Whose data is it anyway? The importance of Information Governance in Research

Guest post by Preeti Matharu, Jack Hindley, Victor Olago, Angharad Green (ARC Research Data Stewards), in celebration of International Love Data Week 2025

Research data is a valuable yet vulnerable asset. Research data is a valuable yet vulnerable asset. Researchers collect and analyse large amounts of personal and sensitive data ranging from health records to survey responses, and this raises an important question – whose data is it anyway?

If data involve human subjects, then participants are the original owners of their personal data. They grant permission to researchers to collect and use their data through informed consent. Therefore, responsibility for managing and protecting their data, in line with legal, regulatory, ethical requirements, and policies lie with researchers and their institution. Hence, maintaining a balance between participant rights and researcher needs.

Under the General Data Protection Regulation (GDPR) in the UK and EU, participants have the right to access, update and request deletion of their data, whilst researchers must comply with the law to ensure research integrity. However, under the Data Protection Act, research data processed in the public interest must be retained irrespective of participant rights, including the rights to erase, access and rectify. UCL must uphold this requirement while ensuring participant confidentiality is not compromised.

Information governance consists of policies, procedures and processes adopted by UCL to ensure research data is managed securely and complies with legal and operational requirements.

Support for information governance in research is now provided by Data Stewards within ARC RDM IG. That’s a long acronym, let’s break it down.

• ARC: Advanced Research Computing – UCL’s research innovative centre and provides 1. Secure digital infrastructure and 2. Teaching software.
• RDM: Research Data Management – assist researchers with data management.
• IG: Information governance – advise researchers on compliance for managing sensitive data.

Data Stewards – we support researchers with data management throughout the research study, provide guidance on data security awareness training, data security requirements for projects, and compliance with legal and regulatory standards, encompassing the Five Safes Framework principles. Additionally, we advise on sensitive data storage options, such as a Trusted Research Environment (TRE) or the Data Safe Haven (DSH).

Furthermore, we emphasise the importance of maintaining up-to-date and relevant documentation and provide guidance on FAIR (Findable, Accessible, Interoperable, Reusable) data principles.

As stated above, data can be vulnerable. UCL must implement strong security controls including encryption, access control and authentication, to protect sensitive data, such as personal health data and intellectual property. Sensitive data refers to data whose unauthorised disclosure could cause potential harm to participants or UCL.

UCL’s Information Security Management System (ISMS) is a systematic approach to managing sensitive research data to ensure confidentiality, integrity, and availability. It is a risk management process involving people, processes and IT systems. The key components include information management policy, identifying and assessing risks, implementing security controls to mitigate identified risks, training users and continuous monitoring. The ISMS is crucial in research:

1. It protects sensitive data; without stringent security measures, data is at risk of being accessed by unauthorised individuals leading to potential theft.
2. It ensures legal and regulatory compliance i.e. GDPR and UCL policies. Non-compliance results in hefty fines, legal action and reputational damage.
3. Research ethics demand participant data is handled with confidentiality. The ISMS ensures data management practices, data anonymisation, and controlled access whilst reinforcing ethical responsibility.
4. It reduces the risk of phishing attacks and ransomware.
5. It ensures data integrity and reliability – tampered or corrupted data can lead to invalid research and waste of resources.

UCL practices for Information Governance in research:

• Data security – Use encrypted storage, access controls and secure platforms like TRE or DSH.
• Ethical responsibility – Data protection office and Ethics obtain informed consent from participants and ensure they fully understand how their data will be used.
• Data Security Awareness training – Ensure researchers have completed and regularly review their training.
• Information Security Group – Conduct regular audits, identify vulnerabilities and mitigate potential risks.
• Contract Services – Review all research related contracts.

In response to the question, whose data is it anyway? Data may be generated by participants, but the overall responsibility to use, process, protect, ethically manage lies upon the researchers and UCL. Additionally, beyond compliance and good information governance, it is about ensuring research integrity and safeguarding the participants who make research possible.