Tag: research ethics and governance

  • Research Data Governance: Where DMPs, FAIR and Institutional Policy Meet

    Research data governance is the institution-wide framework of policies, roles and standards that determines how research data is created, stored, protected, shared and retained across its lifecycle — distinct from the project-level task of managing a single dataset. It sits above data management plans (DMPs) and FAIR practice, translating funder and institutional policy into assigned accountability. The most common failure point is not the policy itself but the gap between what a DMP promises and what a principal investigator (PI) or data steward is actually resourced and empowered to deliver.

    Put simply: research data governance is the system of institutional authority, roles and control that determines who is accountable for a dataset at every stage of its life, from collection to eventual disposal or archiving.

    What is research data governance?

    Research data governance establishes the policies, roles and standards dictating how research data is ethically collected, stored, secured and shared, applied at the level of the whole institution rather than a single grant. It differs from research data management in scope: management is what a researcher does with one dataset; governance is how an organisation ensures every dataset is handled consistently and lawfully.

    Andrea Chiarelli’s 2023 analysis for Force11’s Upstream describes this as a shift “from individual projects or datasets to the way the organisation as a whole thinks and operates when it comes to research data.” A 2025 Data Science Journal paper by Odebrecht et al. argues governance requires a “system of cross-organisational” accountability, since ownership, stewardship and compliance obligations rarely sit with one office.

    In practice, governance frameworks typically assign roles across several functions:

    • Senior leadership — sets institutional strategy and secures infrastructure budget.
    • Data stewards or data champions — provide discipline-specific guidance and training.
    • Librarians and information professionals — curate data and advocate for open sharing.
    • Ethics and compliance officers — verify adherence to regulatory and funder requirements.
    • IT and information security teams — manage storage, backup and access control.
    • Principal investigators — remain directly responsible for their project’s data day to day.

    How do data management plans fit into research data governance?

    A data management plan is the project-level instrument; research data governance is the institutional context that shapes it. Governance sets the rules of the road — the DMP is the trip plan for a specific project, describing what data will be generated, how it will be stored, and what happens to it once funding ends. Most UK and EU funders now require a DMP at application stage, per the Digital Curation Centre’s funder-policy overview.

    UKRI’s Guidance on Best Practice in the Management of Research Data (2020) states research data should be “easily discoverable, accessible, assessable, intelligible, useable” — language drawn from the G8 Open Data Charter. That expectation only becomes operational once a governance framework specifies which repository, metadata schema and retention period satisfy it. Without that translation layer, a PI can write a technically compliant DMP the institution has no infrastructure to support.

    Where personal or sensitive data is involved, governance also requires a Data Protection Impact Assessment (DPIA) under UK GDPR before collection begins — a step outside most DMP templates, and frequently where research ethics and governance approval stalls.

    Where do FAIR principles sit in the governance stack?

    The FAIR Guiding Principles — Findable, Accessible, Interoperable and Reusable — were formally published in Scientific Data in 2016 (Wilkinson et al.) and have since become the default technical standard governance frameworks use to operationalise “good data practice.” FAIR is a set of design criteria for datasets; governance is the accountability structure that ensures those criteria are met at scale, not just described in policy.

    A governance policy might mandate persistent identifiers, controlled-vocabulary metadata and an approved repository — the mechanisms that make a dataset FAIR in practice. Funder mandates reinforce this: cOAlition S’s Plan S requires data underlying publications be made available in a FAIR-compliant repository, converting a technical principle into a compliance condition an institution’s governance office must monitor.

    Layer What it governs Primary owner
    Institutional research policy Ownership, retention, ethical boundaries Senior leadership / research office
    Research data governance framework Roles, accountability, infrastructure standards Data governance committee
    FAIR principles Technical findability/reuse criteria for datasets Data stewards, repository managers
    Data management plan Project-specific application of the above Principal investigator

    Where do responsibility gaps appear between data stewards and PIs?

    The most persistent governance failure is not absent policy but an accountability vacuum between those who write institutional standards and those who generate the data day to day. Force11’s Upstream analysis notes “research cultures value autonomy and independence,” making a standardised framework structurally difficult to enforce against individual research groups — a cultural, not merely technical, obstacle.

    The gap tends to open at predictable points:

    • Departure events — what happens to a dataset when a researcher leaves is, per Upstream, “one of the most common difficulties,” since ownership and access rights are rarely settled in advance.
    • Metadata quality — without an assigned data steward, a PI defaults to whatever documentation is fastest, not what is FAIR-reusable.
    • Sensitive data handling — a DPIA is approved at the outset, but ongoing access-control enforcement typically falls back to the PI’s lab, unsupported by IT.
    • Retention beyond project end — a retention period is set, but archiving budget and ownership after a grant closes is frequently unassigned.

    The University of Oxford’s data governance framework addresses this by “establishing roles, definitions, standards and procedures to help keep data accurate and fit for purpose” — an explicit attempt to move responsibility off the individual researcher and onto a named institutional function. Institutions without an equivalent role map leave every gap to default to the PI, regardless of whether they have the time, training or authority to close it.

    Frequently asked questions

    What is data governance in research?

