Why do we need Research Ethics and Data Protection (REDP) procedures?

One of the principal and essential functions of a university is the carrying out of research. The University of Malta (UM) recognises its responsibility to researchers and the wider community to ensure that the highest standards of integrity and professionalism are observed in the conduct of research carried out under its auspices. A detailed description of the standards that are expected of all UM staff, students, and anyone else carrying out research under its auspices, can be found in the UM Research Code of Practice .

Additional resources on research ethics and data protection.

Why is it important for me to follow research ethics and data protection procedures?

All researchers have a duty to be ethical in the conduct of research in keeping with standards established through international and supranational conventions and directives, as well as those set by academic and professional associations in the respective disciplines and fields of practice. Researchers should adhere to the UM Code of Practice, which provides guiding principles and standards of good practice in research across all subject disciplines and areas of study in the University.

There are also legal requirements (both local and EU) when collecting and processing 'special categories of personal data'/'sensitive personal data'. Also, as of January 2018, all research-related UM dissertations must contain the following statement: 'I declare that I have abided by the UM's Research Ethics Review Procedures.' Failure to comply with REDP procedures and to be able to accurately include this statement can thus have consequences for successful graduation. 

Which activities are covered by Research Ethics & Data Protection procedures?

Any research activity being conducted by staff, students, visiting or affiliate staff, associates, contractors and consultants either on UM premises or elsewhere are subject to these procedures. Research activities are defined in the UM Research Ethics Review Procedures  and include any systematic investigation, such as research development, testing and evaluation, designed to develop or contribute to scholarly and/or generalisable knowledge. In this context, knowledge refers to research output that is published, disseminated, made available or retained so that it can form the basis of further study.                     

How do I ensure that my research conforms to UM Research Ethics & Data Protection Procedures?

The UM Research Ethics Review Procedures require all researchers to carry out self-assessment of the ethics and data protection issues relating to their research. This is done by filling in a Research Ethics & Data Protection (REDP) form in the online URECA system used by the UM. This online form guides the researcher to consider issues relating to research ethics and data protection. If the form does not highlight any issues that require further scrutiny, the application will be filed 'for records' and the research may proceed. If there are issues that require review, the application is sent 'for review' by a Faculty/Institute/Centre Research Ethics Committee (F/REC). The F/REC will then guide the researcher as to what needs to be done to conform with research ethics and data protection requirements.                     

Should consultancy projects follow the REDP procedure?

If a consultancy project conducted at the UM has components that are intended to be published (in any form) as "research", then the UM Research Ethics Review Procedures  apply by default. This follows as the procedures apply "to all UM staff, students, and anyone else carrying out research under its auspices". In other cases, where there is no initial intention to publish research, the procedures may still be followed to cater for the eventuality that data/findings from the consultancy are later used in this way. Should a researcher later wish to utilise data/findings from any consultancy project that has not followed REDP review, then the procedures for use of secondary data apply. In such instances, it should be noted that, if ethics or DP issues are identified by FREC/UREC when it is too late to address them, the work will be considered unsuitable for research publication.  

How do I know if my work conforms to acceptable principles of ethical research conduct?

Students should discuss these issues in detail with their supervisor. The University of Malta Research Code of Practice , also provides clear guidance. Information can also be obtained from the ethics guidelines and other publications of the academic and professional associations in your discipline and field of studies. Standard texts on research methodology discuss good ethical practice and should be consulted.

Additional resources.

Are there guidelines for research which involves interaction with disabled people?

Yes. Ethical issues in disability research go beyond ensuring that the disabled people participating in one's research do not encounter any risk or harm. It also involves being attentive to disabled people's perspectives and their concerns, and catering for their impairment-related requirements throughout the research process.

Visit the UREC resources page for these guidelines.

What is the purpose of an ethics and data protection audit?

A primary function of both the University Research Ethics Committee (UREC) and the Faculty Research Ethics Committees (FRECs/RECs) is to carry out systematic audits of the ethics and data protection applications, both those submitted for review and those submitted for records.

These audits are essential so that the University (UM) can ensure the highest standards of integrity and professionalism are observed in the conduct of research carried out under its auspices. UREC intends to conduct audit exercises each year in which a sample of applications submitted across all disciplines will be examined. Individual FRECs/RECs will also decide on specific auditing parameters. In order to conduct an audit, full documentation on each application must be available. See below for details on what documentation needs to be provided during the application process.                                            

If research entails collecting data at different stages, is approval needed at each stage?

Yes, unless the entire project was covered by a single application made at the start and covering the different stages.                

Do data collection exercises carried out as normal part of teaching and learning need to receive REDP clearance?

Activities that occur as part of normal teaching and learning are not required to go through the research ethics and data protection review procedures (REDP) unless data from those activities are made accessible to others, either by direct publication or storage so that they persist and become viable sources for subsequent research. If teaching activities do give rise to such data, then an application should be made, with the staff member responsible for the teaching activities (e.g. study-unit coordinator, or lecturer) named as the researcher.

Even though teaching activities may not require to go through REDP, it is clearly the responsibility of individual staff members to make sure that all research-based activities are conducted in accordance with ethical and data protection guidelines as laid down in the UM Research Code of Practice , applicable legislation and more general ethical guidelines relevant to the area of activity.      

I cannot find the answer to my question. What should I do?

Please be aware that this FAQs list is being updated regularly. In the meantime, unanswered student queries should be directed to the relevant academic supervisor, while other researchers should contact the appropriate Faculty Research Ethics Committee (FREC/REC) chair.

Do I need to follow UM Research Ethics and Data Protection (REDP) procedures?

The UM REDP procedures apply to all those undertaking research on the University’s premises using its facilities, or on behalf of the UM, including staff, students, visiting or affiliate staff, associates, contractors and consultants.

Who is ultimately responsible for the research that is conducted?

For student applications, the primary supervisor is responsible for guiding the student to ensure that research ethics and data protection procedures have been followed. In all other instances, the applicant is responsible for providing accurate self-assessment and, where appropriate, providing a detailed assessment to the relevant Faculty Research Ethics Committee (FREC/REC). Failure to abide by the University’s  Research Code of Practice  and Research Ethics Review Procedures  is considered a serious breach of University regulations.  Should a subsequent audit either by FREC/REC or UREC determine that research ethics or data protection procedures have not been followed, disciplinary measures may be taken.

Who can make use of UM research ethics and data protection procedures?

These procedures are available to all University of Malta (UM) staff, students, and anyone else carrying out research under its auspices. This includes visiting staff and students from other institutions (in Malta or overseas) who intend to conduct research in Malta. In addition, requests for ethics and data protection review by researchers external to the UM may also be considered. Such reviews of external projects will incur a fee unless the research team includes UM staff or students, in which case no payment shall apply.

When a student project has more than one supervisor, who takes responsibility?

If a student project has more than one supervisor, the University always designates one of the supervisors as the principal supervisor. The principal supervisor should advise the student on the application process and take responsibility for signing the form.                

For work involving different faculties, who submits the application?

The researcher who is primarily responsible for the work should submit the application. However, the nature of the work, and where it will be carried out, should mostly determine where the application is made. For example, if the researcher is from the Faculty of Arts, but the study involves working with live animals, it would be more appropriate to submit the application to the Faculty Research Ethics Committee of the Faculty of Science. 

Are there different versions of the application form for students and faculty researchers?

No. The form is the same for all applicants, regardless of status. Students are required to fill in some additional fields and to seek their supervisor's approval via the form completion process.

I am not directly associated with a Faculty. Where should I send my form?

All Institutes, Centres and Schools will have made arrangements with Faculties that carry out research in similar areas for research ethics and data protection audits and reviews to be carried out by an appropriate Faculty Research Ethics Committees (FREC/REC). If you are a student, your supervisor will be able to indicate the relevant FREC/REC. Staff and affiliates should ask the Director or senior members of staff for the appropriate FREC/REC, given the nature of the intended work.

Who oversees Research Ethics and Data Protection (REDP) procedures at UM?

The University Research Ethics Committee (UREC) is a Senate appointed body tasked with the overall management and auditing of both research ethics and data protection activities at the University of Malta. Access the list of the UREC members and a detailed description of UREC's role .

What is the role of the Faculty Research Ethics Committees (FRECs)?

The FRECs directly manage the research ethics review process within their area. In all instances, individual applicants should communicate directly with the relevant FREC, not UREC, if they have questions or concerns about their research or their application. Access the list of FREC contacts which includes a detailed description of the composition of FRECs and their mandate can be found on the Research Ethics Review Procedures  document.

When should applications be submitted directly to UREC?

Never. Applications are only reviewed by the University Research Ethics Committee (UREC) when they are forwarded by a Faculty Research Ethics Committee (FREC/REC). All forms should be submitted to the relevant FREC/REC. Access the list of FREC/REC contacts here


When do the FRECs/RECs refer applications to UREC?

When the self-assessment signals that there are no issues, the FREC/REC will simply file the documentation for potential audit purposes. When the self-assessment signals a need for a detailed evaluation, the FREC/REC will review the full application and will decide if the research can be approved or if further information/changes are required. Once the FREC/REC is satisfied, it can (normally) authorise the research to proceed and sign the approval. UREC gets involved only if the researcher and FREC/REC absolutely cannot reach an agreement.

The only other case where a FREC/REC needs to refer an application to UREC, and cannot authorise the research, is when the researcher intends to process ‘special categories of personal data' (also referred to as 'sensitive personal data'). In such cases, UREC-DP (the data protection stream of UREC) reviews the application to ensure compliance with relevant local and EU data protection legislation. UREC-DP then submits its recommendation to the Information and Data Protection Commissioner (IDPC), and communicates the IDPC’s decision to the FREC/REC, which will advise the Researcher on how to proceed. For further information about the UREC-DP Review process, please refer to the University of Malta Research Ethics Review Procedures ,  Section 5.3.


At which point of the research should a REDP form be submitted?

All research projects should submit a REDP form once the research design is sufficiently developed to enable the applicant to complete the form but prior to data collection.  In cases where the application is submitted for review, sufficient time should be allowed for the respective FRECs to review the application, based on their published meeting dates (available on FREC/REC web pages). In cases where the application indicates potential data protection issues, it is important to consider the meeting dates of the UREC-DP board.


How do I begin my Research Ethics & Data Protection (REDP) application?

The procedure commences with the applicants reading the relevant documentation and familiarising themselves with the application on URECA, using the downloadable replica if needed. The form includes information about the applicant and the project (Part 1), a self-assessment checklist (Part 2),and submission details (Part 3) If the applicant identifies any issues in Part 2, then further details are required on those issues. Once the form is completed, applicants can keep track of its progress on URECA. All updates will also be communicated to applicants by email. In the case of supervised research, the supervisor is also alerted automatically by URECA in order to review and endorse the form.                      

How long does it take for an application to be approved?

Applicants whose self-assessment signals no ethics or data protection issues may SUBMIT the form to the FREC/REC for filing and may commence right away. Applicants whose self-assessment signals that there are some issues, are required to provide details on those issues (in Part 2 - Self-Assessment). They will then need to submit to the FREC/REC for review and may NOT commence data collection until the FREC/REC gives its approval. This shall normally take no more than two months from the time of submission of the application to the FREC/REC.

How is a 'Researcher' defined for the purposes of REDP and what is their role?

The 'Researcher' is defined in the Senate document 'Research Ethics Review Procedures ' (Section 1.0) as the 'primary individual responsible for the preparation, conduct, and administration of a research project'. This may or may not be the senior scientist involved, depending on the norms in your area of research. In the case of student projects, the researcher is the student, duly guided by an academic supervisor.

Who do I contact if I have questions about an application?

If you are a student at the University of Malta (UM), you should direct your questions to your primary supervisor. If you're a member of staff or affiliated researcher within a UM Faculty, you should contact the relevant Faculty Research Ethics Committee (FREC).


If you are working within an Institute, Centre or School then you will also need to direct your questions to the appropriate FREC. If you are unsure which FREC has been assigned to your area, please contact the director of your Institute, Centre or School.
If you are NOT affiliated with the UM and are considering making an application, you should first contact the research ethics committee.

Can I begin data collection before undertaking a research ethics & data protection review?

No. It is essential to submit the application via URECA. This includes a self-assessment. If the outcome of the self-assessment clearly indicates that research can commence, the data collection can begin. If additional information and assessment is required by a Faculty Research Ethics Committee (FREC/REC), data collection must wait until a FREC/REC decision has been made and communicated to the applicant.

Can I use data collected before I carry out a research ethics and data protection review?

Absolutely not. It is a violation of the University of Malta Research Code of Practice  to conduct research and collect data prior to completing the REDP review process.

Can I submit my application before my student research proposal has been approved?

No. You should only complete the research ethics and data protection (REDP) review once your research proposal has been approved by your department. Your supervisor can give you more information on this, but they will not approve your application until the proposal itself has been accepted.

What is the distinction between primary and secondary data?

The term 'primary data' refers to data collected directly by a researcher/institution during the course of a research study, specifically for the purposes of that research study. Secondary data are those data, originally collected by researcher/s and/or institutions, which are made available to other researchers (like yourself), who did not collect the data themselves. These data may have already been processed and made public through publication or Open Access, etc., or may be unpublished and held in data repositories. Unpublished secondary data are not accessible, except by permission. In either case, the data will have been collected for purposes other than the project for which you are making secondary use of them. When you use secondary data, you are usually using these data collected in the past for a different purpose, to analyse and interpret them for the new purpose of your project.


Should my application include a Data Management Plan?

A Data Management Plan (DMP), is a brief (typically two-page) document that explicitly describes how the data for a particular research project will be stored, processed and protected. DMPs can help ensure that data collected adheres to the FAIR (findable, accessible, interoperable and reusable) data principles and that data is being collected and managed securely and in line with legal requirements. When UM REDP (research ethics and data protection) applications are reviewed by FRECs (and for those with special categories of personal  data, additionally by UREC-DP) a DMP can also assist by directly answering questions related to data handling and storage. Finally, as many external funding agencies (e.g., European Research Council) now require a DMP as part of their application process, it may be useful to become familiar with them as a general research tool. You can read more about how to construct a DMP and find links to example templates on the UREC resources page.


What is risk of harm to participants and how may it be addressed?

Participating in research may carry some risks to some participants. These risks may manifest in a number of ways, including physical, psychological, legal, economic, or social harms. To determine if your planned research involves possible risk of harm, please read the specific FAQs below and/or consult with your FREC/REC. It is the duty of a researcher to assess any such risks and to plan measures to minimise and mitigate them, and, if necessary, to provide compensation. If minimisation, mitigation, or compensation are not possible, then the research may need to be amended or not carried out at all.
Measures could include planning safety measures, taking out insurance coverage, providing access to psychological counselling, providing reimbursement for participation, or other measures specifically taken to address the respective harms. In each case, a risk assessment should be carried out and submitted as part of the Ethics application. If necessary, additional documents could be attached (e.g., copies of insurance coverage, of psychological supports available, of safety protocols regarding clinical tests, etc.).

What is considered risk of physical harm?

Risks of physical harm include pain, injury, illness, or impairment and may arise from seemingly benign activities like taking part in sport or outdoor activities, or from more direct research interventions, such as having electrodes placed on the head to stimulate a neurological/cognitive response or use of invasive imaging techniques, such as PET scans. There may also be risk of physical harm for participants who are in situations which make them prone to violence from others (even simply if they are known to have communicated with researchers); examples of such participants include victims of domestic violence or those involved in criminal activities. Research carried out in countries that are politically unstable (e.g. where there is ethnic conflict or war) also raises similar risks of physical harm to participants.                      

Which types of non-harmful physical intervention also raise ethical concerns?

Some forms of physical intervention may not be harmful, but may still raise ethical concerns, due to their nature. For example, requiring participants to undress for an examination or to have monitoring equipment attached, could cause excessive embarrassment, awkwardness, or be culturally insensitive. Protocols that take place late at night, or that last unusually long may cause excessive drowsiness, which could affect participants immediately after taking part in your research. Some forms of physical stimulation, such as excessive movement while wearing a virtual-reality headset, are known to cause motion sickness and nausea.

If your research involves physical intervention that goes beyond normal interaction or may be considered unusual or excessive in some way, then you will need to provide details during your ethics application and these will be reviewed by your FREC/REC.
Please be aware that many forms of physical intervention are neither harmful nor excessive/unusual. For example, measuring body weight and mass, taking blood pressure, placing an electrode cap on the scalp to measure EEG, providing food and drink during a focus group, all involve physical intervention, but do not raise ethical issues. Please consult with your supervisor and/or FREC/REC if you need further information as to what is considered 'normal' physical intervention in your field of research.                      

What is considered risk of psychological harm?

Participants may be subject to psychological harm by research, by nature of their own vulnerability, by nature of the research and its questions (sensitivity), or by both.  Children, patients, any person subject to discrimination, minorities, people with mental health conditions, those unable to give consent, sex workers, and incarcerated persons may all be considered to be vulnerable.  With the guidance of your supervisor and/or FREC/REC, you should determine who, in your field of study, would be considered vulnerable.
Note that most research with these categories of participants does not place them at risk of psychological harm. Moreover, these participants have a right to be heard and to participate in research. This will help ensure that policies which affect them will be informed by their perspectives. There is, however, some research which, by nature of its substantive research question, may cause psychological distress. This type of research could also cause distress to others who are not in vulnerable categories. For example, research that asks a person about his or her experience of having a sibling who committed suicide may distress the person. Asking children about cyberbullying, may, especially in qualitative research, provoke feelings of distress. Asking participants to recall traumatic aspects of their lives or to reveal information that would normally be considered private (such as about income or marital life) may be an affront to the dignity of the person and may cause distress. Using stigmatising language regarding disability, ‘race’, ethnicity, and appearance, amongst others, may also be distressing.

A number of measures may be taken to reduce psychological harm. These may include: i) finding psychologically and physically safe places to be with participants; ii) offering the possibility for participants to participate in privacy; iii) careful wording of interview and other questions; iv) negotiation of 'process consent', whereby the researcher constantly checks that the participant is comfortable with the research process; v) allowing plenty of time for debriefing and for ending research, especially if it is participatory research; vi) offering access to psychological support.


What is considered risk of legal harm?

Research participants may be harmed if, for instance, what is required of them involves doing something illegal or reporting on illegal activities already carried out, both of which may leave them open to prosecution. In the first case, it would be unethical to ask anyone to do something which would leave them open to legal harm, including to divulge information which is protected by data protection legislation or any professional/organisational secrets, regulations, etc. In the second case of reporting on legally dubious past activities, there are many studies which do need to understand the nature of these activities, which may be classified as ‘illegal’ or legally dubious. Additionally, a participant may divulge that s/he is about to commit an illegal act (such as harm another person).

In any of these situations, researchers need to: i) check what their own obligations to report these activities are (mandatory reporting); ii) check what promises and guarantees they are able to give to participants (including about mandatory reporting, wherever applicable); iii) account for how they will protect participants’ identity and third party confidentiality (both in their records and in their data); iv) make sure that, in dissemination, no incriminating data may be attributed to specific participants, groups of participants, or third parties (such as others apart from research participant who may also be involved in these activities).

What is considered risk of economic harm?

Participating in research comes at a cost of time, as well as other possible costs related to travel, child care expenses, costs related to buying refreshments and to take time off work, amongst others. Especially, but not exclusively, for those who are poor or economically disadvantaged, researchers should ensure that they do not suffer economic harms. This can be done by offering monetary compensation for travel, child care, and refreshment costs incurred. If participants have to take time off work to participate, it is ethically just to offer adequate compensation for this too.

Note that compensation differs from inducement in that inducement through economic means encourages a participant to do something that person would not normally do.  It may lead to a bias in recruitment. However, in cases where 'hard to reach' populations can only be reached by inducement, then this is regarded as an ethical way of reducing research bias.

Details of how you will compensate those at risk of economic harm or whether you will be offering inducement and why you will do so should be included in Part 2 of the application on URECA.               

What is considered risk of social harm?

Research participants may experience social harm in a number of ways. These include being stigmatised when researchers target individuals or groups that are already in a social minority, especially when other populations should also be considered, e.g., when researchers look at crime rates among black males only, or study HIV among prostitutes only (a stereotype bias). Social harm may arise from participants being identified by members of their own community as having been research subjects in studies on sensitive issues, e.g.,  a footballer, who, as a child, was sexually abused by a coach.

Any focus on a single person in a study within an organisation, where the person is seen to be the sole informant, or in a relationship of over-rapport with a researcher, such as a child who is speaking to a researcher about school violence, or a factory worker who is participating in research on labour market irregularities, may leave the participant prone to social harm of ostracisation, exclusion, and other social harms.

Similarly, participants who talk about life-styles or experiences which they have not divulged to family and community members (such as rape, addiction, communicable illness, or sexual orientation) and who may become identifiable, may be at risk of social harm. Additionally, whole communities may be at risk of social harm if they are identified with crime, violence, poverty, or any undesirable social characteristics, such that the community itself and members within it are shunned or made to suffer from negative stereotypes.

In Part 2 of the application on URECA you should list the types of social harms that may ensue and the corresponding measures you will take to mitigate them.

What is a person in a situation of vulnerability?

Situations of vulnerability arise from the environment, negative attitudes and practices. Certain persons may be more at risk of being in situations of vulnerability than others. These include, for example, children, older persons and persons living with dementia, patients, any person subject to discrimination, minorities, persons with disabilities and mental health conditions, those unable to give consent, persons in prostitution, and incarcerated persons.

While the participant themselves may not be vulnerable, the actual topic of the research might pose a risk of harm, thus rendering the participant vulnerable in the specific research context. Furthermore, where a strong power difference that could have negative repercussions exists between the prospective participant and the researcher, with the participant having less power, then this participant is to be considered vulnerable.

If you are unsure of who in your field of study would be considered vulnerable, you should consult with your supervisor (in the case of students/supervised applicants) and/or your FREC/REC.


