University of Texas University of Texas Libraries

How to Work with Sensitive Data

Legal & Ethical Considerations

Sharing sensitive data is not always a hard no, but there are some legal and ethical considerations.

Researchers who collect research data are principally legally and ethically responsible for the proper management and protection of those data, regardless of funding source, university affiliation, publishing venue of any related outputs, and any other connection to another entity. 

For certain projects, university policies, funder policies, state laws, federal laws, or some combination of these will dictate if and how research data can be shared. These are legally enforceable mandates that supersede lower-level requirements, such as journal data sharing mandates. Researchers who are engaged in collaborative research should also ensure that they are in compliance with any policies that apply to collaborators based on those individuals’ funding, institutional affiliation, and/or country of residence. If you have questions about legal policies, the best resources are the funding body (for funder policies) or OVPR (for all other policies).

Even in the absence of legal prescriptions or prohibitions around how researchers disseminate their data, researchers working with sensitive data have an ethical obligation to ensure that data are not inappropriately disseminated and reused.

Federal funders require data sharing, but don't always address ethical barriers or safeguards. The National Institutes of Health (NIH) has a policy statement on protecting sensitive and confidential information. The NIH has also asked researchers to address this in their Data Management & Sharing Plans. From the Supplemental Information to the NIH Policy for Data Management and Sharing: Elements of an NIH Data Management and Sharing Plan: "Researchers should decide which scientific data to preserve and share based on ethical, legal, and technical factors that may affect the extent to which scientific data are preserved and shared. Provide the rationale for these decisions."

Other agencies do not always directly address sharing sensitive data. It's up to the researcher to be proactive about protecting sensitive data.

When conducting research with vulnerable populations whose identification could cause them significant harm (e.g., children, people who criticize political parties, prisoners, sex workers), extra safeguards must be put in place, such as collecting as little data as possible about the population, keeping working data access limited, and storing data in secure environments.

  • Data Protection Laws: Govern how personal data can be collected, stored, and used. It's your responsibility to understand and comply with these regulations.
    • FERPA (Family Educational Rights and Privacy Act): Governs the privacy and security of student education records in the U.S.
    • GDPR (General Data Protection Regulation): Governs the handling of personal data for research conducted in the European Union or involving EU citizens.
    • HIPAA (Health Insurance Portability and Accountability Act): Regulates the use of health-related data in the United States, ensuring that personal health information (PHI) is securely managed.
    • Or local equivalents.
  • Informed Consent: Ensure participants are fully informed about how their data will be used and have given explicit consent.
  • Institutional Review Board (IRB): Obtain approval from an ethics committee or IRB before starting research involving human subjects.

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 Generic License.