Compliance checklist

The following checklist is a guide for researchers to help ensure compliance and best practice in research. Not every step will apply to every project, but please read through each step, and follow the guidance if it is relevant to your research.

What you need to do  

Why 

Further information and guidance 

Engage with Contracts, if outside funders or collaborators are involved, or if you are buying in a third-party tool or service.   

If you receive research funding for your project from an external source; are collaborating with others outside the University; will be transferring or sharing any confidential information, material or data; or will engage external consultants, contact Research Funding and Contracts to prepare the relevant agreements. 

If using a third-party tool or service provider for processing data, the University will also need a contract in place. 

When to engage with Contracts 

Compliance for third party processors   

Engage with your department/faculty administration team and Research Services Trusted Research team, if overseas collaborators, funders, or suppliers are involved.

It is important to recognise and manage risks associated with international collaboration, particularly where the University and its researchers are subject to legislative or funder requirements such as due diligence, export control, the NSI Act, the Nagoya Protocol, and ATAS. The University provides support for this; please contact your department/faculty administration team in the first instance, who will connect you with Research Services' support if required.

Trusted research
Export controls and research collaborations
Nagoya Protocol 

Check that information security controls are in place to manage the risk 

Technology systems can be a means of causing harm unless they are properly secured. If your research project is using technology systems and/or any kind of personal data follow the steps here. 

All Divisions and departments must have a Baseline Controls Security Assessment in place to make sure that cyber security risk is properly managed. Confirm this with your departmental IT or Head of Department (HoD). If your systems aren't provided by your department, they must still be compliant with the University's baseline security controls. If uncertain, email [email protected]

If your project involves personal data, the result of these checks will be a key input into your Data Protection by Design documentation (more detail in the link). 

Being security compliant 

Information Security general information  

How to classify information including personal data 

Information Security for researchers 

Secure your research information 

As part of your induction, ensure you have done the University’s mandated cyber security training 

Everyone in the University must complete cyber security training, to help us keep our systems and data safe from attack. 

Cyber security information and training  

Ensure Information Security for Third Party Suppliers 

If you are using any suppliers that will collect, process or manage data, check if they are on the Third Party Supplier register. If they are not, have your supplier complete a Third Party Security Assessment to make sure that its security controls are compliant with Oxford's standards and that cyber security risk is properly managed. If uncertain, email [email protected].  

If your project involves personal data, the result of these checks will also be a key input into your Data Protection by Design documentation.

Third Party Risk Register  

Third Party Security Assessment  

Complete the data privacy training 

If you are using data from research subjects, then complete the data protection awareness training module, to gain a better understanding of your responsibilities in relation to your research subjects’ data. 

Data privacy training  

If you are transferring personal data internationally, check if there is a UK adequacy regulation 

If any personal data are to be transferred internationally to a third party and you are following a University ethics review pathway, you will need to check if the destination has a UK adequacy regulation.  

Approach Research Funding and Contracts to ensure the contractual agreements with the third party address the transfer, and complete an International Transfer Risk Assessment. 

Attach it to your data protection assessment (DPA) or data protection impact assessment (DPIA) for submission to your data protection risk owner to approve - your head of department (or equivalent). If you are unsure whether you are making a transfer, seek advice from [email protected]

List of destinations with a UK adequacy regulation for international data transfers 

International Data Transfer Risk Assessment 

Research Services Contracts Team 

Apply for ethics review and approval for research involving human participants

You will need to apply for ethics review and have all necessary approvals in place before the start of your research. 

Generally, if your research involves human participants, personal data and/or human tissue/samples, you will need some kind of ethics approval. There are different levels of ethics review depending on the risk level of the research.    

Use the flow chart on the 'Where and how to apply for ethical review' page to check if your research needs an Ethics approval, and what kind of approval. If you are still unsure, you can ask for an opinion on this by completing the short form on the 'Study classification' page and sending it to the RGEA Sponsorship team. 

If your project needs NHS research ethics approval, this will impact the type of data protection documentation you must complete. 

Where and how to apply for ethics review  

Study classification tool  

Research ethics policy, for background   

Applying for sponsorship approval 

If you are using personal data in your research, complete the Data Protection by Design forms

Data is a highly valuable resource and needs to be carefully looked after. If you are following a University ethics review pathway and you are using personal data in any way, you have a responsibility to keep the data safe and protect your research subjects from any harm.  

Anyone handling personal data at Oxford must be compliant with the UK General Data Protection Regulation (UK GDPR).

Complete a data protection screening form to establish if your project presents a higher data protection risk to participants. Submit the screening form to your data protection risk owner for approval - your head of department (or equivalent). 

If your project has been screened as lower risk, complete a data protection assessment (DPA) for submission to your data protection risk owner to approve - your head of department (or equivalent).  

If your project has been screened as high risk, or if your funder or a third party you are working with (e.g. a data registry) requires it, complete a data protection impact assessment (DPIA) for submission to your data protection risk owner to approve. Once approved, submit the DPIA to the Information Compliance Team at [email protected] for a formal consultation response on behalf of the University’s Data Protection Officer.  

The DPIA requires some time and effort to complete. Start this process as early as possible. 

UoO data protection screening form 

UoO Data Protection Assessment form  

UoO Data Protection Impact Assessment template 

Data Protection by Design - UoO data protection framework 

International transfers of personal data  

Guidance on working with third parties for your research project  

Check if your project needs NHS ethics approval 

If your project needs NHS approval, or it is going through the sponsorship review process, it will be subject to a privacy review via Research Governance, Ethics and Assurance. This review can stand in place of the University's Data Protection by Design documentation.

If the project is sending personal data outside the UK to a third party in a destination that does not have a UK adequacy regulation, approach the Research Funding & Contracts team to ensure your contractual agreements address the transfer and complete an international transfer risk assessment. Submit the risk assessment to your data protection risk owner to approve – your head of department (or equivalent). 

If you are unsure whether you are making a transfer, seek advice from [email protected]

Research Governance Ethics and Assurance  

List of destinations with a UK adequacy regulation for international data transfers 

Research Services Contracts Team 

International Data Transfer Risk Assessment 

If you are doing clinical research and trials, get the right approvals 

If you are conducting clinical research and trials you will need to ensure that additional governance approvals are in place.  

For clinical research, you will need the University to 'sponsor' your research. Find out more about the sponsorship application process.

For clinical trials, follow the steps as set out in the link. 

Some university studies will need Health Research Authority (HRA) approval to take place in the NHS. 

Clinical trials and research governance guidance  

Applying for sponsorship approval 

Preparation for clinical trials  

Health Research Authority information 

Follow the procedures for animal research

If you are conducting animal research, visit Biomedical Services  

Biomedical Services for questions about animal research 
