Please read through these guidelines carefully before completing your form as inadequate information may delay your project.
Please ensure your form is completed in a language that is comprehensible to a lay person. It is also recommend that applicants spell-check all files before submission, particularly participant-facing documents.
This should be the Principal Investigator (other collaborators are listed in section 1.3)
- This only needs to be completed for student projects which have been escalated by the department as requiring HSSREC review.
1.3. Other Investigators
- Please mention all other investigators involved regardless of their host institution.
- Please state here if the project has been referred from another Research Ethics Committee or from a delegated review process and explain why the project has been referred.
2.2 Estimated start date
- Please be aware that data collection may not begin until Full Approval from the Committee has been granted. Please check the date of the next HSSREC meeting and remember that although feedback from the meeting will be sent to you as soon as possible, this may take up to 10 working days. It should also be taken into account that you may need to make amendments to your application, following Committee feedback, before Full Approval is granted.
2.5 Type of Project
- The majority of projects coming through HSSREC will be 'Research'. This question seeks to identify any projects involving the NHS which may need further approvals or Sponsorship.
2.6 Research Sponsor
- This only applies to research projects which involve the NHS. If this does not apply to your project, please state N/A.
- Please state here which organisation/institute is funding the project. If the project is unfunded, please state N/A.
2.9 Links with other HSSREC applications
- For example, you may previously have had a pilot study approved through HSSREC, for which you are now conducting a follow up project.
- This only needs to give a brief outline of your project so that the Committee can understand the scope of the project and its context. Remember, the Committee is made up of experts from different fields, so any technical language specific to your discipline may need to be explained.
Risk and Ethical Considerations Checklist
This checklist provides detailed prompts to help you consider any ethical issues which may arise as part of your project. If you tick 'Yes' to any of these boxes, please provide further details in the spaces provided. Guidance for each point has been provided within the application form, however this guidance is not comprehensive. Please think carefully about how each question may be relevant to your project (some questions may not be relevant to your project). It is important to answer these questions honestly and give careful consideration to how any risks to participants or the researcher(s) will be minimised.
Study Design, Methodology & Analysis
5.1 Research Aims
- This only needs to be a brief statement to describe and justify your research question(s) (more detailed descriptions of methodology and data analysis should be given below in questions 5.3 and 5.4)
5.2 Project Objectives
- As above, this only needs to provide a very brief summary of any project objectives the study may have.
5.3 Study Design and Data Collection Methods
- More detailed information should be provided here on the methodology which your study will employ, giving particular focus to the parts of your study which involve human participants. Detailed guidance is provided within the question.
5.4 Data Analysis
- Please provide details of what data will be collected, how it will be collected, how and by whom it will be handled and analysed. Detailed guidance is provided within the question.
6.1 Number of Participants and Sampling Strategy
- This question is looking for justification for the number of participants you are planning to recruit. Please describe how many participants will be involved in the study and the rationale for this.
6.3 Inclusion Criteria
- Please give a summary (or provide a list) of inclusion criteria. What criteria will participants need to meet to be included in the study?
6.4 Exclusion Criteria
- Please provide details of any factors which will exclude participants from taking part in the study. Please note, if you are only aiming to recruit participants with very specific inclusion criteria, you do not need to provide an exhaustive list of exclusion criteria, only state 'those who do not meet the inclusion criteria'.
7.1 Obtaining Informed Consent
- Detailed guidance is provided within the application form.
- Please also consider whether multiple forms of consent need to be obtained (e.g. if you are working with groups of adults and children, do separate Participant Information Leaflets (PILs) need to be provided with language appropriate to each group?)
7.2 How Participants Withdraw
- Detailed guidance is provided within the application form
- Please be aware of the difference between a participant withdrawing their participation and withdrawing their data. It should be made clear in the PIL that the participant is able to withdraw their participation at any point during the study with no consequence to them. However, after a certain amount of time (e.g. after an article or book containing their data has been published) it will be impossible for the participant to withdraw their data. This should also be made clear to the participant in the PIL.
Data Collection, Use and Storage
Data Flow Map
A template data flow map has been provided to accompany the ethics application form to help determine who the data controllers and processors are in the project. Researchers do not have to use this template but can use this as a guide to design their own. The complexity of the data flow map will depend on the project, the number of collaborators/third parties and data processing activities.
