L-Università ta' Malta

Frequently Asked Questions

Research Ethics & Data Protection - CMMBrec

General Issues

The University has a responsibility to ensure that all research conducted under its name is carried out with integrity, accountability, and respect for the rights and welfare of others. REDP procedures help protect research participants, researchers, personal data, and the reputation of the University. They also promote good research practice by making sure that projects are planned and conducted in line with ethical standards, legal obligations, and professional expectations. These procedures support the principles set out in the University of Malta Research Code of Practice, which applies to staff, students, and all others conducting research under the University's auspices.

These procedures apply to any research carried out by University staff, students, visiting or affiliate staff, associates, contractors, and consultants, whether on University premises or elsewhere on behalf of the University. Research is understood as a systematic investigation designed to develop or contribute to scholarly knowledge, particularly where the findings may be published, presented, or otherwise disseminated. This includes, for example, dissertations, thesis work, staff research projects, collaborative studies, and externally funded research. Where a project involves human participants, personal data, biological material, sensitive topics, or other ethically relevant issues, it will normally fall within the scope of REDP procedures.

Researchers are required to complete a self-assessment through the online REDP form in URECA before starting their project. This process helps identify whether the research raises any ethics or data protection issues and whether these require formal review. If the issues identified are marked "for records," the project may normally proceed once the form is completed. If any issues are marked "for review," the project must be evaluated by the relevant Faculty Research Ethics Committee (F/REC), and where applicable by the University Research Ethics Committee (UREC), before the research begins. Researchers are responsible for ensuring that the information submitted is accurate and complete, and for seeking further guidance whenever they are unsure.

You can also use our AI Ethics Check - an AI-assisted tool that helps you think through your self-assessment before submitting via URECA.

Ethics and data protection audits are carried out to help ensure that research across the University continues to meet appropriate standards of integrity, compliance, and professionalism. These audits review a sample of REDP applications and related documentation to check whether procedures are being followed properly, whether risks have been identified appropriately, and whether projects are being conducted in accordance with approved processes. Audits are not intended simply as a control mechanism, but also as a means of supporting good practice, identifying areas where further guidance may be needed, and helping the University maintain public trust in its research activities. UREC conducts annual audits across different disciplines, while F/RECs may also review applications within their areas.

Activities occurring in normal teaching are exempt unless data are made accessible to others through publication or persistent storage for future research. Staff conducting teaching activities remain responsible for ethical compliance under the UM Research Code of Practice.

Student queries should go to academic supervisors. Other researchers should contact the CMMBrec chair. Contact us at research-ethics.cmmb@um.edu.mt.

The Applicant

Yes, if you are conducting research on UM premises using its facilities or on behalf of the UM - including staff, students, visiting/affiliate staff, associates, contractors, and consultants.

For students, the primary supervisor guides compliance. For all others, the applicant is responsible for accurate self-assessment. Failure to follow procedures and the UM Code of Practice constitutes a serious breach; audits finding non-compliance may result in disciplinary measures.

The University designates one supervisor as principal supervisor, who advises on the application and endorses the REDP form.

No. The REDP form is identical for all applicants. Students must complete additional fields and obtain supervisor endorsement through the URECA process.

Application Procedures

CMMBrec directly manages research ethics review for the Centre for Molecular Medicine and Biobanking. Applicants should contact CMMBrec - not UREC - with questions or concerns about their application.

Never. All REDP forms go to the relevant FREC (for CMMB researchers, that is CMMBrec). Applications reach UREC only if forwarded by a FREC.

Once the research design is sufficiently developed to complete the form, but before data collection begins. Allow sufficient time for FREC review based on published meeting dates. See the Meeting Schedule.

Self-assessments showing no issues may proceed immediately upon CMMBrec acknowledgement. Those requiring full review should expect a response within 30 working days of receipt. If UREC-DP review is also required, an additional 30 working days applies.

No. Submit via URECA including the self-assessment. If the self-assessment clearly permits commencement, data collection may begin. If additional assessment by CMMBrec is required, you must wait for their decision before commencing any data collection.

No. Conducting research and collecting data before completing REDP review violates the UM Research Code of Practice.