    Data governance in research is the exercise of institutional authority and control over how research data is created, secured, shared and retained, increasing the value of research data while minimising risk, and covering ownership, quality, ethical compliance and long-term stewardship across every supported project.

    What are the four pillars of research data governance?

    Most frameworks converge on four pillars: policy (rules for ownership, access and retention), roles (stewards, ethics officers, IT, PIs), infrastructure (repositories, metadata standards, storage) and compliance monitoring (audits against funder and legal requirements). Each pillar fails independently if the others are absent.

    What are the 5 C’s of data governance?

    The 5 C’s — clear vision, leadership commitment, collaboration, communication and continuous improvement — describe the cultural conditions a governance programme needs to survive contact with autonomous research groups. Without leadership commitment specifically, governance policy tends to remain aspirational rather than enforced.

    Will AI replace research data governance?

    No. AI tools can automate metadata tagging, anomaly detection and compliance checks, but they cannot assign accountability or resolve the ethical judgement calls that research ethics and governance committees make. AI changes the tooling of governance, not the underlying need for named, human-accountable roles.

    Implications for institutions

    For research administrators, the practical implication is that a DMP template or FAIR-compliance checklist is necessary but not sufficient. An institution needs a named governance owner — a research data governance committee or chief data steward function — whose remit spans the full lifecycle, not just the application stage a DMP covers.

    The Royal Society and British Academy’s joint review, Data Management and Use: Governance in the 21st Century, argued data governance should be treated as an organisational capability comparable to financial or ethical governance, not a bolt-on exercise assigned to whichever office has spare capacity. That framing is increasingly reflected in how EARMA, ARMA and INORMS member institutions structure research administration functions, positioning data governance alongside grants management and research integrity rather than beneath IT.

    Conclusion: closing the gap

    Research data governance, DMPs and FAIR practice describe the same problem from three altitudes: institutional accountability, project-level planning, and technical dataset design. The responsibility gaps undermining all three consistently form where policy assigns an outcome — FAIR metadata, secure retention, a departure protocol — without assigning a person. Institutions that name an accountable role for every governance obligation, rather than defaulting to the PI, close that gap before it becomes a compliance failure. For broader context on these roles within the wider research administration function, see CASRAI’s research administration standards resources.

  • Clinical Research Governance: Sponsor, Host, PI

    Clinical research governance in a multi-site trial is not a single chain of command but three overlapping, unequally weighted accountabilities: the sponsor owns overall trial risk and cannot delegate it away, the host organisation owns the local environment and confirms site-level capacity, and the principal investigator owns day-to-day conduct at their site. In practice, this three-way split creates gaps — in indemnity, in recruitment-shortfall accountability, and in adverse-event reporting speed — that the written framework does not fully resolve.

    Clinical research governance is the system of regulations, ethical principles and quality standards — spanning ethical approval, risk management, data integrity and financial oversight — that safeguards participants and assures the scientific validity of health research. In UK-regulated studies, the current reference point is the UK Policy Framework for Health and Social Care Research, maintained by the Health Research Authority (HRA) and last updated 10 January 2025.

    Contents

    What the framework says multi-site responsibility should look like

    On paper, the model is clean. The UK Policy Framework defines the sponsor as the organisation or individual taking on responsibility for initiating, managing and financing (or arranging financing for) a study. Every other party’s obligations flow from that single point of accountability.

    Participating NHS sites are brought in through Confirmation of Capacity and Capability — a check, run by each site’s own research and development (R&D) office, that it has the staff, facilities and local approvals to deliver the protocol safely. This is the mechanism that lets a single HRA and Health and Care Research Wales (HRA/HCRW) Approval cover recruitment across dozens of sites without a fresh full ethics review at each one.

    Contractually, the sponsor-host relationship is usually standardised through the Association of the British Pharmaceutical Industry’s model Clinical Trial Agreement (mCTA) for commercial studies, or a model Non-Commercial Agreement for academic ones — terms defined alongside related governance concepts in the CASRAI Research Administration Dictionary. Costs are mapped using the NIHR’s Attributing the Cost of Health and Social Care Research and Development (AcoRD) guidance and a Statement of Activities/Schedule of Events Cost Attribution Template (SoECAT), intended to make explicit which party pays for what before the trial opens.

    The sponsor owns the trial’s overall regulatory and scientific risk. Under the UK Policy Framework, this cannot be contracted away, even when day-to-day monitoring is subcontracted to a contract research organisation (CRO). Concretely, that means:

    • Establishing and maintaining a documented risk-management framework across all sites
    • Ensuring compliance with Good Clinical Practice under ICH E6(R2)
    • Arranging indemnity/insurance appropriate to the trial’s risk profile
    • Monitoring site-level performance and stepping in when a site under-delivers

    For commercially sponsored trials, indemnity typically follows ABPI clinical-trial compensation guidelines. For non-commercial, NHS- or university-sponsored trials, negligent harm is usually covered through the host trust’s NHS Indemnity Scheme (the Clinical Negligence Scheme for Trusts). Non-negligent harm — injury with no clinician at fault — is a separate, thinner layer of cover that sponsors of non-commercial studies must arrange themselves, and it is frequently the least-scrutinised line item in a multi-site risk assessment.