What is defined as a mental health disorder?

[See document: Guidelines for research involving persons with mental disorders issued by the Commissioner for the Promotion of Rights of Persons with Mental Disorders.]

The Diagnostic and Statistical Manual of Mental Disorders (DSM-5) describes a mental disorder as a ‘syndrome characterized by clinically significant disturbance [emphasis added] in an individual’s cognition, emotion regulation, or behaviour that reflects a dysfunction in the psychological, biological, or developmental processes underlying mental functioning’. Such disorders are usually associated with significant distress in occupational, social, or other important activities.

Responses to a common stressor or loss, that are expectable or culturally approved such as the death of a loved one, are not a mental disorder. Socially deviant behaviour (e.g., political, religious) and conflicts that are primarily between the individual and society are not mental disorders unless the deviance or conflict results from a dysfunction in the individual, as described above.

The following link provides a list of mental health disorders according to the DSM-5. Please note that
there has been the addition of ‘prolonged grief disorder’ to the list above in the revised text version


What is an identifiable participant?

In some areas of study, research participants may be directly identified or identifiable, for example by having specific quotations or ideas attributed to them. You might also include example photographs of a research event or experimental set-up when publishing data that clearly reveals the identity of participants. Less directly, a description of a participant, such as 'a well know sportswoman who represented her country in heptathlon', may make identity obvious if there is only one such individual of a given age.

In all such cases, explicit consent should be obtained in order for you to reveal identity in this way. If explicit consent will not be obtained for some reason, you will asked to provide details in the form on URECA as to why such revelation is justified, why you will not obtain consent, and what measures you will take to minimise any negative consequences.

Please note: This question refers to research data not research records. Please see the relevant FAQ  for the distinction. Importantly, this question does not refer to signed consent forms or other records that are kept securely UNLESS these items are intended for publication/dissemination or will be distributed or made available with the intention of becoming part of another researcher’s research data.

Is my use of published secondary data in conformity with research ethics?

Most data which are in published sources have already gone through ethics review. If you are using these data, you would simply need to check in the publication or source, what reference there is to ethics review and if this covers secondary use. If not, you may need to obtain permission from the data controller for secondary use of these data, as well as establish whether the controller had permission, such as consent from participants, to make the data available for secondary use.

You would also need to ensure that where these data, in a disaggregated form, do not identify natural persons, no further work on them i.e. in aggregating them, will lead to the unethical identification of a natural person or persons. 

Is my use of unpublished secondary data in conformity with research ethics?

In the case of unpublished data made available for secondary use by a data controller, such as a hospital, data repository, statistics office, or other agency, once you get permission to access these data, you would need to: i) acquire a copy of the original research proposal and of its ethics approval; ii) check whether these cover secondary use; iii) check under what conditions this secondary use is granted and whether your own use of these data fits the criteria established.

Where the data have not been collected as part of a research project but are part of routine information collection by the institution (such as a hospital) you would need to: ii) establish whether that institution has the consent of natural persons to pass on any data or materials from them to be used in research studies; ii) confirm that the data controller is conforming to legal requirements of data protection legislation, especially regarding special categories of personal data (sensitive personal data).

In the case of secondary use of data or materials (such as tissue samples) collected from human subjects, you should also review copies of templates of information sheets and consent /assent forms which were used with the human subjects in the original collection of data to acquire their consent for secondary use of the data collected.

In cases where the original consent form did not provide for secondary data processing, or if data was not collected for research purposes (e.g., medical records), then an appropriate intermediary (someone who has the right to access the data and contact the participants) may be used to obtain such consent.

If this is not possible, then it may be permissible to process secondary data if it is justifiable under the legal basis provided in the General Data Protection Regulation (GDPR) Article 9(2)(j). This stipulates that defined 'special categories of personal data' (sensitive personal data) may be processed 'for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes', in accordance with Article 89, subject to the conditions laid down in the GDPR. Such processing must be subject to appropriate safeguards for the rights and freedoms of the data subject. Those safeguards must ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation. The data minimisation principle stipulates that the amount of personal data collected should be limited to what is necessary to achieve the purpose(s) for which the data is gathered and further processed.

If the purpose of your research can be fulfilled using pseudonymised data, then personal data should be pseudonymised. Where the purpose of your research can be fulfilled using anonymous or anonymised data, then the data should be anonymous or anonymised. If personal data is anonymised, then that data will no longer permit the identification of the data subjects (directly or indirectly). You should consult with your FREC/REC and provide appropriate justification and safeguards when submitting your application on URECA.
Additionally, you need to ensure that in converting disaggregated data into aggregated data, you do not inadvertently identify natural persons. For example, if processing gives rise to a description of a participant, such as “a well know sportswoman who represented her country in heptathlon”; this may make identity obvious if there is only one such individual of a given category.

What are 'appropriate safeguards'?

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The 'appropriate safeguards' must ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation.

There are several ways appropriate safeguards may be provided for. Appropriate safeguards may, for example, include the pseudonymisation and encryption of personal data.

What is meant by 'human tissue/samples' in this context?

'Human tissue/samples' refer to any constituent parts of the human body including whole organs, parts of organs and organ systems (such as heart valves, corneas, arteries, veins), bones, skin, blood, lymph, cerebrospinal fluid, cells and foetal tissue including cord blood; it also includes products of the human body such as urine, sweat, tears, milk, hair and nails.                

What is 'voluntary informed consent' and how do I make sure I obtain it from my participants?

Voluntary informed consent is a very important concept within the context of the research ethics process with human subjects. Potential research participants need to be given sufficient information about a study, in a format they can understand, to enable them to make an informed decision about whether or not to participate.   

How can I ensure that informed consent/assent is voluntary?

Researchers should ensure that consent/assent is obtained voluntarily, without any coercion or pressure on participants, by upholding all ethical freedoms, including the freedom to withdraw from participation and/or to ask for data about him/herself to be removed from the record. It must also be ensured that there will be no detriment if there is a refusal to participate. This also implies that if any inducement is offered to participants, it should not diminish the 'voluntary' principle. To keep to the spirit of the 'voluntary' element, when parental consent is granted by parents of minors (under 18 years of age) for their children to participate in research projects, the assent of children should also be sought. No child should be coerced into participation, even if parental consent has been forthcoming. If you are not intending to obtain their assent for some reason, it will be important to explain why. 


How do I obtain consent from online or remote participants?

When data collection is taking place online or remotely, researchers must adapt their method of obtaining consent.  Details of appropriate steps can be found in the document entitled 'Obtaining consent from online/remote participants '.


What is the distinction between 'opting-in' and 'opting-out' when obtaining consent?

Both 'opt-in' and 'opt-out' methods of obtaining consent follow fundamental principles in that the consent must be obtained from participants who are free to give this voluntarily, after they have received appropriate and honest information about the research project and the nature of what is required of them. They should be given some time to reply to the request to participate before the research may commence. Additionally, regardless of whether the consent is obtained by the ‘opt-in’ or the ‘opt-out’ method, researchers are obliged to keep all standard promises and guarantees to participants regarding privacy, confidentiality and anonymity, no detriment arising from refusal to participate or withdrawal, etc.

The difference between the two forms lies in the manner in which participants give consent.  In the ‘opt-in’ method, participants signal their active consent by either signing a consent form, or agreeing verbally before a witness or in an audio-recorded manner.  This ensures a verbal or written record of the consent/assent, which is often a standard requirement.

