University and legal requirements

Guidance on University policy around research data management, as well as the legal requirements with which you should comply when using, creating and sharing research data.


Research data management is a requirement for researchers at the University, as well as a condition of many funders and publishers.

There are also legal requirements with which you should comply when using, creating and sharing research data.

University policy

The University of Sheffield maintains a Research Data Management Policy as part of its Good Research & Innovation Practices (GRIP) Policy. The key points are:

  • All researchers (staff and students) are responsible for looking after the data they collect and analyse, and overall responsibility lies with the lead researcher or supervisor.

  • All research proposals should have a data management plan.

  • Unless otherwise specified by a contract or the terms of a grant, data generated by research projects are the property of the University of Sheffield.

You should also refer to the University’s Records Retention Schedule when deciding which data to retain and dispose of.

Strategic leadership for the University’s Research Data Management Policy is provided by the Open Research Advisory Group.

Legal requirements

Intellectual property

Rights to intellectual property (IP) created by University employees are generally owned by the University. When creating data, however, you must consider the IP rights of all stakeholders involved, including research partners, collaborators and funders.

For further information, see Research Services (staff only link, Impact and IP).


When using existing data sources, you should always check who owns the copyright and the conditions under which you can reuse the data.

For further information, see our copyright hub.

Data licensing

All published research data should be licensed to show what users may or may not do with it. Licences, or waivers, are granted by the IPR holder, who should be established from the outset of the project.

Data repositories indicate which licences can be used for deposited data, from Creative Commons to more restrictive ones which may require permission for reuse.

For further information, see How to license research data (DCC).

Ethics approval and consent

It may not be possible to share, or even collect, personal or sensitive data unless specific consent is obtained from participants. It may, however, be possible to anonymise some data in order to make it available.

The University provides detailed guidelines relating to this area of research integrity and ethics.

GDPR and data protection

The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, while ensuring this information is handled properly. Researchers must adhere to data protection requirements when sharing or managing research data.

For further information, see GDPR and data protection, and also the University's Information Classification Scheme, which outlines potential data protection risks.

Freedom of information (FOI)

As the University is a publicly funded organisation, any recorded information held, including research data, may be subject to FOI requests for access.

If you object to the release of your data, for example on the grounds of confidentiality, you should contact the FOI Unit (staff only link).

Commercial confidentiality

Data obtained from a commercial partner, or licensed from a provider, may be subject to a confidentiality or collaboration agreement. This may prevent data sharing or place restrictions on how data may be used.

You should be aware if this is the case, but check with your supervisor if in doubt, or contact Research Services.

Export control legislation

Export controls are measures imposed by the government to regulate the transfer of goods – including data – to other states.

These controls apply to items on the UK Strategic Export Control Lists, where there are end-use or end-user concerns, and when destinations are subject to sanctions or other restrictions. For example, applied research that could be misused for military purposes would be considered particularly high risk.

You should read the information provided by Research Services (staff only link) before making data available to any organisations or individuals outside the UK and email them at with any queries.

For further information, contact