must not be used to ‘support measures or decisions with respect to particular individuals’
  • the data are not processed in such a way that substantial damage or substantial distress is, or is likely to be caused to any data subject’

and where

  • ‘the results of the research or any resulting statistics are not made available in a form which identifies the data subjects or any of them’

Provided these conditions are met, researchers are not required to provide personal data from research files in response to a subject access request.

Intellectual property

The copyright of your data, or parts of your data, may be owned by various parties: Sheffield Hallam University, academic collaborators, commercial partners, your interviewees and (if you are using existing datasets) data providers. Establishing ownership early on in your project will be useful later on if questions arise about what can be done with a particular piece of data and by whom. This is particularly important when you want to archive and share your data.

Generally, all outcomes of research work carried out by University employees are owned by the University and not by the individual or individuals who created these outcomes. If you are re-using existing data sources, it is important to check under which conditions you can use these data. If you are planning on sharing (large extracts from) interviews, it is advisable to ask your interviewees for transfer of their copyright (a signed form) or a license to use the data obtained through the interviews, as the possibility exists that the interviewee may at some point wish to assert the right over their words.

The UK Data Service provides a useful copyright overview.


For single-institution projects ownership initially lies with the University but may utlimately lie with your funder or sponsor. In multi-partner projects, you should outline which partner owns what intellectual property and what rights the other partners have to use it, which may depend on your funder’s or sponsor’s terms. This should have been set out in your collaboration agreement. If you are using secondary data (ie data produced by somebody else) then please give an idea of the licensing restrictions that apply. Please refer to the University’s Intellectual Property Policy (staff).


For research students, the copyright in the thesis submitted for examination remains with the candidate, but all other Intellectual Property rights lie with the University and/or the funder of the research project — including those over the research data produced for the thesis. See the Regulations for the Awards of the University’s degrees of Master of Philosophy and Doctor of Philosophy (pdf), the Student Intellectual Property Policy, and the Student Terms and conditions

Commercially sensitive information

It may be that your data is commercially sensitive, for example when you are seeking patent or a third party has a legitimate interest. In this case, data sharing may be restricted — you may foe example consider making your data available to others subject to a suitable legally enforceable non-disclosure agreement.

Nonetheless, it is always advisable to make sure your published findings can be validated by others, especially when you are working with public funding. The EPSRC, for example, states that

Research organisations and researchers have a responsibility to ensure that publicly funded research involving third parties is planned and executed in such a way that published findings can be scrutinised and if necessary validated by others. […] Third parties who collaborate in publicly funded research should be made aware of the importance of ensuring that published findings can be validated by others.

UKRI data security questions

SHU has achieved the Cyber Essentials certification and there are specific areas with more stringent controls (e.g. IG Toolkit - NHS contracts) and we align with ISO 27001 standards. As well as additional contractual controls implemented by CRESR, CEDARE, CENTRIC & C3RI GDPR has also been a driving factor in the assessment and introduction of further controls for access to personally identifiable information (PII)

The main risk to data security is unauthorised access to PII and other sensitive/confidential materials whether it's from malicious actors, accidental exposure by someone within the institution, or potentially vulnerable systems.

The University operates a Security Risk Management process where all risks to the University Information Security are recorded and tracked in a dedicated and secure risk register. In addition, risk of security or data breach is recorded as a corporate risk to ensure visibility at the highest level of the University.

Risk: Unauthorised access to the data at rest (medium risk before controls)

                Access to research data on Q or J must be specifically authorised by the data owner (PI?)

                All users of  University IT must authenticate with an individual username and password.

                Workstations will lock after 10 minutes of inactivity to protect against unauthorised use.

                Unauthorised equipment cannot be connected to the University network, it must use a network designed for untrusted equipment and denied access to central data stores.

Risk: Unauthorised access to data in transit (medium risk before controls)

                The University Encryption Policy covers all data in transit and how it can be safely moved.

                All mobile equipment that will go off campus is encrypted to FIPS-140/2.

                The University provides an encrypted email service for use with confidential data.

                All USB sticks issued by the University are encrypted.

Risk: Loss of data through accidental deletion or change (medium risk before controls)

                Data is backed up daily and can be quickly restored if required.

Risk: Loss of data through equipment or facilities failure (low risk before controls)

                Data is backed up daily and can be quickly restored.

                Data is synchronously replicated to an alternate datacentre and can be accessed in the event of a major incident.

Risk: Access by malicious actor (high risk before controls)

                Unified Threat Management firewall appliances on the network edge provide proactive protection from internet attacks

                Firewalls on the datacentre edge provide further protection from internal users.

                All UTM and firewall output is monitored for threats and action taken and recorded.

                Security patching is covered by a policy. All patches are deployed within one month of release in the datacentre. Services can be withdrawn if critical patches are not deployed in a timely manner.

                Datacentre networks and equipment are scanned for vulnerabilities every month and risks acted upon.

Risk: Virus or other malware (high risk before controls)

                Anti-malware tools are deployed on the firewall, in the email system and on workstations.

                Anti-malware tools report centrally and are monitored by the Security Team for new threats or infections.

                Snapshot copies of changes are taken throughout the day in case of damage to central file-store by malware allowing a fast rollback.

If the above control measures fail the University has a robust incident management process in place. This is regularly scenario tested to make sure that it is correct and up to date and that staff are aware of their roles and tasks

Details of SHU IT policies can be found at

Some key policies:

Data Management Policy & Procedures

Data Security  Policy 

Data Sharing Policy ,

Institutional Information Policy

Adsetts Library [map pdf]
Collegiate Library [map pdf]

Sheffield Hallam University
City Campus, Howard Street
Sheffield S1 1WB
Sheffield Hallam Library Signifier