In the 'opt-out' method, once participants are given information sheets/recruitment letters with relevant contact information, a time-limit is set during which they may signal either verbally, or through an ‘opt-out form’, that they do not wish to participate in this research.  This ‘opt-out’ declaration should be kept in the record and fully respected by researchers. If the time during which participants could indicate their decision has elapsed, and they have not opted-out, then it will be taken for granted that they have opted-in. Of course, participants may still opt-out at a later date, if they so choose.                      

When may opt-out consent be used?

There is no one standard answer to this, since research ethics are context specific. You should ask your FREC/REC to guide you on this. Additionally, reviewing the type of decisions taken by researchers in your field of studies regarding this will add further insight. Usually, when research with human subjects involves direct contact, such as with interview or focus group research, the opt-in method is preferred. It is also preferred when you are working with children or with groups who may be considered vulnerable in your field of studies.
The opt-out method is often used to increase the size of a sample for a survey. However, it would be discouraged if the survey included the collection of data from children or vulnerable adults about sensitive topics. In this case or others like it, the opt-in method with parents/legal guardians and with children, would be preferred. The opt-out method is also used to collect data in observational studies which include participants who are 'hard to reach'. For example, an observational study of youth who may not easily return consent/assent forms, might avoid sample bias by using the 'opt-out' method.

What if my research requires permission from one or more cooperating institutions?

If your research involves a cooperating institution (such as a school or hospital), you may be required to obtain permission from the cooperating institution before being able to proceed with your research. If you are unsure of whether such permission will be required for your research, please check with your FREC/REC.
If permission is required, you should always ensure that it is granted by an appropriate person holding relevant responsibilities within the organisation. Copies of permissions should be provided to your FREC/REC prior to the start of your research.

Be aware that permission is always required if you intend to recruit participants from the University of Malta by contacting them through the Registrar's Office or by having that office distribute questionnaires or other research materials on your behalf.

If you are a student applicant and need to have research materials distributed by the Registrar's Office, or to recruit research participants through that office, then you must seek prior approval from your FREC/REC, before contacting the Registrar's Office (Please see the following FAQ for details on when students need prior FREC/REC permission before approaching cooperating institutions).

Non-student applicants may contact the Office of the Registrar directly. However, if your REDP application requires FREC/REC approval for any reason (e.g., use of vulnerable participants, risk of harm), please await the outcome of that assessment and forward the approval along with your request to the Office of the Registrar. If your REDP self-assessment indicates you can begin your research without FREC/REC approval, please indicate this when contacting the Office of the Registrar.                      

What if my research requires FREC's/REC's prior permission before I can approach cooperating institutions?

If you are a student applicant and need to have research materials distributed by the UM Registrar's Office, or to recruit research participants through that office, then you must seek prior approval from your FREC/REC, before contacting the Registrar's Office.

Importantly, some FRECs/RECs also require students to obtain prior approval from them BEFORE approaching ANY cooperating institutions. Please check with your FREC/REC whether such approval is required if your research involves cooperating institutions.

If prior FREC/REC approval is required, you will need to respond 'Yes' to the relevant question on the REDP form (Q17) and provide drafts of the letters you intend to send. You must wait for approval from the FREC/REC before contacting the institution. Once you have FREC/REC approval, send your request letter to the institution.  When they respond with permission, forward this to FREC/REC for their records prior to the start of your research.

If prior approval is not required by your FREC/REC, you should answer 'No' to the relevant question on the REDP form (Q17). Simply include relevant materials (i.e. your letter asking for permission) with your REDP submission and proceed as above, that is, send your request letter to the institution and once you have obtained permission, forward this to FREC/REC for their records prior to the start of your research. 


What if there are possible risks to the researcher or to members of the research team?

It is important in any research project to ensure the safety of all researchers involved. There may be various types of risk that researchers may face, including: i) Risks to physical safety (e.g. accidents, assault, disease); ii) Risks of psychological trauma (e.g. threats, traumatising disclosures); iii) Risks of being placed in compromising situations (e.g. being implicated in illegal activities); iv) Risks of causing harm to others.

The nature of risks involved will vary depending on the subject area of the research. Examples of situations in which risks may arise include working with potentially dangerous substances in a laboratory, conducting fieldwork in remote or high-risk locations, or interviewing research subjects in their homes.

You are advised to reflect carefully on any risks that the research may pose to you and/or to other members of the research team, and if necessary, to discuss suitable safeguards/mitigation measures with your supervisor and/or FREC/REC. In all cases, suitable risk avoidance and/or minimisation measures should be identified. For example, if working in a laboratory, you should ensure that you are adequately trained and aware of safety protocols to be adopted in case of accidents. If your research involves work in isolated or risky areas or potentially dangerous or compromising situations, you should ideally avoid conducting fieldwork alone and/or ensure that others are aware of your whereabouts.
When filling in the form, you should elaborate on the nature of the risks involved, why such risks are unavoidable, and related mitigation measures. 

What is considered to constitute harm to the environment and what should I do?

Certain types of research could potentially lead to significant harm to the environment, for example by employing destructive or intrusive research techniques, or by using elements that may cause harm to species or to other living or non-living components of the natural environment. You should carefully reflect on whether your work poses any such risks of significant harm to the environment, and how you can avoid or reduce these.

This applies, in particular (but not exclusively) if your research involves any of the following: i) Endangered, vulnerable or otherwise threatened or restricted, species, populations, or habitats; ii) Introduction of biological material into an area where this is not native, or risk thereof; iii) Relocation of biological material, or risk thereof; iv) Introduction or release of genetically modified material, or risk thereof; v) Release of toxic, radioactive, cumulative, and/or persistent pollutants, or risk thereof; v) Depletion of scarce natural resources.

When filling in the form, you should elaborate on the nature of the risks involved, why such risks are unavoidable, and related mitigation/compensation measures.                               

What are commercially sensitive data?

If your research makes use of data that may be commercially sensitive (i.e., has economic value or could cause economic harm if known), specific aspects need to be considered to ensure that relevant commercial interests are adequately safeguarded. Commercially sensitive data may include: i) Confidential intellectual property (including know-how, trade secrets – e.g. product formulas, programs, customer lists, marketing strategies, etc.); ii) Commercial confidences (e.g. financial data, contracts, a company’s development plans, pending mergers, identity of shareholders, etc.).

As a first step, the researcher should ensure that the principle of data minimisation is being respected, i.e., can the research purposes be achieved without such processing? If yes, then no such processing should take place. If, however, there is no way to achieve the research objectives without processing of such data, related safeguards may include: i) Ensuring adequate security measures are in place to limit access to the data only to yourself and/or other members of the research team (e.g., encryption); ii) Limiting the extent to which commercially sensitive information can be deduced from published outputs of the research, potentially through means such as limiting access to raw data, presenting data in aggregated form, or even potentially embargoing certain aspects of your work. In specific cases, it may be possible to make available certain data to interested parties subject to non-disclosure agreements.

It is furthermore critical to ensure that entities/individuals who may be affected by the publication of your work are fully informed of the potential implications, as well as the measures that you are taking to safeguard their interests, and that you obtain their prior informed consent.

When completing the application form, you should provide details regarding the nature of the commercially sensitive data, why processing of such data is necessary, and of safeguards that you plan to implement. You should also explain how you will ensure that those potentially affected are fully informed and how you intend to obtain their consent.

If you are unsure as to whether the data you are using may be commercially sensitive, please consult your FREC/REC.  

