Skip to Content

Ethical Data Management in Evaluation and Research

A framework for responsible and respectful data management.
21 September 2025 by
Ethical Data Management in Evaluation and Research
Gerard Atkinson

In evaluation, social research, and market research, data is not just a technical asset — it is a reflection of people’s lived experiences, identities, and trust. Ethical data management is a cornerstone of respectful and responsible research practice.

This resource outlines practical steps for managing data ethically and transparently, drawing on Section 3.1 of the National Statement on Ethical Conduct in Human Research. We've also provided a template document and checklist to help you frame up your data management plan as part of your project.

Introduction

Ethical data management ensures that:

  • Participants’ rights are protected, especially around privacy, consent, and cultural ownership.
  • Stakeholders can trust the research process and its outcomes.
  • Projects comply with legal and professional standards (e.g. Privacy Act, GDPR, AES and TRS codes of ethics)
  • Data is used responsibly, including for future research or evaluation.

It is always important to remember that as collectors of data, we are drawing upon information that represents peoples' experiences and stories. Participants in research and evaluation trust these stories with us and we have an obligation to them to use this in an ethical manner.

Data management in the National Statement

Section 3.1 of the National Statement on Ethical Conduct in Human Research, particularly clauses 3.1.43 to 3.1.49 set out clear expectations for researchers and evaluators in handling data responsibly. These sections highlight seven areas where researchers and evaluators need to consider their approaches to data management:

  • The agreements between collaborating researchers and organisations (including clients) in the management of data and intellectual property (IP) generated as part of a project.   
  • Having a data management plan in place for projects.
  • Ensuring security measures are proportional to the risks in the project and the sensitivity of information collected.
  • Compliance with relevant legal and regulatory requirements, and with conditions of consent by participating stakeholders (something that is also discussed in our position statement on data retention). 
  • Having in place secure and safe disposal mechanisms for data that are appropriate to the design of the project, and delivered in line with obtained consent and with legal requirements.
  • Where justifiable, the retention of data from projects in a way that makes them accessible for future research.

How do I deliver data management in my project? 

Given the above considerations, it's not necessarily obvious what is the best approach for data management in a project. The following sections look at each of the clauses and gives you some examples of where these might or might not apply in practice.

3.1.43: How are we approaching collaborative agreements?

When multiple researchers are collaborating on collection, storage and/or analysis of data or information, they should agree to the arrangements for custodianship, storage, retention and destruction of those materials, as well as to rights of access, rights to analyse/use and re-use the data or information and the right to produce research outputs based upon them. Researchers should consider whether any intellectual property will be generated by the project and agree on the ownership of any intellectual property created. Agreements on such arrangements and ownership need not necessarily be in the form of a contractual document, but should facilitate a clear resolution of these issues.

As a practical example, if a local council commissions a social impact evaluation involving external consultants and internal analysts, all parties should agree on who owns the data, who can access it, how long it is retained, and whether it can be reused in future projects. This is typically documented in the contract for services and the project plan, but may also form part of a Memorandum of Understanding and/or a shared project charter. 

3.1.44: How are we planning for data management?

For all research, researchers should develop a data management plan that addresses their intentions related to generation, collection, access, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of data and information, the risks associated with these activities and any strategies for minimising those risks.
The plan should include:
  • Security measures (e.g. encrypted servers, password protection)
  • Policies and procedures (e.g. internal data handling protocols)
  • Contractual and confidentiality agreements
  • Training for team members
  • Storage format (e.g. CSV, transcripts, audio files)
  • Intended uses and disclosures
  • Access conditions
  • Information to be communicated to participants
  • Consent strategy (extended, unspecified, or waived)

In practice, all projects should have a data management plan that outlines the details of how all data will be managed during and after the project. For example, a market research firm conducting a survey on consumer behaviour should document how survey data will be stored (e.g. encrypted cloud storage), who will access it (e.g. analysts only), and whether it will be reused for future trend analysis. Participants should be informed of these intentions during the consent process.