No. Complete REDP review only after your department approves your research proposal. Your supervisor will not endorse the application until the proposal itself is accepted.

URECA & the REDP Form

Primary data are collected directly by a researcher specifically for their research study - for example through interviews, surveys, sample collection, or direct observation of participants. Secondary data were originally collected by others, for different purposes, and made available to you; they may be published, held in open-access repositories, or shared under a data-sharing agreement.

The distinction matters for your self-assessment: re-using secondary data does not automatically exempt your project from review. If the dataset still contains personal or special category data that has not been fully anonymised, your use of it can still trigger ethics and/or data protection review, so it is worth checking the provenance, licence terms, and anonymisation status of any secondary data before you rely on it.

While not explicitly required for all applications, a Data Management Plan (DMP) describing data storage, processing, and protection helps demonstrate compliance with the FAIR principles and with legal requirements. Many external funders (e.g., European Research Council) now require DMPs, and a DMP is required for all projects involving special categories of personal data.

A useful DMP usually sets out: what data will be generated or collected and in what format; how and where it will be stored and backed up during the project; who will have access to it and under what safeguards; how long it will be retained; and what will eventually happen to it - whether it will be archived, shared, anonymised, or securely destroyed. Thinking these points through early often makes the rest of your REDP application more straightforward.

Participants must receive sufficient information, in a format and language they can understand, to make a genuine, informed decision about whether to take part. Researchers must ensure that consent is given voluntarily and without pressure or coercion, and that participants' freedoms are respected throughout - including a clear right to withdraw, and to have their data removed, without any negative consequences for declining or discontinuing participation.

In practice, this is usually achieved through a clear Participant Information Sheet (PIS) and Consent Form that explain, in plain language, what taking part involves, any foreseeable risks or benefits, how the data will be used, stored and protected, how long it will be kept, and who to contact with questions or concerns. Extra care - and often additional safeguards such as parental/guardian consent or simplified materials - is needed when working with children, patients, or other groups who may be less able to give consent freely.

'Human tissue/samples' is interpreted broadly, and includes any human body constituent parts - such as organs, bones, skin, blood, cerebrospinal fluid, cells, fetal tissue, and cord blood - as well as body products such as urine, sweat, tears, milk, hair, and nails.

This broad definition matters because many of these materials, particularly blood, cells, and other biological samples, can yield genetic or health information about the person they came from. For that reason they are generally treated as special categories of personal data, which can trigger ethics and data protection review even where a sample is unlabelled or appears anonymous - since laboratory analysis could, in principle, still make the donor identifiable.

Social media can be a rich source of research data, but it raises several ethical concerns that need to be thought through carefully, including: the distinction between content posted publicly and content shared in more private or restricted spaces; whether and how informed consent for research use can realistically be obtained; whether complete anonymisation is actually feasible (usernames, writing style, and linked profiles can make people re-identifiable); the risk of harm to the people whose posts are studied; and the increased sensitivity where the data may relate to children or other vulnerable groups.

Before proceeding, check whether the platform's terms of service permit this kind of research use, and document your reasoning - including how you will handle consent and anonymisation - in your self-assessment or REDP application. See UREC's guidance note: Harvesting Data from Social Media.

Under their terms of service, generative AI tools (Google Gemini, ChatGPT, Microsoft Copilot) often permit reuse of user input for model improvement, which poses material data protection risks - especially for personal or sensitive information.

Uploading personal data to an AI platform constitutes processing of personal data, which requires full compliance with FREC approval and participant consent. Special categories of personal data must be strictly anonymised or pseudonymised before use with any AI tool.

UM's Research Ethics FAQ notes that, under the University's institutional agreement with Google, data - including prompts, uploaded files and conversations - is not used to train AI models and is not reviewed by human operators when Google Gemini or NotebookLM are accessed through a University of Malta account. Researchers should nevertheless avoid uploading identifiable or sensitive data unless this is consistent with the approved Data Management Plan, participant consent, and FREC/UREC-DP requirements.

Data Protection

Per GDPR Article 9, these are categories of personal data that carry a higher risk to people's rights and freedoms if mishandled, and so require heightened protection: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (used to uniquely identify someone), health data, and data concerning a person's sex life or sexual orientation.

