Skip to main content
v2026.1714 entries · CC-BY 4.0
CASRAI

Editorial · CASRAI

Research Data Management Policy: Not Just a DMP

How an institutional research data management policy differs from a per-grant DMP, with a ready template structure.

ByMCP Service
Published 3 Jul 2026· 7 minute read

A research data management policy is an institution-wide governance document that sets ownership, retention, storage and researcher-responsibility rules for all research data an organisation produces — distinct from a data management plan (DMP), which is a project-specific document written for a single grant. Confusing the two leaves institutions with fragmented practice: strong per-grant DMPs but no consistent rule for what happens to data once a project, or a researcher, moves on.

A research data management policy is the institutional framework; the DMP is one project’s implementation of it. This article sets out the structural difference and gives a template for writing the institutional-level document, covering ownership, retention tiers, storage classes and researcher obligations.

What is a research data management policy?

A research data management (RDM) policy is a formally approved institutional document — typically ratified by a university executive, senate or research committee — that defines how all research data created, collected or reused at that institution must be handled across its lifecycle: creation, active use, retention, sharing and disposal.

Unlike guidance notes or web pages, a policy carries institutional authority: it assigns accountability, sets minimum retention periods, and states what happens by default when a researcher leaves or a grant closes. The UKRI Concordat on Open Research Data (2016, updated 2020), signed by UK Research and Innovation, Universities UK and the Wellcome Trust among others, sets out common principles — including that research data are a public good and that costs of good data management are legitimate, fundable research costs. Most UK institutional RDM policies, including those at Edinburgh, Southampton and Manchester, cite the Concordat directly as their basis.

Research data management policy vs a data management plan

The policy and the DMP operate at different scopes and answer different questions. The policy answers “what does this institution require of everyone, always?” The DMP answers “how will this specific project handle its specific data?” A DMP written for a UKRI or Horizon Europe grant should reference and comply with the institutional policy, not substitute for it.

Dimension Institutional RDM policy Data management plan (DMP)
Scope Whole institution, all research Single project or grant
Author Research office, library, IT, governance committee Principal investigator / research team
Trigger Approved once, reviewed periodically Written at proposal stage, revised through project life
Contains Ownership defaults, retention minimums, storage tiers, roles Dataset types, volumes, specific repositories, embargo dates
Enforcement Institutional compliance / disciplinary framework Funder compliance check at reporting/audit
Review cycle Every 3-5 years (Edinburgh’s policy specifies five) Reviewed and updated within the life of one project

A well-run institution needs both, in that order: the policy first, so every subsequent DMP inherits a consistent set of defaults — retention minimums, approved repositories, data protection procedures — rather than each research team inventing its own.

Template structure for an institutional RDM policy

Reviewing current UK institutional policies (Edinburgh, Southampton, Manchester, Birmingham, Cambridge) shows a consistent structural skeleton. A new or revised policy should include, in order:

  • Purpose and scope — why the policy exists, and which staff, students and data types it covers.
  • Definition of research data — the institution’s own working definition (the UKRI Concordat’s is a common starting point: digital or analogue information collected, observed or created to validate research findings).
  • Roles and responsibilities — who is the data owner by default (usually the institution), who is the data steward (usually the principal investigator), and what the research office, IT services and library each provide.
  • Data management planning requirement — a mandate that a DMP must exist for every funded (and, ideally, every unfunded) research project, and where that requirement sits relative to ethics approval.
  • Storage and security tiers — approved storage classes mapped to data sensitivity.
  • Retention and disposal — minimum retention period, and the trigger for review or deletion.
  • Sharing, access and FAIR compliance — the institution’s default position on open data, exceptions for confidentiality, and adherence to the FAIR principles (Findable, Accessible, Interoperable, Reusable), as defined by Wilkinson et al. in Scientific Data (2016).
  • Legal and ethical compliance — UK GDPR and Data Protection Act 2018 obligations for personal data, plus any sector-specific requirements.
  • Review cycle and ownership of the policy itself — who revises it and how often.

This ordering matters: policies that lead with storage and IT detail before establishing roles tend to read as IT documents rather than governance ones, which weakens researcher buy-in.

