Ethics and your research data

We encourage you to discuss any questions regarding research ethics with the SFU Office of Research Ethics

Identifying how ethical requirements for your data will be satisfied is an important component of planning for data management.

Ethical guidelines for research data

Some of the primary ethical guidelines relating to research data in Canada include:

Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans – TCPS 2
There are implications for data management across the entire Statement, but in particular see Chapters 3, 5, and 9. The Statement and associated policies are managed by the Tri-Agencies Panel on Research Ethics.  

Tri-Agency Framework: Responsible Conduct of Research
Policies and requirements, from applying for funds to responding to allegations of a breach. 

First Nations Principles of OCAP®
The First Nations Information Governance Centre provides a set of standards that establish how First Nations data should be collected, protected, used, or shared. The OCAP® principles have existed since 1998, and refer to the Ownership, Control, Access, and Possession of First Nations data. 

CARE Principles for Indigenous Data Governance
Drafted by the Global Indigenous Data Alliance, these principles advance Indigenous self-determination in relation to data management and sharing by addressing Collective benefit, Authority to control, Responsibility, and Ethics.  

Legal constraints, human subjects, populations at risk

There could be legal constraints preventing you from sharing your data, if for example your data contains trade secrets or commercial information. If your research involves human subjects or other populations at risk (e.g., endangered species), you need to ensure their confidentiality. 

For data from human participants, risk can be broadly categorized into the following levels as described in Part 2: Human Participant Research Data Risk Matrix of the Sensitive Data Toolkit developed by the Digital Research Alliance of Canada: 

Low Risk

Publicly available data where there is no reasonable expectation of privacy, regardless of sensitivity or identifiability. 

Data collected with no information that could reasonably identify individuals or groups. Data contains no confidential, private, or sensitive information. 

Data subjects are not vulnerable in the context of the research and would not be harmed if a breach were to occur.

Medium Risk

All identifiers collected have been stripped so that data to be deposited has no information that could reasonably identify individuals or groups. 

Data may contain information originally collected as confidential, private or sensitive. 

Data subjects are not vulnerable in the context of the research and would not be harmed if a breach were to occur.

High Risk

Identifiers remain and/or (re)-identification is possible or probable. 

Data contains confidential, private or sensitive information. 

Data subjects may be vulnerable in the context of the research and may be harmed if a breach were to occur.

Extreme Risk

Data acquired through an agreement (formal or informal) with a custodian, barring further use or retention. 

Identifiers remain and/or (re)-identification is possible or probable. Data contains confidential, private or sensitive information. 

Data subjects are vulnerable in the context of the research and would be harmed if a breach were to occur.

The risk level of your research data will determine the types of active data storage and data security safeguards you should use. 

Working with sensitive data

In general, you will need to take extra care to manage de-identification or anonymization of sensitive data. In most cases it is not sufficient to simply remove directly identifying information from a dataset, as it is possible to re-identify subjects using combinations of indirect identifiers. Our recorded workshop on data de-identification gives a more detailed introduction to some of the issues involved.

A three-part Sensitive Data Toolkit for Researchers has been developed for the Canadian context by the Sensitive Data Expert Group at the Digital Research Alliance of Canada: 

Sensitive data must also be protected by setting up and enforcing appropriate access security measures. The Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans (TCPS 2, 2022) provides examples of safeguards that can be implemented to secure data, organized into the following categories: 

  1. "Physical safeguards include the use of locked filing cabinets, and the location of computers containing research data away from public areas"
  2. "Administrative safeguards include the development and enforcement of organizational rules about who has access to personal information about participants"
  3. "Technical safeguards include use of computer passwords, firewalls, anti-virus software, encryption and other measures that protect data from unauthorized access, loss or modification". 

Even if your research does not involve humans, it is a good idea to secure your research data.  

Guidance and recommendations

For more details and guidance: