Research ethics FAQs

Before you apply

Expand All


Ethics approval is needed for all research involving human participants, human tissue or data from which individuals could be identifiable, in accordance with the University’s policy on the ethical conduct of research involving human participants and personal data. Ethics approval must be obtained before the research starts, including before participants are recruited. Please make sure you allow enough time for the review process when planning your research. 

If you are unsure whether ethics approval is needed, refer to the decision flowchart for CUREC or contact a member of the Research Governance, Ethics and Assurance (RGEA) team for advice.

If you are an undergraduate in the Social Sciences or Humanities, and you are conducting low-risk research for your dissertation, your project might qualify for expedited review. Refer to CUREC’s approved procedure 06 for more information:


The HRA decision tool will help you determine if your study requires approval from an NHS research ethics committee (REC) via the HRA. There is also a decision tool to help you decide whether or not your study meets the NHS definition of research. Further guidance is available from the HRA’s website

All research within the NHS requires a sponsor. The University’s Research Governance, Ethics & Assurance (RGEA) sponsorship group (formerly CTRG) supports applicants through the process of applying to NHS RECs and ensures that the University meets its requirements as research sponsor. They should be contacted at the earliest opportunity when preparing the research application and documentation in order to access their advice, support and necessary sponsorship.

If NHS REC approval is required, then you do not usually need to also seek review from a University REC. If your study includes both NHS patients and healthy volunteers, then the NHS REC approval will cover the entire study. You would not need to seek additional ethics approval from CUREC for the inclusion of healthy volunteers. 

CUREC can provide ethical review of research involving participants recruited by means of their status as current or former members of NHS staff, or research involving NHS premises or data. However, you must also check whether you need NHS permission to conduct the research, ie Health Research Authority (HRA) approval. If staff recruitment can be conducted outside the NHS, an application can be submitted directly to CUREC (using the appropriate CUREC form), since HRA approval will not be required. If HRA approval is needed, then applicants should complete the Integrated Research Application System (IRAS) form instead of a CUREC form and submit this, together with any supporting documentation by email to the RGEA sponsorship group). They will then review all documentation for compliance with NHS requirements, and will advise on obtaining the permission of the relevant NHS trust or seeking Health Research Authority (HRA) approval. You can then forward the documentation to the Medical Sciences IDREC for ethical review. 

NHS REC approval is needed for research involving NHS data. It is important to check whether you need permission from the NHS for that data use. (Permission may be needed for use of data whether in an identifiable or anonymised form.) The RGEA sponsorship group advises on this and provides confirmation that the University will accept the role of sponsor for such studies.


The Department of Computer Science and many departments within the Social Sciences Division have their own departmental research Ethics committees (DRECs). If your department has its own DREC, please submit your application to it for review in the first instance:

If your department does not have its own DREC you will need to submit your application to one of the Interdivisional Research Ethics Committees or OxTREC.


The latest version of the application forms and further information about the process are available from each committee’s webpage. You will find links on the Where and how to apply for ethical review page.

Information about courses is available on the Integrity and ethics training page. Research integrity training is compulsory for all University research staff and research students. The introductory core course, and the module on research involving human participants, are compulsory for all University of Oxford research students (either on graduate taught courses or taking research degrees). It is also available to all University staff and students who are interested in undertaking more detailed training in this area. The refresher course is more suitable for experienced University of Oxford researchers (for example, postdoctoral researchers or established academic staff).


In general, if the data is not NHS data, has been previously collected, and cannot be traced back to identifiable individuals, you need not obtain ethical approval. This means projects using existing data from a census, for example, do not need approval. If it’s possible to identify individuals from the data, for example by using a key, then ethics approval must be obtained. 

Where researchers identify a target population and hold any identifying information about them (for example an email address) in order to administer a research procedure (for example sending a link to a web survey platform), the research must obtain ethical approval, even if the datasets collected from that procedure cannot be linked back to individuals, because the individuals are involved as research participants. Refer also to the Compliance team's guidance on mailing lists and CUREC’s Best practice guidance 06 on internet-mediated research:


Yes. Observation may seem more intrusive to the people being observed than to the observer and does still count as research involving human participants. Sometimes observation can pose more complex ethical questions, for example if individuals will be identifiable from the data that is collected, the observation is of at risk groups or observation of harmful or illegal activity.

You might find it helpful to refer to CUREC’s Best practice guidance 02 on ethnographic and other types of qualitative research:


All research projects where people participate by offering their personal information, opinion or data where that information/opinion/data contributes directly to answering the project’s research questions need ethical approval.