What if I need research tools that have specific criteria or require permission/licenses for use?

Some research tools cannot be used unless explicit permission for such use has been granted by those who have created them or who hold intellectual property rights/copyrights. For example, if you wish to use a scoring tool developed by another researcher, you may first need to obtain the researcher’s permission for such use.

In some cases, research tools may only be used by researchers meeting specific criteria. For example, the authors may specify that a particular research tool should only be used by researchers at postgraduate level and above, or who have had training in particular subject areas.

If you plan to use any such research tools, please provide details in the form provided, including, as relevant, what permissions are required, whether any criteria apply, and how you meet these criteria. If permissions are needed, you should provide proof that such permissions have been obtained, or if this is not possible, explain how you plan to obtain the necessary permissions.

What if I’m collaborating with low or lower-middle income countries?

The World Bank assigns the world’s countries to four income groups – high, upper-middle, lower-middle, and low income. You can check the income status of a country via the World Bank Open Data website. Note that income classifications are revised periodically, and you should therefore check for any updates to country status before submitting your form.While research collaborations with low/lower-middle income countries are encouraged, it is necessary to ensure that such research does not raise ethical concerns. In the first place, it is important to ensure that such countries are not utilised for research that would not normally be permitted elsewhere. It is therefore important to confirm that the research activity to be carried out could have been legally carried out within the EU. It is also important to consider whether the research activities to be carried out could potentially put collaborators or research subjects at risk in any way. Please refer to the FAQ on harm for further details. When collaborating with low/lower-middle income countries, researchers are also strongly encouraged to consider how they could contribute to local capacity building, and to demonstrate responsiveness to local research needs.

If your research involves the use of resources (data or materials) from such a country, it is particularly important that any benefits arising from research are shared with the relevant countries and when applicable, that intellectual property rights are shared in a fair manner. It is also important that use of resources from any country respects local law and/or customs and that any necessary permissions are obtained. If your research involves human subjects, you will need to provide evidence of ethics approvals from the country in question, if relevant. There are also specific legal requirements concerning the use of genetic resources, of plant, animal, bacterial, or other origin, or of traditional knowledge associated with such resources. If your research involves such resources, you should carefully consult the EU Regulation on Access and Benefit Sharing (ABS).

 When completing the form, you should specify the countries involved and provide details of the collaboration, including of specific activities involved. Please provide details of any planned capacity building actions. If no such actions are planned, a reasoned justification should be provided.  Furthermore, if your research involves the collection of data/materials from low income and/or lower-middle income countries, you should indicate this when completing the form, specify the countries involved and the nature of data/materials to be collected, provide proof of permissions/licenses (if applicable), and provide details of any benefit-sharing measures to be implemented. If no such measures are envisaged, a reasoned justification should be provided. If relevant, details should also be provided regarding allocation of intellectual property rights. 

What if I plan to import/export records, data or materials?

Importation and exportation involve moving resources into or out of a country, from/to another country. If you plan to import and/or export any records, data or materials, it is important to ensure that these can be lawfully imported/exported to/from the countries concerned, and to obtain any necessary permissions for doing so.

When completing the form, please provide details of the records, data or materials involved, indicate when in the project import/export are expected to occur, and specify the countries involved. If necessary, you should also provide copies of import/export permissions. Note that there may be additional requirements for/restrictions applying to import/export of certain types of records, data or materials, including human cells or tissues and personal data. If your research requires such imports/exports, you should familiarise yourself with relevant legislation of all countries involved and, if necessary, seek further guidance from your supervisor and/or FREC/REC. 

What if my research involves the transfer or sharing of personal data with researchers outside of the EU?

If you are planning to transfer or share (i.e., export) identifiable personal data of any kind with researchers outside of the EU or EEA, then you will need to provide evidence that such data will be given the same level of protection as that afforded within the EU by virtue of the GDPR.

This not only applies to physical transfers of records, but also to the situation where data held on a server within the EU is made available to researchers in a third country.

The rules governing the transfer of personal data outside of the EU are set out in Chapter 5 of the GDPR

However, given the complexity of the issue, you are strongly advised to seek the guidance of the UM legal office to ensure that any international data transfers comply with EU law. 

There are some additional notes about data transfer outside of the EU on the UREC resources page. 

Briefly, such transfer are only permitted if you can show that o) there is an "adequacy decision" in place between the EU and the country in question, or; ii) “appropriate safeguards” have been put in place for your specific data transfer, or iii) your planned data transfer falls under a list of explicit “exceptions” detailed in Article 49 of the GDPR. 

An adequacy decision is a finding by the EU that a given country provides a level of protection that is sufficient to warrant safe data transfer. The list of countries with such adequacy decisions is updated periodically, and can be found here

The list of appropriate safeguards is given in detail in Article 46 of the GDPR. Briefly, these may consist of i) Legally binding and enforceable instruments between public authorities or bodies; ii) binding corporate rules iii) approved standard data protection clauses; iv) approved codes of conduct or certification, together with binding and enforceable commitments on behalf of the receiver to apply the appropriate safeguards; v) specific contractual clauses or administrative arrangements between data controllers and prospective data processors or between public authorities/bodies, which include enforceable and effective rights for the individuals whose personal data is to be transferred. 

Finally, the list of exceptions which allow for data transfer outside of the EU is given in Article 49 of the GDPR. These include i) situations in which the individual has given his or her explicit, informed consent to the transfer and has been made aware of the lack of an adequacy decision and appropriate safeguards; ii) there is or will be a specific contract in place that requires such data transfer; iii) the transfer is necessary for important reasons of public interest; iv) the transfer is necessary for the establishment, exercise or defence of legal claims; v) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; vi) the data transfer is being made from a publicly available source; vii) the data transfer is of a restricted nature and can be shown to be in the applicants compelling, legitimate interests.

Again, given the complexity of the issues surrounding international data transfer, you are strongly advised to seek the guidance of the UM legal office to ensure full compliance with the GDPR.

Further information for researchers intending to harvest social media data can be found here: Data Transfer Additional Information

What if I plan to harvest social media data?

Use of social media has grown significantly in recent years and these can provide rich sources of data for research. This data can be harvested, i.e., extracted from online sources for subsequent use. However, use of such data can potentially raise ethical concerns. Some areas of concern include the following: i) Whether such data should be considered private or public; ii) Whether social media users can be considered to have provided informed consent for their data to be used for the research; iii)The extent to which data can be fully anonymised, such that original sources cannot be deduced; iv) Potential risk of harm to social media users, particularly when data involve personal or sensitive data, or the disclosure of a user’s posts to new audiences; v)Data potentially obtained from vulnerable participants; vi) Issues of data ownership and intellectual property.

Further information for researchers intending to harvest social media data can be found here:  UM Research Ethics and Data Protection on the Use of Data from Social Media .

What are 'special categories of personal data'?

‘Special categories of personal data’ (SCPD) are personal data (as explained below) that need more protection because they are sensitive. The GDPR defines special categories of personal data as: personal data revealing racial or ethnic origin; personal data revealing political opinions; personal data revealing religious or philosophical beliefs; personal data revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life; and data concerning a person’s sexual orientation. 

SCPD do not include data about criminal allegations, proceedings or convictions, because separate rules apply. Please refer to the Guidelines on Research with Incarcerated Persons. 