A Data Controller is the party which determines the purposes and means of processing personal data. This means, the party who has control over what information is collected and how this will be used. It is possible for there to be more than one controller for each process, each with their own purpose.
A Data Processor is the party who processes personal data on behalf of the Data Controller. This is an individual or organisation who is processing data in accordance with someone else’s (the controller’s) instructions. Please refer to the ICO’s guidance if you are in any doubt.
The Data Flow Map should:
- document what happens to the data from the point of collection to the point of deletion (or review to decide if the data should be retained or deleted);
- account for the storage/processing of data within any third parties and also any cloud services (i.e. sharing or transferring the data for randomisation, analysis, transcription or other research activities);
- include details of how long information is retained at the various stages and who may be granted access to the data;
- consider arrangements for long term storage and archiving of the data.
Further guidance and support with regards to managing research data is available from the Library.
8.2 and 8.3: Type of Data Collected and Justification for Collecting this
‘What measures are being implemented to reduce or eliminate the risk to these participants’ data for the duration of the period that their personal data is collected and stored?’
This question is looking to determine what measures researchers are putting in place to reduce the risk to data at various stages such as:
- restricted access to the data
- password protection of systems
- ensuring that third party systems have been through the Information Security workbook
- data minimisation at the appropriate stage so only the required data sets are being held
- anonymising/pseudonymising data
- enforcing retention periods – when and how are copies of the data deleted
See below guidance on Question 8.10 for more detailed information on these points
Special Category Data – Additional Safeguards
- The processing of Special Category Data requires that an additional processing condition is satisfied in addition to the usual lawful basis for processing. More guidance can be found here: https://warwick.ac.uk/services/idc/gdpr/keyterms
8.7: Data Sharing
- Data sharing refers to the disclosure of data to third party organisations, or the sharing of data between different parts of the same organisation.
- Data sharing can be in many forms including: a reciprocal exchange of data; one or more organisations providing data to a third party or parties; several organisations pooling information and making it available to each other or different parts of the same organisation making data available to each other.
- Where personal data will be shared with a third party, including external collaborators, external transcription services and cloud service providers, there must be an appropriate data sharing agreement in place before any data transfer takes place. This must be signed off on behalf of the University and not the researcher themselves. Please contact your relevant department in Research & Impact Services (R&IS) for information on preparing data sharing agreements.
- Where data will be shared during or after the research process, whether this is with a supervisor, internal or external collaborator or another authorised individual, researchers should ensure they are using the Warwick email server and not personal accounts e.g. gmail or Hotmail. Files.Warwick is a secure tool researchers can use to store and share their research files securely, accessing them via a web browser. This is particularly useful when there is a need to share a file that is greater than the University's 10 MB limit for email attachments. These can also be shared with external individuals via a web browser.
8.8: Data Storage and retention
- Data storage refers to where data is located, either digitally or physically.
- Physical data, such as paper consent forms, should be stored in a secure location, for example inside a locked draw in your, or your supervisor's office. Access should be controlled appropriately.
- Digital data should be stored in line with University data security policies. Details of policies can be accessed here. As a general rule, research data should be stored on the University Server (M Drive) rather than on a personally owned device. This is secure and is backed up.
- If data must be stored on a mobile device (such as a mobile phone, or a dictaphone), this should be an encrypted device, and data must be transferred to the University Server as soon as possible.
- Data retention refers to the length of time that you must store your data. The university Research Data management Policy states that data should be stored for a minimum period of 10 years.
8.9 Sharing Data Outside the UK
- The University works with many organisations in Countries and territories which fall outside the European Economic Area (EEA). In order for us to continue to share personal data with organisations in these regions, the GDPR has additional requirements that researchers need to comply with when sharing data. Please contact researchgovernance at warwick dot ac dot uk for further guidance before making any data transfers outside the EEA for research purposes.
- Researchers also need to be aware that using international cloud-based services and international software/data collection methods may involve a transfer of personal data outside the EEA. Signing up to such a service in your role as a member of University staff may be binding the University (and not just yourself) to the service's contractual terms, which may not fully comply with the GDPR and therefore put the University at risk of a data breach. The risk is even greater where the data being shared is considered special category personal data or confidential information.
8.10 Compliance and Proportionality Measures to Satisfy DPA and GDPR
- This question addresses Article 5 of the GDPR: principles relating to processing of personal data. Any breach of this provision could result in substantial fines for the University and sanctions for the individual themselves. This question is looking for researchers to consider how they will address each data protection principle to ensure they will be compliant.