However, many research projects will also bring researchers into contact with other types of people: those who will show you how equipment works, provide technical or expert information about matters connected with your research, and give their views on your research (for example as part of a peer review process, or as a trainer on a methodology course you are taking). These people do not count as 'human participants' in the sense intended by CUREC’s policy. They are not giving you information about themselves, and the opinions that they offer are not the subject of the research. You need not get ethical approval of your research if your contact with people is confined to this sort of interaction.


Some healthy volunteer studies including use of human tissue may be reviewed by CUREC. However, this depends on a combination of whether the tissue samples would be considered 'relevant material' by the Human Tissue Authority (HTA), and the processing and storage of the samples. Please note that any material from humans that contains cells is considered 'tissue', including (but not limited to) faeces, blood, urine and saliva.

For full information as to when and where to apply for ethical review, please read Best practice guidance 15 – ethics review of research with human tissue, in conjunction with our flow chart for human tissue samples:

If you are still unsure, please contact the Medical Sciences IDREC, the OxTREC Secretariat or the human tissue governance group.  


This information assumes that tissue samples that will be stored at Oxford will be registered on one of the University’s Human Tissue Authority (HTA) licences. Where this is not the case, ethics approval will need to be sought from a National Health Service (NHS) research ethics committee (REC).

In all cases, tissue samples need to have been collected with donor consent for them to be transferred outside the country in which they were collected. Where the samples are to be used in a new piece of research, permission from the donor for this use would also need to be in place.

Whether review from a CUREC subcommittee is required depends on the proposed use of the samples at the University of Oxford:

  1. The sample collection had foreign ethics approval (for a study that has completed), but samples are being sent to Oxford for use in a new study – CUREC approval is required (by either MS IDREC or OxTREC)
  2. The sample collection has foreign ethics approval (for an ongoing study), where a member of the University is acting as a formal collaborator on the study but will not have any contact with participants (for example analysing samples only) – foreign ethics approval is sufficient
  3. The sample collection has foreign ethics approval (for an ongoing study), where a member of the University will have contact with human participants and work on the samples – foreign ethical approval and CUREC approval are required (by either MS IDREC or OxTREC)

The study will require OxTREC ethics approval if the foreign ethics approval covering tissue collection was received from a country outside of the EU, or if the study is funded by a USA federal funding agency (for example NIH).

All other studies should be directed to the MS IDREC for ethics approval.


Some research projects are conducted jointly between two or more institutions. These may be subject to more than one set of ethics approval procedures. Firstly, establish whether each institution requires its own ethics approval or if it is prepared to accept approval given by another. If ethical approval is required from more than one institution, leave adequate time to apply to each institution and be prepared to harmonise comments from each ethics review into your finalised research protocol and supporting documents.

Where the University of Oxford is the lead institution, ethical approval from CUREC must be obtained. Compliance with CUREC policy should be prioritised in addition to accommodating the requirements of partner organisations (should multiple approvals be required).

Where the University is not the lead institution, the researchers from the University of Oxford should supply to the relevant CUREC subcommittee details of the ethical application, including all documents, the ethics application form that was submitted to the lead institution, and their approval notice. This will then be reviewed to ensure that the approval already obtained is in accordance with the requirements of the University’s policy on the ethical conduct of research involving human participants and personal data

International projects

For international projects, you may find it helpful to refer to CUREC’s Best practice guidance 16 – social science research conducted outside the UK, which contains guidance on expectations around local ethics approval. 

Joint projects falling within OxTREC’s remit

Where the University of Oxford is the lead institution, ethical approval from CUREC (OxTREC) must be obtained.

Where the University is not the lead institution, the researchers from the University of Oxford should contact the OxTREC Secretariat for further advice. Researchers may also find it helpful to consult the criteria for ethical review of research involving Oxford investigators as collaborators, which is available on the OxTREC application process page.

Please note that any ethical approval provided by OxTREC is subject to receiving ethical approval from the relevant local (in country) ethics committees. The approval notice from the relevant local ethics committees should be supplied to OxTREC. 


You may be a new member of staff, or enrolled for a qualification at the University of Oxford, and were based at another institution when you received ethical approval for your research project. Alternatively, you may be based at another University, but wish to recruit University of Oxford staff or students to participate in your study.

In either case, you do not normally need separate CUREC approval, but should supply details of the ethical application (including all documents) and approval notice from the lead institution to the relevant CUREC subcommittee for our records. We will check that these meet University of Oxford ethical review requirements, and may require you to make minor document changes. You must also obtain any other local permissions necessary to recruit University of Oxford staff or students for your research (for example heads of department, course directors, or student societies).