Anonymous data do not constitute SCPD, even if they form part of any of the above-mentioned special categories. Therefore, applications that propose the processing of special categories of data in an anonymous form do not require UREC-DP review and the IDPC’s approval. However, a number of conditions must be met to classify data as truly anonymous. Please read the FAQs below that define personal, anonymous and pseudonymous data.


What are ‘personal data’?

 ‘Personal data’ are defined as information relating to an identified or identifiable person (Article 4(1) GDPR). Recital 26 of the GDPR specifies that: 

"To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments."

If a natural person is identifiable, then the data has not been anonymised and therefore remains in the scope of the GDPR.

In Breyer (C-582/14, 43) the CJEU (Court of Justice of the European Union) set out that the wording of the law “suggests that, for information to be treated as ‘personal data’ […], it is not required that all the information enabling the identification of the data subject must be in the hands of one person.” In that case, the CJEU further noted that the test of means reasonably likely to be used to identify a natural person would not be met “if the identification of the data subject was prohibited by law”.

Data first considered anonymous may be (re-)identified. That is, the same piece of data may legitimately be considered anonymous at the time of collection, but be classified as personal data at a later point in time, simply by virtue of technological progress. Therefore, the assessment must be context-dependent.


What are ‘anonymous / anonymised data’ and ‘pseudonymous / pseudonymised data’?

Anonymous or anonymised data are data that do not relate to an identified or identifiable person, or to personal data ‘rendered anonymous in such a manner that the data subject is not or no longer identifiable’ (Recital 26 GDPR). Data protection law (including the GDPR) does not apply to anonymous data.

Pseudonymous or pseudonymised data are data that “can no longer be attributed to a specific data subject without the use of additional information” (Article 4(5) GDPR), such as linked pseudonyms or codes, provided that such additional information is kept securely and separately from the personal data. Pseudonymous or pseudonymised data still pertain to an identifiable person and are thus subject to data protection law (Recital 26 GDPR).

A distinction may be made between:

(a) Anonymity at data collection stage, i.e., where data are collected in an anonymous format, for example: i) Through online surveys that do not record any online identifiers (such as email or IP addresses) or personal or demographic data that may lead to the identification of respondents; ii) Through other data collection methods where participants are identifiable to the researchers but their personal data are not recorded anywhere (e.g., on consent forms, data collection sheets, or audio/video recordings).

Data protection law does not apply to these types of data, even if they fall into any of the special categories specified by the GDPR.

(b) Anonymity / anonymisation, or pseudonymisation, during data processing (including storage and analysis), i.e., where data are collected in an identifiable format, but then anonymised or pseudonymised.

(c) Anonymity or anonymisation at publishing stage, i.e., in research outputs.

Researchers should note that, for as long as they retain personal data (including consent forms) and codes / pseudonyms linking the data to identifiable research participants, that data is considered to be pseudonymised not anonymised, and participants remain identifiable to whoever has access to the codes and personal data. It is only if and when all personal data (information relating to an identified or identifiable natural person) are deleted that the research data is considered to be anonymised.


In terms of 'special categories of personal data'/'sensitive personal data' what is meant by 'philosophical beliefs'?

Philosophical beliefs refer to beliefs about morality and ethics, or norms and values, such as humanism, atheism, liberalism, feminism, amongst others.  They refer to beliefs about such issues as the death penalty, euthanasia, abortion, capitalism or anything in the field of morals or ethics which derive from a specific philosophy.

What ethical issues should I consider regarding the retention and destruction of research records, data and materials?

General ethical principles regarding the retention and destruction of research records, data and materials should be followed. These includes giving accurate information to human subjects regarding   your retention and destruction plans and upholding the promises made when these subjects gave consent to participate as research subjects.  Materials should be kept safely and for specified lengths of time. Research records should be stored securely and separately from data and materials. The principles of necessity, minimisation and proportionality should be followed.

Apart from general principles, you should also adhere to discipline specific guidelines established by the professional and academic associations in your field of study, since research ethics are context specific.                      

What is the distinction between research records, data and materials?

Research records refer to documents that are kept regarding the process of collecting data. They include permission and information letters, signed consent/assent forms, field note diaries or log books, list of names, addresses and other contact details   of participants and others.  Since these records often hold sensitive and other personal data, special care must be taken to keep them secure from unauthorised use.  Some research records, such as anthropological field diaries or laboratory log books, may, with time, become historical data of scientific value in their own right.

Research data include the data collected during the research period which will be used for the purposes of analysis and prepared for publication.  Research data from human subjects may be either collected in forms in which they are already anonymised (as with those surveys where respondents cannot be identified) or converted into forms (as with pseudonymisation or coding) that make it difficult, but not impossible, to trace back to an identifiable natural person.   Researchers will have to determine in what form data will be retained and destroyed such that research subjects will be protected. Whether the identification of natural persons is reversible or irreversible will impact decisions regarding the length of the retention of such records and data.

Other data include materials such as tissues, plants and other materials.  Here, safety and integrity of the data become paramount issues in the retention and destruction of them.

In all cases, principles of necessity, proportionality and minimisations will need to be considered in a Data Management Plan.

Why are research records, data and materials retained and not automatically destroyed on publication of a research study?

Research records, data and materials may be kept for ongoing scientific and/or scholarly research, for determining or defending intellectual property rights and/or for upholding the rights of research subjects to make legal claims (i.e. regarding research misconduct).

Additionally, the University of Malta and/or other funders may seek to access these records for audit purposes or to defend claims made against them as sponsors of research that may be deemed unethical. These records, data and materials may also be of lasting scientific and academic value, or have value as historical sources (i.e., in the history of a discipline).

How long should research records, data and materials be retained?

There is no single answer that covers all types of records, data and materials. The decision regarding retention of research records, data and materials can only be taken after discipline specific issues are considered and weighed up with reference to discipline specific guidelines and legal requirements. Your FREC/REC should guide you on this.
Many international universities recommend periods from 6 to 10 years retention after publication. Extensions of these limits are encouraged, especially regarding   research records, when the research has involved invasive procedures or psychiatric or similarly delicate studies. This also applies to research that may be considered sensitive, and with vulnerable subjects, especially children, where it is often recommended that records and data are retained for 10 years after the child participant has reached the age of majority (18 years of age). Routine studies with children which are not of this type or do not directly engage with individual children, should keep shorter time limits for retention of records, in keeping with the criterion of necessity and purpose, and the right to be forgotten.

Thus, regarding the retention and destruction of personal data, a balance should be sought between the retention of records and data no longer than is necessary (as per GDPR) and retaining them long enough to protect the rights of claimants to make claims, should there be unethical research.

Is retaining research data through Open Access research consistent with ethical standards regarding the retention and destruction of research data?

Currently, it is widely held that since large amounts of public funds are poured into research, then efforts should be made, within stringent ethical and other considerations (such as privacy, confidentiality, intellectual rights, commercialisation) to make research data available through Open Access. This is consistent with the ethical principles of proportionality and minimisation since it makes optimal use of data already collected. Here, data and materials that have been processed (i.e. coded, pseudonymised   and/or made safe) become available to other researchers for periods that exceed the lifetime of the project.   Data such as oral histories or other interview data, even when they are attributable, may, with the explicit voluntary informed consent of participants, be kept for posterity.

How can I organise my research regarding the ethical retention and destruction of research records, data and materials?