In a research context this category comes up more often than people expect - for example, a survey that asks about someone's medical history, a sample that could be analysed for genetic information, or an interview that touches on sexuality or religious belief can all involve special category data, even if that wasn't the main focus of the study. Applications processing special categories of personal data require referral by CMMBrec to UREC-DP for an additional layer of review, and will generally also need a Data Management Plan and explicit consent that clearly covers this kind of processing.

Anonymous/anonymised data do not relate to an identified or identifiable person, and the link to the individual cannot realistically be re-established by anyone, by any means. Because it no longer relates to a person at all, data protection law does not apply to truly anonymous data - but the bar for "truly anonymous" is high: under GDPR recital 26, the test is whether re-identification is genuinely and irreversibly impossible, not merely inconvenient. Stripping out names alone is usually not enough, especially for rich data such as genetic material, detailed case histories, or small/unique samples.

Pseudonymised data have had direct identifiers (such as names) replaced or removed, but can still be linked back to a specific person with the help of additional information - for example, a code held in a separate, secured file. Because that link still exists somewhere, pseudonymised data still relate to an identifiable person and remain fully subject to data protection law and to GDPR safeguards.

In practice, if you (or anyone else) retain a key, code, or other means of linking the data back to participants, you are working with pseudonymised - not anonymised - data, however securely that key is stored. True anonymisation only occurs once all personal data and all linking information have been permanently and irreversibly destroyed, such that no one could ever reconnect the data to the person it came from.

A participant can be identifiable in more than one way. Direct identification happens when something points straight to who they are - a name, a photograph, a verbatim quotation in their own words, a job title that's unique within an organisation, or similar. Indirect identification happens when a combination of details - for example a person's role, location, age range, and the nature of their condition or experience - would let someone who knows them (or knows of them) work out who they are, even without naming them directly.

Where there is a realistic chance that a participant could be identified - directly or indirectly - from what you plan to publish or share, you should obtain their explicit, informed consent to that specific use. If that isn't possible or appropriate, you will need to justify why the identifying information is necessary for the research, and explain what steps you have taken to minimise the risk - for example, generalising details, aggregating data, using composite case descriptions, or removing especially distinctive characteristics.

There is no single retention period that fits every type of research - it depends on the discipline, the nature of the data, any funder or publisher requirements, and the level of sensitivity involved. As a general benchmark, many international universities recommend retaining research records, data and materials for around 6-10 years after publication, which allows enough time for verification, replication, and responding to any queries about the work.

Longer retention is generally encouraged for higher-risk or more sensitive work - for example studies involving invasive procedures, psychiatric or mental-health research, other sensitive topics, or vulnerable participants. Where children are involved, a common recommendation is to retain records for around 10 years after the participant reaches the age of majority (18), since they may wish to query or revisit their involvement once they are adults. Whatever period you choose, it should be set out in your Data Management Plan together with your storage, security and eventual disposal arrangements. If you are unsure what is appropriate for your discipline, contact CMMBrec for guidance.

Sharing identifiable personal data with researchers based outside the EU/EEA counts as an international transfer under GDPR, and is subject to the additional rules set out in GDPR Chapter 5. The starting principle is that the receiving country or organisation must offer a level of data protection broadly equivalent to that guaranteed within the EU - this can be satisfied, for example, where the European Commission has issued an adequacy decision recognising that a particular country's laws provide equivalent protection.

Where no adequacy decision applies, the transfer can often still go ahead by putting appropriate safeguards in place - most commonly a Data Transfer (or Data Sharing) Agreement incorporating the European Commission's Standard Contractual Clauses (SCCs), which set out binding contractual obligations on both parties for how the data will be protected, used, secured, and (where relevant) returned or destroyed at the end of the collaboration. Other mechanisms, such as Binding Corporate Rules, may be relevant for some institutional partnerships.

Because these arrangements create legal commitments on behalf of the University, researchers should not rely on an informal understanding between collaborators. Seek UM Legal Office guidance as early as possible - ideally before any data is shared - so that the appropriate safeguard (an adequacy decision, an SCC-based agreement, or another approved mechanism) and the supporting agreement can be identified and put in place in good time.

