Research Data Management

Guide to data management resources for researchers

Ethics + Privacy

Breaches of privacy in data reveal the importance of good data management practices. The consequences of a breach can include personal harm to those whose data was leaked, internal or external investigations, delays in research, reputational damage, and loss of funding. In designing data management plans (DMPs), researchers must ensure that their plan meets privacy legislation in all of the jurisdictions in which the research takes place. Researchers should consider using a range of data protection measures during the “data life-cycle”. These include:

  • Plan to minimize the collection of data. Only collect what is needed for the research.
  • De-identify data as soon as possible. If this is not possible, a higher level of data security must be observed to safeguard the original data.
  • Store and access research data only on computers connected to secure networks. Use secure data encryption if identifiable information will be stored on a networked computer, stored or transmitted via the web, or stored on a portable device such as a laptop or USB flash drive.
  • If there is a need to create databases or applications that use personal information, there should be a privacy risk assessment by a privacy expert. At Emily Carr University, consultation is available for researchers. Contact privacy@ecuad.ca.
  • When disposing of or transferring ownership of computers, CDs, USB keys, and any other form of electronic storage, make sure sensitive data is irretrievably deleted. When data includes personal information, consult a trained IT professional. Contact IThelp@ecuad.ca.

Confidentiality of Participants

When you’re considering how you will gather data, and whether the data can be shared once your project is complete, you will need to think through whether participants will be directly identifiable, indirectly identifiable, coded, anonymized, or anonymous. This will determine how you can share your data, how secure your data will need to be over the course of your project, and how you will store (and potentially destroy) the data upon the completion of your project.

  • Directly Identifiable - the research materials (data) will identify specific participants through direct identifiers such as names, telephone numbers, addresses  
  • Indirectly Identifiable - the research materials (data) can reasonably be expected to identify specific participants through a combination of indirect identifiers like place of residence or date of birth  
  • Coded - direct identifiers are removed from the research materials (data) and replaced with coded identifiers. There exists the possibility that with access to the codes it may be possible for a third party to re-identify participants  
  • Anonymized - the research materials (data) are irrevocably stripped of direct identifiers. There is no way to link a code to the data in the future  
  • Anonymous - the research materials (data) are not collected in relation to any identifiers (for example: anonymous surveys) and the risk of identification is very low

From TCPS 2 (2022) – Chapter 5: Privacy and Confidentiality 

Data Disclosure Risk Levels

Determine the data disclosure risk levels and decide whether data can be retained or deposited  

| Data disclosure risk levels | Low risk | Medium risk | High risk | Extreme risk |
| --- | --- | --- | --- | --- |
| Definition | Public data; Identifiability [no]; Vulnerability [no]; Sensitivity [no] | Identifiability [can be de-identified]; Vulnerability [no]; Sensitivity [maybe] | Identifiability [yes]; Vulnerability [maybe]; Sensitivity [yes] | Identifiability [yes]; Vulnerability [yes]; Sensitivity [yes] |
| Retention | Data may be retained indefinitely | Data may be retained indefinitely | Data may be retained indefinitely | Data must be destroyed |
| Deposit | Data should be deposited with unrestricted access | De-identified data should be deposited with unrestricted access | De-identified data should be deposited with restricted access | Data should not be deposited anywhere |

Adapted from "Human Participant Research Data Risk Matrix" by Portage Network. CC BY-NC 4.0

Intellectual Property + Copyright

Consider any intellectual property issues that need to be addressed

In your DMP, describe how you will obtain permissions for your project. This should include what you want to do (e.g., create derivative artwork, deposit data); who to ask when permission is needed for what you want to do; and, if granted, what the conditions are.        

Include a description concerning ownership, licensing, and intellectual property rights of the data. Terms of reuse must be clearly stated, in line with the relevant legal and ethical requirements where applicable (e.g., subject consent, permissions, restrictions, etc.).      

Obtaining permissions to create, document, and use artwork in arts-based research can be complex, for example, when non-participants are depicted in artwork or artwork is co-created or co-owned, made by minors, or derived from other copyrighted work (e.g., collages made of photographs, remixed songs). Compliance with privacy and copyright law is a common issue in arts-based research and may restrict what data you can create, collect, preserve, and share. 

Familiarity with Canadian copyright law is especially important in arts-based research (see the ECU Copyright Guide, Copyright Act of Canada, Canadian Intellectual Property Office (CIPO), Éducaloi, and Artists’ Legal Outreach). Obtaining permissions is key to managing privacy and copyright compliance and will help you select or develop an end-user license. Permissions should be very specific to the use or the destination of the data. Avoid blanket releases.

It is also important to know about ethical and legal issues pertaining to the cultural context(s) in which you do arts-based research. For example, Indigenous data sovereignty and governance are essential to address in all aspects of research data management in projects with and affecting First Nations, Inuit, and Métis communities and lands (see First Nations Information Governance Centre (FNIGC), Inuit Tapiriit Kanatami (ITK), and Global Indigenous Data Alliance (GIDA)), including collective ownership of traditional knowledge and cultural expressions (see UBC Library and ISED Canada).  

ECU Contacts:  
Library: library@ecuad.ca 
Research Ethics Board: ethics@ecuad.ca  
Copyright: dvkam@ecuad.ca 
Privacy: privacy@ecuad.ca    

 library@ecuad.ca       604-844-3840        520 East 1st Avenue, Vancouver, BC