Skip to Main Content
University of York Library
Library Subject Guides

Research data management: a practical guide

Restricting access to sensitive data

A practical guide to help you manage your research data well, covering best practice for the successful organisation, storage, documentation, archiving and sharing of research data.

restricting access

When sharing data, the key principle is to be as open as possible, as closed as necessary.

It's widely accepted that a requirement to share data does not equate to "open" access to data in every case. Some data may not be shared openly as it may be sensitive or subject to a non-disclosure agreement.

The University and funders recognise that there are constraints on the open release of research data.

Before sharing research data it is important that you consider the wider consequences of your research and identify any legal, ethical, contractual or commercial reasons to restrict access to data. In some cases you may not be able to share data at all, though this can often be avoided by considering the issues from the start and planning your data management.

Restricting access to the whole or any part of the dataset so it is not freely and openly downloadable.

Concordat on open research data

The Concordat on open research data was developed through consultation with the research community. It outlines ten principles for sharing research data, including:

"There are sound reasons why the openness of research data may need to be restricted but any restrictions must be justified and justifiable." - Principle 2

Reasons to restrict access to data

link to the University's guidance on data protectionIf your research involves personal data  - information on living, identifiable people - you must manage it in accordance with data protection legislation.

Personal data can be archived in a data repository, shared and reused in the future if you pay attention to:

  • gaining informed consent for data sharing
  • anonymising the data
  • planning reuse conditions and data access restrictions.

You can find further guidance on the working with sensitive data page.

not with text University guidance on research integrity and ethicsEven if data is not personal as defined under the UK GDPR, it still may not be ethical to share it openly. There may be circumstances where the inappropriate release of sensitive data might put research participants, the public or vulnerable groups at risk.

Data on the the location of endangered animals, vulnerable groups, fragile ecosystems or GM crops, data from animal experiments, and data on organisations are all examples of data that may be too sensitive to share openly. 

note with text University guidance on intellectual propertyBefore you can share research data you need to ensure that you have the right to do so. It is therefore vital to clarify copyright and intellectual property ownership of any data that you will use before your research begins.

You can find further guidance on the working with third party data page.

note with text University guidance on contract drafting and negotiationThe need to comply with confidentiality clauses and contractual obligations would be valid justification for withholding research data. However, it may be possible to share such data with other researchers, subject to non-disclosure agreements.

It is important to negotiate on data sharing (e.g. with an industry partner) before your research begins, particularly for publicly funded research where data sharing is expected.

note with text University support for commercialising researchThe research data you create might have commercial potential/value. These data might eventually be suitable for sharing, but delaying access can often be justified to allow time to assess and protect the commercial potential of the research (e.g. through the use of embargoes).

If you think your research might have commercial potential, you should consult with the Commercialisation team before you share data.

Access restrictions

Several techniques can be used to regulate or restrict access to data, for example:


Placing data under embargo for a given period of time, during which access would be completely restricted. Embargoes might be used to:

  • delay access whilst patents are filed or while research is commercialised.
  • permit a reasonable period of first exclusive use, to give the researcher an opportunity to publish or otherwise exploit the results of their research.
  • ensure that archived data are not published before the articles based upon them are published, in line with publisher requirements.

Funder data policies should always be checked before an embargo is placed on the release of data, to established what is permitted.


Some data repositories (e.g. the UK Data Service for safeguarded data) provide registered access, requiring potential users to register before they are able to access the data. Some repositories may grant access only to registered users that meet certain criteria.


Granting access upon request, for example nominating a contact whose permission must be obtained before access to the data is granted. This might be necessary if checks need to be made to e.g. assess whether the requester is working on a suitable project or has a conflict of interest. Some repositories (e.g. the University's repository - Research Data York - for sufficiently anonymised data) may also require the requestor to fulfil certain conditions to be granted access to the data, such as signing a data sharing agreement.


Non-disclosure or confidentiality agreements can be used to share confidential or sensitive data with specific individuals, for specific purposes and under specific terms. Contact the Research and Knowledge Exchange Contracts team if such an agreement is required.


It is your responsibility to be clear on the restrictions that need to be imposed to safeguard your data. It is therefore important to document why and how you intend to restrict access to the data; to inform the data repository, to inform prospective users of the data, and where appropriate, to justify your decisions to your funder.

Applying access restrictions

Any restrictions on data access should be reasonable, transparent and in line with established best practice.

The same level of restriction does not need to be applied to all your research data, i.e. not everything has to either be openly available to the public or completely restricted. There are many types of access control that can be applied to all or part of your data, some of which will still allow you to share your data but only with specific users under certain conditions. This should always be considered in preference to a complete restriction on the whole dataset.

If you restrict access to your data, the restrictions will need to be justified in your data access statement.

If you are unsure as to whether you could or should make your data openly available, please contact the Open Research team before you publish your data.