Retention, ownership and storage tiers

Retention should be set as a minimum, not a target. A commonly cited UK baseline is three years from project end or publication, with the caveat that funder, sponsor or disciplinary requirements specifying longer periods take precedence — clinical and health-related data, for example, routinely requires 10-15 year retention under separate regulatory regimes.

Ownership defaults matter because researchers move institutions far more often than data does. Most UK institutional policies assign underlying ownership of research data to the institution as the legal entity that employed the researcher and typically held the grant, while the principal investigator retains stewardship responsibility — the practical duty of care — during and after the project. This split must be stated explicitly, not left implicit, because it is the clause institutions rely on when a departing researcher wants to take data with them.

Storage tiers should be mapped to data sensitivity rather than treated as one undifferentiated pool. A workable minimum is three tiers:

  • Tier 1 — open/shareable: deposited in a Re3data-listed, CoreTrustSeal-certified repository with a DOI via DataCite.
  • Tier 2 — restricted/sensitive: access-controlled institutional storage under a data sharing agreement.
  • Tier 3 — confidential/personal: encrypted storage meeting UK GDPR requirements, with a Data Protection Impact Assessment on file.

Researcher obligations and governance roles

The policy should state researcher obligations as directives, not suggestions. At minimum, researchers are required to: complete a DMP before data collection begins; store active data only in institutionally approved systems; register externally held datasets with the institution; and provide a data access statement or citation in any publication when the underlying data are not directly deposited.

Governance sits across three functions the policy must name individually: the research office (grant compliance, costing RDM into proposals — UKRI states that RDM costs are eligible under its funding), IT services (approved storage infrastructure and security), and the library or research data service (repository operation, metadata standards, researcher training). ARMA and INORMS provide sector benchmarking for how these research administration roles are typically distributed across institutions.

Common questions

What is the difference between a research data management policy and a data management plan?

A research data management policy is an institution-wide governance document setting defaults for ownership, retention and storage. A data management plan is a project-specific document, usually required by a funder at proposal stage, that details how one project’s data will be collected, stored and shared within those institutional defaults.

Who is responsible for research data management at an institution?

Responsibility is shared but must be explicitly assigned. The principal investigator is typically the data steward for a given project; the institution holds underlying ownership; and the research office, IT services and library provide the supporting infrastructure, costing advice and repository services the policy commits to.

How long should institutions retain research data?

Most UK institutional policies set a minimum retention period of three years from project end or publication, deferring to longer funder-, sponsor- or discipline-specific requirements where they apply — for example, clinical research data typically requires substantially longer retention under separate regulatory regimes.

What does FAIR data mean in a research data management policy?

FAIR stands for Findable, Accessible, Interoperable and Reusable — principles defined by Wilkinson et al. (2016) that a policy should require researchers to apply when depositing data, typically through persistent identifiers, standard metadata and appropriate licensing. See the CASRAI research data dictionary for related term definitions.

Implications for research administrators

Institutions that only mandate DMPs at grant stage, without an underlying institutional policy, end up with inconsistent retention practice, ambiguous ownership when staff leave, and duplicated storage costs across departments running incompatible systems. Writing the institutional policy first — using the structure above — gives every subsequent DMP a consistent, auditable baseline, and gives research offices a defensible answer when a funder, ethics committee, or departing researcher asks who owns what and for how long.

As RDM costs are increasingly built into grants and UK institutions face growing FOI and audit scrutiny of data retention, the institutional policy is the operational backbone that per-project DMPs are supposed to inherit from, not replace.

LAC

Partner Deal

LAC Health Supplies Mobile App

Referenced across the research world

University of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logoUniversity of Cambridge logoColumbia University logoUniversity of Edinburgh logoHarvard University logoUniversity of Oxford logoPrinceton University logoStanford School of Medicine logoUniversity College London logoORCID logoCrossref logo
  • University of Cambridge logo
  • Columbia University logo
  • University of Edinburgh logo
  • Harvard University logo
  • University of Oxford logo
  • Princeton University logo
  • Stanford School of Medicine logo
  • University College London logo
  • ORCID logo
  • Crossref logo

View CASRAI adoption →