    What does the host organisation control — and what doesn’t it?

    The host — the NHS trust, health board or university hosting the research locally — controls the physical and clinical environment: staff, facilities, occupational health cover, and the local R&D governance confirming capacity and capability before recruitment opens. It does not inherit the sponsor’s overall trial risk, and is not accountable for protocol design or cross-site data integrity.

    A host trust can, and does, halt recruitment at its own site if capacity is exceeded or a safety signal appears locally — but it has no authority over the other sites in the study, and no visibility into the sponsor’s aggregate risk picture unless the sponsor actively shares it.

    Party Owns Does not own
    Sponsor Overall trial risk, protocol design, cross-site oversight, indemnity arrangement Local staffing, facilities, day-to-day site conduct
    Host organisation Local environment, capacity/capability confirmation, site-level safety culture Cross-site risk aggregation, protocol amendments, sponsor’s regulatory liability
    Principal investigator Protocol adherence, informed consent, local data accuracy, adverse-event reporting at their site Trial-wide risk decisions, insurance/indemnity arrangements, other sites’ conduct

    Where does the principal investigator’s accountability begin and end?

    The principal investigator (PI) is accountable for conduct at their own site: following the protocol, obtaining valid informed consent, keeping accurate records, and reporting adverse events promptly to both the sponsor and the relevant research ethics committee. Their authority stops at the site boundary — a PI has no formal governance role over other participating sites, even in trials where they also act as chief investigator for scientific leadership.

    The structural tension is that a PI is usually employed, or given honorary contract/letter-of-access status, by the host — while being contractually accountable for trial conduct to the sponsor. That dual reporting line works when both parties communicate; it becomes a blind spot the moment a deviation or shortfall needs escalating and neither party is clearly first in line.

    Where does the theory break down in practice?

    Three recurring failure points separate the written framework from operational reality.

    • Recruitment-shortfall accountability. The framework assigns sponsors overall oversight, but recruitment targets are delivered site by site. When one site underperforms, responsibility for the trial-level consequence (a delayed readout, a statistically underpowered analysis) sits with the sponsor — yet the sponsor’s only lever is the same capacity-and-capability relationship the host controls.
    • Adverse-event reporting speed mismatches. PIs report to their own site’s systems first; sponsors then aggregate signals across sites to spot patterns. Multi-site trials with paper-based or fragmented electronic systems can see days of lag between a local signal and trial-wide risk reassessment — the exact gap that first-in-human trial reforms following the 2006 Northwick Park (TGN1412) incident were designed to close, by tightening dose-escalation and staggered-dosing risk controls at source rather than relying on retrospective aggregation.
    • Data-protection role confusion. Under UK GDPR, sponsors are usually the data controller and hosts the processor for site-level data — but joint-controller arrangements are common in investigator-led studies, and the governance documentation does not always specify which party answers a subject access request or a breach notification first.

    The historical root is worth noting: the original Research Governance Framework for Health and Social Care (Department of Health, 2001, revised 2005) followed the Bristol Royal Infirmary and Alder Hey organ-retention inquiries, which exposed exactly this kind of accountability vacuum in single-site care. The current UK Policy Framework, published in 2017 and updated since, extended that same sponsor-centred logic to a far more complex multi-site landscape — without fully re-engineering it for that complexity.

    Answer-first Q&A

    What is research governance in the NHS?

    In the NHS, research governance is the broad set of regulations, principles and standards that exist to achieve and continuously improve research quality across UK healthcare. It covers ethical approval, participant safety, data integrity, financial oversight and the roles of the sponsor, host organisation and investigator, all set out under the HRA’s UK Policy Framework for Health and Social Care Research.

    What are the seven pillars of clinical governance?

    The seven pillars, first articulated by Scally and Donaldson in their 1998 NHS clinical governance model, are: patient and public involvement, risk management, education and training, clinical audit, clinical effectiveness, staffing and management, and information management. They describe organisational quality assurance, distinct from — but closely linked to — trial-specific research governance.

    What are the five components of a clinical governance framework?

    Most operational models group clinical governance into five practical components: clear accountability structures, quality improvement and audit processes, risk and incident management, education and continuing professional development, and robust information systems. A multi-site trial needs all five replicated consistently across every participating organisation, not just at the coordinating centre.

    Implications for institutions running multi-site studies

    For research administrators and institutional leaders, the practical fix is not to wait for the framework to be re-engineered — it is to make the three-way split explicit in every study-specific document: the mCTA/mNCA, the SoECAT and the risk log. Naming which party owns recruitment-shortfall escalation, which owns the data-protection role, and which pays for non-negligent-harm cover before the first participant is consented closes most of the gaps identified here.

    As UK trial infrastructure consolidates further — with combined HRA/MHRA review pathways and shared R&D systems across integrated care systems — the sponsor-host-PI triangle will only govern more sites per study, not fewer. Institutions that document risk ownership explicitly, rather than relying on the framework’s implicit assumptions, will be the ones that catch the next Northwick-Park-scale gap before it reaches a participant, not after.