If the research is to be advertised on posters on University or college noticeboards, the researchers must also obtain the appropriate local approval to advertise there (for example for colleges, from college bursars or senior tutors, or if in a University department, from local departmental administrators, building managers or communications staff). Any poster should include a reference to which ethics committee has reviewed and approved the study, together with the reference number.

Preparing the ethics application

Expand All


The principal researcher or principal investigator should be the formal applicant for ethical review.

This is the person who accepts the overall responsibility for the research, provides oversight, and ensures that all staff and students working on the study are suitably trained and qualified by experience to conduct the research. For these reasons, a student cannot be the principal investigator. The formal applicant is the student's supervisor in the case of student research, or the principal investigator or grant holder in the case of staff research.

This does not preclude other researchers from preparing parts of the application, particularly where such preparation functions as part of an educational qualification. The CUREC subcommittee would usually correspond with students regarding their research applications, even though the supervisor is named as the principal researcher or investigator. 


You must secure CUREC approval before beginning the parts of your project that involve human participants or personal data, including advertising and recruitment of potential participants. However, you are permitted to carry out literature searches, information gathering, and peer discussions before you secure approval. Grant awarding bodies may specify that you need to secure ethical approval before you apply for funding and in such cases CUREC is usually able to accommodate this. However, in general you should only apply for ethical review after funding has been secured, in case the project evolves after funder review such that the ‘ethical frame’ of the project is altered. 


For studies that require OxTREC review, minimal risk application may take up to 30 days to approve. Full committee applications are reviewed at OxTREC meetings, which take place once every two months.

For applications to all other CUREC subcommittees, you should allow 30 days for the review of a CUREC 1 or 1A application or 60 days for a CUREC 2 or CUREC 3 application. 

The committee secretariat will acknowledge receipt of your application and initiate the review process. Once your application has been reviewed, you will receive feedback via email. The committee may request changes or further information. 

Please see each subcommittee's application process page (SSH IDREC process, MS IDREC process, OxTREC process) for more details. 

Ethical review procedures operate all year round, though they may take a little longer outside term time when staff are likely to take annual leave.

The instructions on the application form will explain what documents need to be submitted together with the application form itself. Supporting documents typically include:

  • recruitment material (for example advert, poster, email invitation, website or social media text)
  • participant information sheets (for some studies, several different versions may be needed for different tasks or activities or for different participant groups)
  • consent form (and assent form if children are participating)
  • sample interview and survey questions
  • debrief (if applicable)
  • protocol (for OxTREC and applications to MS IDREC that require subsequent HRA review)
  • an authorised fieldwork risk assessment

Guidance on obtaining participants’ informed consent and template documents are available on the Informed consent page

A signature or email endorsement is needed from the PI, the student (if student research) and the head of department or nominee. The MS IDREC still prefer wet ink signatures where these can be obtained. Pasted images of signatures are not acceptable. In lieu of signatures, an email endorsement can be provided:

  1. The PI (and student, where applicable) should copy and paste the text from the ‘Declarations and signatures of researchers’ section of the CUREC 1, 2 or 3 form, section E1 of the CUREC 1A form, or sections H1 and 2 of the OxTREC minimal risk application form into an email.
  2. The head of department (or deputy) should copy and paste the text from the ‘Acceptance by head of department or faculty or designated nominee’ section of the CUREC 1, 2 or 3 form, section E2 of the CUREC 1A form, or section H3 of the OxTREC minimal risk application form. 

Send emails from a University address to the mailbox for the relevant ethics committee (see Ethics committee contacts). Please include the name of the PI and the title of the research project in the email header to help us identify which application the email endorsement relates to. 



See also the FAQs in the After approval section.

If the project and ethical frame is likely to change from one phase to another, it is better to apply for further approval (either via an amendment or a new project application) closer to the commencement of each phase. Practically, it is not possible for CUREC to approve research unless it is provided with enough information to make an appropriate assessment. If, however, you are confident that you have enough information about each phase and that the results of one will not affect another, please seek approval via a single application. 


Per project, the approval given is usually for the project duration proposed in the CUREC application (calculated as the time between project start and end date cited on the application). However, CUREC will grant a minimum approval period of eighteen months and a maximum of five years. Should researchers wish to submit project amendments (see FAQs in the After approval section) that extend this five-year duration, they must notify the CUREC subcommittee of this as part of the overall amendment notification, giving a brief summary of the research findings so far and justifying their reasons for extension. 


The terms and conditions of the research funding will indicate whether any form of monitoring is required to ensure that standards of ethical conduct are maintained after the study has received initial approval. 