3.1.45: Is the security of data proportional to the risk?

The security arrangements specified in the data management plan should be proportional to the risks of the research project and the sensitivity of the information.

We generally encourage researchers and evaluators to err on the side of caution when it comes to data security, but to be proportionate to the risks that might occur for participants were the data to be stolen or made public without permission. For example, a study on public transport usage may require basic security (e.g. password-protected spreadsheets), while a study with users of domestic violence services will most likely have to implement high-level security in the form of encrypted databases, restricted access for team members, and pseudonymisation or de-identification of data prior to use by the project team.

3.1.46: Are data being collected within legal requirements?

Researchers must comply with all relevant legal and regulatory requirements that pertain to the data or information collected, used or disclosed as well as the conditions of the consent provided by participants.

There are a range of legal and regulatory requirements for researchers and evaluators, most notably the Privacy Act (Cth) 1990, but also relevant codes of practice for the sector. Moreover, projects that have international components and/or collect data from non-Australian residents may be subject to international regulations such as the European Union's General Data Protection Regulation (GDPR). There are also the conditions of consent for use, for example if participants consent only to data being used for a specific evaluation, researchers cannot later use it for unrelated projects unless new consent is obtained or a waiver is approved by an ethics committee.

3.1.47: Are there long-term effects that I need to consider?

In relevant research, particularly that which involves the use of materials of biological origin, records should be preserved for long enough to enable participants to be traced in the event that evidence emerges of late or long-term health-related effects, taking into account the conditions of consent that apply.

In evaluation, social research, and market research this clause is less relevant as it typically relates to long term health effects that may arise from a study. Nonetheless, for longitudinal studies and evaluations in areas such as mental health this question is relevant. Ultimately, this clause reinforces the need to align retention periods with the potential future relevance of the data and the original consent terms.

3.1.48: Am I disposing of data securely?

Data, information and biospecimens used in research should be disposed of in a manner that is safe and secure, consistent with the consent obtained and any legal requirements, and appropriate to the design of the research.

In practice an evaluator or researcher needs to consider each set of data being collected and document the approach that will be taken to dispose of data and the time point in which this will be done. Data retention periods will vary based on the type of project, the data collected and the method of data collection. Our position statement provides more information on identifying appropriate periods.

As an example, researchers and evaluators conducting interviews with community members should ensure audio files are securely deleted after the retention period, using secure deletion software, and document the approach taken in the data management plan.

3.1.49: Have I considered future usage of data?

In the absence of justifiable ethical reasons (such as respect for cultural ownership or unmanageable risks to the privacy of research participants) and to promote access to the benefits of research, researchers should collect and store data or information generated by research projects in such a way that they can be used in future research projects. Where a researcher believes there are valid reasons for not making data or information accessible, this must be justified.

On the face of this clause, it would appear that the National Statement is encouraging indefinite retention as a first principle. However, the requirements to ensure data security and legal requirements around data disposal outweigh this. The aim of this clause is to, in compliance with legal and security requirements, promote the ongoing use of research and evaluation information to inform future project delivery. This can vary by project, but may be some form of internal or external publication of reporting and data as appropriate, ranging from internal summary reports through to anonymised datasets with clear metadata. However, consent and cultural considerations must be respected; for example if a First Nations community shares data under culturally specific conditions, researchers must respect these conditions and this may mean that the data cannot be made publicly accessible. 

Data management planning

We've developed a simple template document that you can use to develop a data management plan in line with the requirements of the National Statement. It provides more detail on the questions you need to consider in the planning phases, as well as a checklist to ensure that you haven't missed anything important in the process.

You can download a copy (Word Document) here or click on the icon: 

Summary

Ethical data management is a living practice — it evolves with each project and each stakeholder relationship. By documenting your approach clearly, you not only protect participants but also strengthen the credibility and impact of your work.