- There must be an established and documented lawful basis for processing personal data, for research, this is ‘task in the public interest’. For personal data to be used for research, researchers must ensure they employ safeguards including organisational and technical measures to prevent accidental disclosure of personal data to unauthorised individuals and to ensure no harm or distress is caused to individuals. These are as follows:
1. Data minimisation should be applied to the research project and the following 3 things should be considered:
1.1. Only the amount of data required for the study should be collected, from the minimum number of participants (researchers should justify this with a sample size calculation to evidence this is appropriate to the methodology, statistical analyses required and research outcomes/objectives);
1.2. The minimum amount of personal data should be collected from each participant, again justified by the research design;
1.3. The degree of sensitivity of the personal data collected should also be minimised - if special category (sensitive) data is not required to achieve the outcomes of the project, it should not be collected. E.g. is knowing a participant’s religious beliefs or ethnicity relevant to the research question? If not, it shouldn’t be collected.
2. Pseudonymisation/anonymisation - data should be anonymised/pseudonymised as soon as possible. Pseudonymisation involves the removal of direct or common identifiers from the data set, which are then replaced with a number or a code so data can be continually collected about an individual without recording their identity. For pseudonymised data to be secure, the key to re-identifying individuals from the data must be stored separately and securely to the research data. Access to this key should be restricted. If you no longer need to be able to identify a participant, the key should be destroyed. Data is only considered anonymous when there is no possible way to identify an individual either directly or indirectly from the data set.
3. Transparency - the data must be obtained openly and honestly and without any misleading intentions. Details of what personal data will be collected and how this will be processed (intended use), shared and stored should be explicit in the Participant Information Leaflet (PIL). The PIL needs to be specific to the research project but the PIL template provided will help to ensure transparency requirements are met. Participants should also be made aware of when their personal data will be deleted.
4. Fairness - data should only be handled in a manner that the individual would expect to be deemed ‘fair’. The use of the data should be made clear to participants at the outset, as above.
5. Technical measures for example password protection, encryption, restricted access, locked filing cabinets should be applied. All researchers should use University managed devices (laptops/PCs/phones) when processing personal data for research. Research data should be stored on University secure servers and for no longer than is entirely necessary. Any hard copy data e.g. consent forms should be stored in accordance with the University’s information handling procedure.
6. Data sharing – see above guidance for question 8.7. Confirm that arrangements have been made to ensure that all data sharing processes are GDPR compliant.
7. Data sharing agreements – see above guidance for questions 8.7 and 8.9 and confirm that any required data sharing agreements have been/will be put in place.
8. Information Security - information security workbooks should be completed where third party apps/services will be processing personal data on behalf of the University in a research project. For a list of University approved services for research e.g. transcription services, survey tools, please see the Information & Data Security webpage (please note, this is an ongoing project which the IDC team are continuing to add to).
9. Using data for new purposes: reuse of data for future research is not always known at the outset but if you are planning for the data to be made available for use in future research, this should be made clear to participants in the Participant Information Leaflet (PIL) and the consent form. Please note any future use of the data for research will require a new research ethics application to the relevant committee.
8.11 Future Use of Data
- Please decribe any future use of the data you are going to collect (e.g. if this is a pilot study which you may later expand on)
- This question is aims to discover where the results of the study will be published, who will have access to them.
- This is a good place to think about any Public Engagement activities which may result from the study (also known as 'Pathways to Impact'). Will these activities have any ethical considerations which the Committee can consider as part of your application?
- This section of the form is optional but it gives you the opportunity to include anything which has not been covered in the application form. For example, you may wish to add further information about any relevant experience or training you have which would help the Committee review your application.
- Please ensure that all supporting documents are attached along with your application.
- The Committee will need to review all materials relating to your application (e.g. if you have stated that your methodology includes interviews, you will need to include an interview topic guide, if you are using a questionnaire, you will need to include the questionnaire).
- Please ensure that all participant-facing documents are carefully proofread for spelling and grammatical errors. These documents will be on University of Warwick headed paper and should not contain any errors.
Your application, along with supporting documents, should be submitted to email@example.com
Any questions or concerns about your application which are not addressed in the above guidance should be directed to the HSSREC Secretary via firstname.lastname@example.org