However, the two main funders who attach conditions relating to monitoring are:

  • the Economic and Social Research Council (ESRC) (see the Research Ethics Framework)
  • the US National Institutes of Health, which stipulate that projects that require ethical approval must be reapproved for every year of the research funding. (Applications for ethical approval of research with US federal government funding, including from the NIH, are handled by OxTREC.)
Guidance on addressing ethical issues

Expand All


It is important that participants are given the information they need to make an informed decision about whether or not to take part in the research. For example, they should be given information about the project itself, what taking part would involve and whether there are any risks or benefits. They should be able to ask questions and made aware of any limits to withdrawing, for example once the data have been anonymised.

The consent process typically involves a conversation between one or more members of the research team and the potential participant. The participant is usually provided with some written information about the research and asked to sign a consent form. For longer projects, ensuring participants’ consent is often an iterative and ongoing process.

Further guidance and templates are available on the informed consent page. Researchers should use the templates as a starting point but these must be adapted so that they are suited to the individual research project and participant group. 

Where it is not possible to obtain a signed consent form, a record of the information provided and consent given should be kept. A sample template is available from the Informed consent page (under 'Oral consent').

For advice on writing in an accessible way for participants, please see our informal guide:


Consider whether you need to make any changes to your recruitment strategy, how you approach potential participants or to your process for obtaining informed consent. How will you record the participants’ consent? Guidance and templates are available on our Informed consent page. You may find it helpful to refer to CUREC’s Best practice guidance on conducting research interviews, which includes guidance on conducting interviews remotely.

The procedures for obtaining the participants’ informed consent should be proportionate to the nature of participation and the risks involved, but should always commence with the researcher talking the participant through the study. Whilst audio-recorded verbal consent may be suitable if the project is deemed to be low risk, it is also important that this consent be documented in an auditable record and stored securely. You should consider whether there is a need to remotely record participants only for the purpose of taking consent. An alternative is that verbal consent be taken at the start of remote interviews/focus groups, with a written record of this consent created by the researcher. You would go through the consent statements and complete a paper/electronic consent form on behalf of the participant as you do so. You should then sign this, scan and email a password-protected copy to the participant for their records, retaining your copy in a secure location.

Are there any risks associated with where the participants are located for the interviews? For example, are they in a safe place or could they be overheard? Who could be captured in the background if video is required? Consider any additional communication challenges. It might be harder to tell if a participant needs a break or is upset when conducting interviews remotely. 

If you will be making audio or video recordings or capturing images, familiarise yourself with the University’s research data management guidance and policies. Microsoft Teams is the University’s preferred platform for conducting interviews remotely. 
University guidance on platforms for conducting research remotely:


University staff and students who conduct research with human participants and personal data sometimes engage third party individuals or companies to provide research assistance. This assistance can take the form of, for example, providing interpreting, translation or transcription services or assistance with interviewing or surveying participants in fieldwork in the UK and overseas.

Careful consideration should be given as to what form of in-person third-party assistance is appropriate and reasonable, especially during health epidemics or pandemics and other humanitarian crises (for example armed conflicts, famine and natural disasters).

Researchers and reviewers should consider:

  1. Is it necessary or appropriate to conduct the research in person? Could the research be conducted remotely, online or postponed?
  2. What are the reasons for outsourcing the in-person interaction?
  3. What is the local situation (including current rates of infection transmission, level of conflict etc)? Is what is proposed in line with current local government guidance?
  4. Would it be safe for anyone to conduct the research? Will those conducting the in-person research be subject to risks that would be unacceptable for a University of Oxford researcher?
  5. Has a risk assessment been conducted for the in-person element? This needs to explain:
    1. the measures necessary to protect against humanitarian crises
    2. the support being provided to the local workers
      The researchers may find it helpful to seek advice from a safety officer.
  6. Is the research being conducted in accordance with CUREC’s Best practice guidance 01 on researcher safety (including providing training, ongoing support, appropriate remuneration, insurance and acknowledgement)?


Yes. It will be important to ensure that any invitation to students of this University to participate in a research project makes it clear that the participation or non-participation in the project will not affect the student's academic assessment in any way (see the University's policy on the ethical conduct of research involving human participants and personal data). The participant information should also make clear that no information arising from the research will be disclosed to the student's college, department or faculty.

Similar statements should be made in relation to their employment if the participants in the research are employees of this University. Please note that you must obtain any local permissions necessary to recruit University of Oxford staff or students for your research (for example heads of department, course directors and student societies). 

This will depend on the nature of the contact involved. Researchers need to be sensitive to safeguarding issues, and follow the guidance set out in the University's Safeguarding code of practice. This includes ensuring that a safeguarding risk assessment of the proposed research has been completed. The code of practice and a pro forma risk assessment are on the HR Support website

Research participants must be informed how they can report concerns about any member of the University with whom they will be interacting. Researchers should also take responsibility for complying with safeguarding regulations and research practices that relate to the settings (country, institution) of their research. 