You should develop a UREC Data Management Plan  as part of the research process. You are expected to develop and record the appropriate procedures for the collection, storage, use, re-use, access and retention of research records, data and materials, in keeping with ethical standards set by your discipline/area of studies and by respective professional associations, as well as national and international law and other regulatory procedures (i.e. regarding invasive procedures or psychiatric studies).
The Data Management Plan should include a short account of the measure you will take regarding security of storage and access, where the records, data and materials are stored, how long they will be retained and what will happen to them after the study is complete, whether deletion will be reversible or irreversible, what data backup policies will be used, and what special measure taken regarding personal data.


When do I need to engage an intermediary?

A fundamental principle of research involving human participants is that participation should be voluntary, i.e., free of coercion and undue influence. There are some circumstances when a researcher should avoid contacting potential participants directly and should instead engage an intermediary to do so. 

When a power relationship exists between a potential participant and a researcher, real or perceived pressure to participate may occur. For example, patients may feel pressured to participate in a study if consent is requested directly by the physician/health care professional by whom they are being treated. A similar circumstance is the power relationship between educators and students. Even in the absence of overt coercion, participants might consent merely because of deference to the researcher’s position of power or because they fear being treated differently should they refuse to participate (even though they may be assured that this is not the case). 

When such a power imbalance exists, the researcher may need to engage an intermediary who will provide potential participants with information about the study and with instructions on how to contact the researcher, should they wish to take part. The intermediary should be well-informed about the study but should not be involved in the research itself, nor in direct patient/client care. 

There may also be other situations where an intermediary should be considered - for example, when this is required or expected by cooperating institutions (such as schools or hospitals) or where there are language or cultural barriers that may impede participation. Conversely, there may be situations where an intermediary may not be necessary, even though there is a power imbalance - for example, in the case of a lecturer asking students to voluntarily fill in an anonymous online questionnaire. 

Researchers are advised to check with their faculty/institute to see whether an intermediary is required for their research. 

What is the purpose of ethics review of research involving primary data from animals?

The ethical review process for research involving primary data from animals is intended to ensure compliance with relevant legislation, specifically  Legal Notice 161 of 2017 (Protection of Animals Used for Scientific Purposes Regulations).

What is the Joint FREC Animal Research Sectoral Subcommittee (JFARSS)?

The Joint FREC Animal Research Sectoral Subcommittee (JFARSS) is a specialised subcommittee set up to advise FRECs on animal research ethics. If your research involves harm to living animals and/or the use of non-legally obtained animals/tissue, then your FREC will consult with the JFARSS. You may be required to provide the JFARSS with additional information on your animal research. The JFARSS will advise the FREC on how to proceed with the animal research aspects of your submission.

The JFARSS may provide informal advice concerning the use of animals in research during the formulation of a research project. You can contact JFARSS here.

For purposes of ethics review, what is considered an animal?

The Animal Regulations (ARs) only apply to: A) Live cephalopods; B) Live non-human vertebrate animals, including: i)Independently feeding larval forms; and ii) Foetal forms of mammals as from the last third of their normal development. The ARs also apply to animals at an earlier stage of development than that referred to above, but only if the animal is to be allowed to live beyond that stage of development and may experience pain, suffering, distress or lasting harm after this stage.The ARs apply until animals falling within any of the above categories are killed, rehomed, or returned to a suitable habitat or husbandry system.   

Are relevant ethical considerations when working with dead animals/tissues?

The Animal Regulations only apply to live animals; there are therefore no relevant provisions regarding the use of dead animals/tissues in research arising from this legislation. However, you still need to ensure that the animals/tissues have been obtained legally or from a legal source. Legal sources may be licensed commercial outlets, or donations by persons or institutions who have themselves obtained the animals legally and who are authorised to donate them. Furthermore, if working with protected species, whether dead or alive, in whole or in part, you are responsible for ensuring that all necessary permits have been obtained.

What is considered to constitute use of animals for scientific purposes?

The Animal Regulations (ARs) apply only to animals that are used or intended to be used in procedures. A procedure is defined by the ARs as any use, invasive or non-invasive, of an animal for experimental or other scientific purposes (with known or unknown outcome), or educational purposes, which may cause the animal a level of pain, suffering, distress or lasting harm equivalent to, or higher than, that caused by the introduction of a needle in accordance with good veterinary practice.  

Can some animal work not involve procedures?

Yes. The following are NOT considered procedures: a) Observing animals in nature; b) Capture to take non-invasive measurements and subsequent release; c) Practices undertaken for the primary purpose of identifying an animal; d) Non-experimental agricultural/clinical veterinary practices; e) Practices undertaken for the purposes of recognised animal husbandry.   

It should be noted that, even if anaesthesia, analgesia or other methods are successfully used during procedures, animals remain subject to the provisions outlined in the Animal Regulations.  

Do animal regulations apply if I use anaesthesia, analgesia or similar methods?

Yes. Even if anaesthesia, analgesia or other methods are successfully used during procedures, animals remain subject to the provisions outlined in the Animal Regulations.                      

Can any animal be used in procedures?

No. According to the Animal Regulations, animals taken from the wild, and stray/feral animals of domestic species should not be used in procedures. There are also restrictions on the use of endangered species and non-human primates. 

What are the ways that animals can be harmed other than the ‘procedures’ as defined in the legislation?

Harm to live animals can take various forms, including: i) Direct physical harm, i.e., a level of pain, suffering, distress or lasting harm equivalent to, or higher than, that caused by the introduction of a needle in accordance with good veterinary practice; ii) Prolonged fear and/or psychological distress; iii) Loss of the animal’s ability to fulfil natural behaviours and/or social deprivation; iv) Death, or risk thereof.

In the case of research involving free-living animals in their natural habitats, harm can also arise from excessive disturbance to the animals being investigated, or to other animals.

In the case of animals captured from the wild and subsequently re-released to their natural environment, harm can also result if the ability of the re-released animal to survive in the wild is compromised in any way. This can occur due to interventions that result in permanent disruption of social groups/dynamics, permanent disruption of interactions between/within species and/or between species and their habitats, permanent displacement of individuals, rejection of the released individual by conspecifics, and/or habituation of animals to humans, among others. Such consequences may be immediate or delayed. Harm can also arise from incidental capture of animals other than those being investigated.

When determining whether your research poses a risk of harm, you should consider all of the following: i) Harm arising specifically as a result of the procedures and/or research undertaken;  ii) Contingent harm not directly related to the research (e.g. stress resulting from capture, handling, transport, or from being housed in a cage); iii) Cumulative harm, i.e., the net result of all impacts arising from the research and contingent harm over the entire lifetime of the animal.

If your research poses any risk of harm to animals, please indicate this on the form and consult your FREC/REC. If there is no alternative to the use of animals in your research, you should ensure that you apply all necessary precautions and employ best practices to minimise harm to the greatest degree possible.

My research does not require detailed review. Is there anything else I need to know?

Even when detailed review is not required, University researchers are expected to abide by general ethical principles concerning the use of animals in research. In particular, please ensure that you have given due consideration to the following principles of Replacement, Reduction and Refinement:

Replacement: Wherever possible, a scientifically satisfactory method or testing strategy, not entailing the use of live animals, should be used instead of a procedure.

Reduction: The number of animals used in projects should be reduced to the minimum possible without compromising research objectives.

Refinement: Methods of breeding, accommodation and care, and methods used in procedures, should eliminate or reduce to the minimum possible any pain suffering, distress or lasting harm to animals.

Please click here to open an expanded version of these FAQs that may be searched by keyword (use Ctrl+F  for PC or ⌘ + F for Mac).