Those working with at risk groups are encouraged to complete the relevant online training provided by the Oxford Safeguarding Children Board. As well as such compliance, researchers should consult guidance from the relevant professional associations. For example, for research settings in the UK, detailed guidance on circumstances in which criminal records disclosures can or must be obtained, can be found on Personnel Services' Disclosure and Barring Service (DBS) page
In many cases, when research is being undertaken in schools, the schools will indicate what kind of safeguarding checks are needed.

For all DBS applications, guidance and advice please contact the Vetting & Screening Office at Security Services (, 01865 (2)82152 or 01865 (2)82788). 


In the UK and many EU countries, children are legally defined as anyone who has not reached their 18th birthday and are therefore considered as not legally competent to give consent to take part in major research. Instead, parental or legal guardian consent is required. However, 16 and 17 year olds may, in certain research projects that do not raise complex ethical issues, be classed as 'competent youths'. They are still technically children but are considered to have sufficient understanding of the research and its implications that they can make up their own minds about taking part, and have that opinion honoured. However, this class of 'competent youth' is not automatic and must be decided on a per-project and (as appropriate) per-individual basis.

To decide this, the following factors will be relevant:

  • Youths cannot usually be classed as 'competent youths' if outside the UK and the EU. This is because expectations of parental authority and young people's autonomy, and the areas of life in which these apply, can vary considerably between cultures. In considering whether the class applies to youths outside the EU, researchers should be guided by cultural expectation plus any relevant legislation and (regulatory) standards. The class could also apply to youths outside the EU who are enrolled at a university (where greater autonomy is likely).
  • If the research is 'unproblematic' in ethical terms, it is likely the class of competent youth applies. However, if, in the overall context of the research project, anything looks to be of significant ethical concern (for example the project design, area of enquiry, or research procedures) the class may not apply.
  • If the research involves procedures that would require parent or legal guardian consent outside of a research setting, the class would not apply. 
  • Projects fitting under one of CUREC's procedures concerning children (see Approved procedures) would normally support the use of the class.

Examples of research where the class of 'competent youths' would apply and would not apply are found in our best practice guide on competent youths


Please see our best practice guide on competent youths. If the class can be applied to all participants under 18, then the CUREC 1 form or CUREC 1A checklist is sufficient. Any participants under 18 to whom neither the class of 'competent youths' nor one of CUREC's approved procedures applies would trigger completion of a CUREC 2  application. 


Adult participants may be offered compensation for the 'inconvenience of taking part' and any reimbursement should reflect the time spent undertaking study activities. In addition to this, reasonable travel costs may be reimbursed. Children recruited in schools may receive a sticker or certificate as a 'thank you'. If a child takes part in a study with their parent present, the parent may be given a gift voucher or book token and they can choose whether to give this directly to the child.

It is not recommended that compensation values be stated on recruitment adverts (posters, websites, social media etc), as this can be construed as inducement to participate. It is preferable to state 'You will be compensated for your time'. Compensation values may then be included within the more detailed participant information. Further guidance is available within CUREC’s Best practice guidance 05 on payments and incentives in research.

Data management

Expand All


The purpose of the ethics review process is to ensure that the ethical issues associated with conducting the research have been identified and addressed. As well as legal requirements and complying with the University’s policy on the management of data supporting research outputs, there are ethical issues associated with collecting, managing, storing and sharing personal data for both researchers and research participants. 

The ethics review includes making sure that potential participants will be able to make an informed decision about participation in a research project. In order to make an informed decision it is important participants understand what data will be collected about them, what is going to happen to that data and the risks associated with how the data would be used, stored and shared. 


Research data is defined as the recorded information (regardless of the form or the media in which they may exist) necessary to support or validate a research project’s observations, findings or outputs. Research data may contain personal data. Personal data is information that relates to an identified or identifiable living individual. That individual must be identified or identifiable either directly or indirectly from one or more identifiers or from factors specific to the individual. Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of UK GDPR. It does not change the status of the data as personal data with a potential for disclosure following a security lapse. UK GDPR defines pseudonymisation as: 

'…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.'

Further guidance on pseudonymisation is available from the UK Data Service. It is important to note that the bar for defining data as anonymous is very high, as the Information Commissioner’s Office explains: 

'In order to be truly anonymised under the UK GDPR, you must strip personal data of sufficient elements that mean the individual can no longer be identified. However, if you could at any point use any reasonably available means to re-identify the individuals to which the data refers, that data will not have been effectively anonymised but will have merely been pseudonymised.'

Unless you are certain that the data is anonymous, it would be sensible to assume that the data is pseudonymised and treat it as personal data. 

Ethics approval is required from CUREC or an NHS ethics committee where research involves human participants (for example interviews, questionnaires, observation) or personal data (including secondary data). 


In general, data should be managed and used in such a way as to protect the confidentiality of the research participants. In accordance with the principle of data minimisation, unless there are good reasons for identifying the participants from the research data and the research outputs, it is good practice to remove as many identifying characteristics as you can and as soon as you can. 

There must be a good reason for keeping identifiable data and for sharing it with others, and if you need to do this you should obtain and keep a record of participants’ informed consent for this. It is important to describe how the data will be handled clearly and accurately. For example if the information sheet says that the data will be anonymised then you are obliged to do this.  In some settings it may be appropriate to ask participants if they would like to be identified, for example when attributing a quotation to an elite or expert interviewee. Further guidance is available within CUREC’s Best practice guidance 03: 

It may be difficult to fully anonymise or de-identify research data or research outputs, particularly for qualitative data or if there are only a small number of participants involved. Care should be taken to avoid saying that a participant’s data will be anonymised if there is any possibility of identifying them, including by the researcher. (See answer to question D2.) Instead it is both preferable and clearer to explain to participants how their data will be used and how identifiable they will be, both from the data and from the research outputs, to help inform decisions about participating. 
The UK Data Service guidance on anonymisation provides helpful advice on anonymisation techniques.


Examples of sensitive or special category data include data relating to race, ethnic origin, sexual orientation, political opinions, religious beliefs, physical or mental health, trade union membership, genetics, sexual life, biometrics (where used for ID purposes), or criminal activities. Special conditions apply to the processing of this type of information. Particular care must be taken if the participants could be considered as vulnerable or if sharing the data could put the participants at risk of harm or burden (for example embarrassment). In such cases researchers may find it helpful to seek advice either from within their department or from their ethics committee as well as referring to CUREC’s best practice guidance documents.

CUREC’s Best practice guidance 07 contains guidance for applicants whose research may potentially fall within the scope of the Prevent duty:

There is also guidance on research involving security-sensitive research material:

Researchers are encouraged to use a platform where the data is stored within the UK or EEA. Jisc Online Surveys is the University’s recommended platform for online surveys. IT Services manage an organisation-wide licence for Jisc Online Surveys and any student, staff member or academic visitor can request an account for creating surveys. It is not possible to access information about respondents’ IP addresses if Jisc Online Surveys has been used.

Researchers should also ensure that online surveys are set not to collect IP addresses unless these are needed. Certain online survey platforms (for example Qualtrics) include the IP addresses of respondents as part of the survey results by default, but this can usually be switched off for individual surveys. 

Refer to CUREC’s Best practice guidance 06 on internet-mediated research for further guidance on platforms for online surveys:


Microsoft Teams is the University’s approved platform for virtual meetings and currently the only platform approved for conducting meetings where confidential or sensitive subjects will be discussed. Zoom may be sufficiently secure for some situations. Refer to the University’s Information Security website for guidance. 

Practical considerations when planning interviews to be conducted online include taking into account varying degrees of digital literacy and access to technology. It may be more difficult to tell if the location is suitable, such as whether the participant is in a safe place or if they could be overheard.

Refer to CUREC’s Best practice guidance 10 on conducting research interviews for further guidance:


In accordance with the principle of data minimisation, researchers should only collect personal data that is necessary for their research and not share personal data with others or ask others to process the data unless this is required for their research. Consider whether there is a need to record participants or if sufficient information could be collected instead by taking notes, for example. If it is necessary to record the participants, would an audio recording be sufficient? Video recordings involve collecting much more personal data so these should be avoided unless they are important for the research. 

Further guidance for researchers working remotely with participant data.


During the course of the research project, data should be stored on University servers or Nexus365 OneDrive for Business if possible, and backed up using the University’s HFS service. Nexus365 OneDrive for Business has been approved by the University’s Information Security team for the storage and secure transfer of research data during the course of the research. Personal accounts with third party cloud storage providers are not generally an appropriate place to store research data. Please contact your local departmental IT support or Research Data Oxford ( for advice on appropriate platforms for storage and sharing of large data sets when OneDrive for Business is not suitable, or in the case of collaboration with third parties outside the University.

If you do need to use personal devices, please make sure that they are secured according to University guidelines. Devices containing personal data must be protected by whole disc encryption.  Further guidance on keeping your computer, portable devices and personal data safe is available on the Information Security webpages.

If you have hard copies of documents or other data that you need to store please seek advice from within your department on how to store these. Some departments may provide server space. Otherwise Nexus365 OneDrive, SharePoint Online, and Microsoft Teams offer storage and sharing options. LabArchives electronic lab notebook service offers unlimited storage. The HFS back-up service is free of charge to graduate students and staff. 

Information about longer-term options for storing and preserving data is available via the Research Data Oxford website. Information Security provides advice on keeping data secure. Information about the University’s Open Access Publications Policy is available on the Open Access Oxford website

Because a Nexus365 OneDrive account is associated with a specific set of SSO credentials, anything stored in that account will be deleted shortly after the account-holder leaves the University. In the case of research conducted by students, data retention beyond the duration of their degree course must be discussed and a retention plan agreed with the supervisor. Information about storage options is available on the Research Data Oxford website.

In accordance with the University’s Research Data policy, research data supporting outputs (for example publications, conference contributions, videos, websites) should be stored for at least three years after publication or public release of the work of the research. Research data can be stored for longer than this period 'for as long as it has continuing value, in accordance with legal and funder requirements and paying due regard to discipline norms and cost'. Researchers must keep an accurate and comprehensive record of their research, including documenting clear procedures for the collection, storage, use, reuse, access and retention or deletion of the research data associated with their records. 


It is important to make sure participants are aware of how their data will be used and shared and how identifiable they will be from the data. 

If researchers plan to share personal data or are involving a third party to process the data (including services such as a transcription service) to collect or process personal data on their behalf (a data processor), advice should be sought from their research contracts specialist on an appropriate form of agreement with that third party to ensure the information is processed in accordance with the University’s legal obligations and to make sure any privacy concerns have been addressed. A third party security assessment (TPSA) should be completed. It also may be helpful to contact the University’s Information Security or Information Compliance teams to check they are satisfied with the provider’s information handling practices. Researchers also need to agree with the other party what happens when they no longer need to share the data.

OneDrive for Business, provided as part of the University’s Nexus365 offering, has been approved by the University’s Information Security team for the sharing of research data. Please contact your local departmental IT support or Research Data Oxford ( for advice on alternative platforms for sharing large data sets when OneDrive for Business is not suitable. 

Other sections of this website provide guidance on transferring data outside the UK and the European Economic Area and on agreements to regulate the sharing or transfer of research information, materials or data, including material transfer agreements (MTAs). 

Guidance on sharing data is available via the Research Data Oxford website. The UK Data Service also has guidance on consent for data sharing, for example if the data is to be made available for reuse. 

Researchers may choose to make their data available in an archive or repository, or be required to do so by funders. ORA Data is Oxford’s institutional data archive. Information about the University’s open access publications policy is available on the Open Access Oxford website


Please refer to the guidance on the Information Compliance webpage on mailing lists. Contacting individuals in the future to inform them of new research projects at the University or to invite them to take part in future research projects would be regarded as direct marketing. Mailing lists for this purpose would need to comply with the Privacy and Electronic Communications Regulations (PECR) as well as UK GDPR. Researchers will need to give consideration to maintaining records of consent, appropriate management opt-out requests, as well as the general principles of GDPR compliance such as data security, data minimisation, retention, and accuracy (researchers are advised to contact Information Security for assurance on the security measures of any mailing list database or tools). 

Processing of special categories of data for the purposes of direct marketing is likely to require a data protection impact assessment. If that is the case researchers should contact the Information Compliance Team for advice. 


The University’s IT Regulations state that 'users are not permitted to use university IT or network facilities for… transmission, without proper authorisation, of e-mail to a large number of recipients, unless those recipients have indicated an interest in receiving such e-mail'. Given the potential also for breaches of data protection legislation when constructing email mailing lists, researchers are advised to seek further advice from the University’s Information Compliance Team and Information Security Team and to refer to the guidance on the Information Compliance webpage on mailing lists.


The University’s Information Security Team has approved the use of the Microsoft Office suite within Nexus365 for processing confidential information, including the automatic transcription feature within Microsoft Teams and Transcribe, the transcription feature within the web version of Microsoft Word. Using an option within the Microsoft Office suite within Nexus365 is considered more secure than many of the third party transcription services on offer. 

When using external transcription services, it is important to ensure data is transferred between parties in a secure manner, and that the service deletes all audio-visual material once the transcription has been returned to the researcher. A service-level agreement should be in place before any material is transferred to the service provider.

Researchers should take advice from Information Security about other third party providers who might process personal data on their behalf since a third party security assessment (TPSA) may need to be conducted. 


Research data should be stored on University servers or Nexus365 OneDrive if possible. Information about storage options is available via the Research Data Oxford website. Devices containing personal data must be protected by whole disc encryption. Guidance on protecting your laptop, personal computer or other devices is available on the Information Security website


More detailed guidance is available within CUREC’s best practice guidance (BPG), including: 

The Research Data Oxford website is a central source of guidance and information. For personalised advice, email the Research Data Oxford team:  

The Bodleian Data Library provides advice on finding and using data in research. 

Information Security can advise on other third party providers who might process personal data on behalf of University of Oxford researchers, including on whether a third party security assessment (TPSA) is needed.

The University's information classification policy is available on the Information Security website.

For advice about commercialisation and related intellectual property management, contact Oxford University Innovation

After approval

Expand All

As your project progresses, there may be reasons to make changes (for example to principal investigator (PI), participant information, or procedures), known as amendments. These must be notified to the relevant IDREC or OxTREC for consideration and approval.

For amendments to projects previously reviewed by the SSH IDREC, please fill out an amendment form and submit this, the revised application form and any revised supporting document to

For amendment requests to OxTREC, please send an email to giving the reasons for the proposed modifications and attaching all modified documents with changes tracked.

For amendment requests to the MS IDREC, please complete the amendment form below. You will also need to send any new or revised documentation, which must have changes highlighted, preferably using MS Office Word tracking so that deleted and revised text can both be seen. If your original application required departmental review, revised documentation must first be sent to the department for continued approval. Approval of continued University sponsorship (where sought as part of the original application) will also be required before MS IDREC review.

You must not carry out your study with the changes applied until you receive confirmation from the relevant IDREC or OxTREC Secretariat. If the changes are significant and the project substantively altered, you may need to complete a new application.

The committee response will be:

  • either an email confirming your amendment has been noted and filed
  • or a formal letter of confirmation of the change and approval thereof
  • or a notification that the amendment alters previous ethical consideration of your project requiring submission of a new application.

What amendments need to be reported?

Note that the below is not an exhaustive list.

  • amendment of the design or methodology of the study, or to background information affecting its academic value;
  • change of participant numbers, participant groups and/or recruitment procedures;
  • changes to the procedures undertaken by, or other requirements expected of, participants (including any change relating to the safety or physical or mental integrity of participants, or to the risk/benefit assessment for the study);
  • updates to the application form or other study documentation such as protocol, participant information sheet, consent form, questionnaire, recruitment material, information sheets for relatives or carers;
  • appointment of a new chief/principal investigator;
  • inclusion of new sites or locations for the research and/or change of territory for international studies;
  • a change to the insurance or indemnity arrangements for the study;
  • temporary halt of a study to protect participants from harm (or resulting from a concern or complaint made), and the planned restart of a study following a temporary halt;
  • revised funding arrangements;
  • changes to investigators brochure for clinical trials;
  • alteration of logistical arrangements for storing or transporting samples;
  • collaborator/supplier change;
  • change in remuneration;
  • extension of the study beyond the period specified in the application form or original approval letter;
  • changes to contact details for the chief/principal investigator or other study staff;
  • any other significant change to the terms of the REC application

If it looks likely that your research plans will have to change, please get in touch with the CUREC subcommittee as soon as you can to discuss the changes. If at all possible, you should inform the CUREC subcommittee of any new plans before undertaking them. If you are in a very remote area this may not be possible. Do your best to ensure that your revised project and any documents you will give to participants meet CUREC's standards, which you will be familiar with from your initial application. Submit your project for CUREC review as soon as you can, even if this is after the research is completed.
Please note that retrospective scrutiny of research projects (or amendments to research projects that have already received ethical review approval) is not acceptable except in exceptional cases, and then only with a letter of support from the researcher's head of department or faculty stating why it was not possible for this to be submitted in advance.

Your first priority will be the welfare of the person who has been harmed. If the event takes place within the University you will need to follow normal safety procedures such as making a report in the departmental accident book and if necessary alerting the departmental safety officer.

Any such adverse event must be reported to the CUREC subcommittee that approved your application within seven days. Before continuing with your research, think whether changes to your methodology, equipment or personnel are necessary to prevent further adverse events. Remember to treat emotional distress seriously, as well as physical harm, especially where participants are at risk. The IDREC/OxTREC manager may forward the incident report and advise on the committee view, as appropriate.

A sample of approved CUREC projects may be monitored each year by the relevant CUREC subcommittee to review whether the research is being (or was) conducted within the scope of the ethical approval granted. This is also to help CUREC understand how to improve its processes and encourage good practice among the University research community. CUREC and its subcommittees welcome constructive criticism during monitoring or at any other time.