Animal Research

The ethical review process for research involving primary data from animals is intended to ensure compliance with relevant legislation, specifically Legal Notice 161 of 2017 (Protection of Animals Used for Scientific Purposes Regulations).

The Joint FREC Animal Research Sectoral Subcommittee (JFARSS) is a specialised subcommittee set up to advise FRECs on animal research ethics. If your research involves harm to living animals and/or the use of non-legally obtained animals or tissue, your FREC will consult the JFARSS - you may be asked to provide the JFARSS with additional information about your animal research, and the JFARSS will then advise your FREC on how to proceed with the animal-research aspects of your submission.

The JFARSS can also provide informal advice on the use of animals in research while you are still formulating your project. You can find out more, or get in touch, via the JFARSS page, or contact the CMMB FREC at research-ethics.cmmb@um.edu.mt to be put in touch.

The Animal Regulations (ARs) apply only to: (A) live cephalopods; and (B) live non-human vertebrate animals, including (i) independently-feeding larval forms, and (ii) foetal forms of mammals from the last third of their normal development. The ARs also apply to animals at an earlier stage of development than those just described, but only where the animal is to be allowed to live beyond that stage and may, after reaching it, experience pain, suffering, distress or lasting harm.

The ARs continue to apply to any animal falling within these categories until it is killed, rehomed, or returned to a suitable habitat or husbandry system.

Invertebrates such as Drosophila (fruit flies) fall outside the Animal Regulations' definition of "animal" (which covers only live vertebrates and cephalopods - see the previous question), so they do not, on their own, trigger CMMB REC review on animal-welfare grounds. Neither the current Research Ethics Code of Practice and Procedures (RECoPP) nor the Animal Regulations contain any specific provision addressing invertebrate models. That said, your project may still raise other triggers covered by the standard self-assessment - for example, risk to the researcher, environmental impact, or use of genetically modified organisms - so complete the REDP self-assessment as normal, and contact CMMBrec if you are unsure whether your project requires review.

The Animal Regulations apply only to live animals, so this legislation contains no specific provisions on the use of dead animals or tissues in research. You still need to ensure, however, that any animals or tissues you work with have been obtained legally and from a legitimate source - for example licensed commercial outlets, or donations from persons or institutions who themselves obtained the animals legally and are authorised to donate them.

If you are working with protected species - whether dead or alive, and whether in whole or in part - you are responsible for ensuring that all necessary permits have been obtained, and you should document the source and legality of acquisition in your REDP submission.

Broadly speaking, the Animal Regulations regulate "procedures" - any use of a live animal, invasive or not, for experimental, scientific or educational purposes that could cause it a level of pain, suffering, distress or lasting harm comparable to (or worse than) a routine injection. On that basis, things like observing animals in the wild, briefly capturing them to take non-invasive measurements before release, simply identifying an animal, or normal agricultural/veterinary/husbandry practice are generally not treated as procedures - whereas anything that could cause the animal pain, distress or lasting harm generally is, even if anaesthesia, analgesia or similar methods are used, and even if the animal was taken from the wild (which itself carries restrictions, especially for endangered species, non-human primates, and stray/feral domestic animals).

Harm isn't limited to physical pain, either - it can also include prolonged fear or psychological distress, loss of an animal's ability to behave naturally, social deprivation, disturbance to free-living animals or their group dynamics (including effects that only show up after release back into the wild), and of course death or the risk of it. When you're weighing up whether your project poses a risk of harm, it's worth thinking not just about the procedure itself, but about incidental effects (e.g. the stress of capture, handling or transport) and the cumulative impact over the animal's lifetime.

This is necessarily a simplified summary - the legislation sets out the precise legal definitions, exemptions and thresholds in much more detail. If your project involves any of the above, please indicate this on your self-assessment, consult your FREC/JFARSS, and refer to the official UREC FAQ page and the Animal Regulations themselves for the authoritative definitions.

Even where a detailed review is not required, all University researchers are expected to follow general ethical principles concerning the use of animals in research - in particular, the principles of Replacement, Reduction and Refinement (the 3Rs):

  • Replacement - wherever possible, a scientifically satisfactory method or testing strategy that does not involve live animals should be used instead of a procedure.
  • Reduction - the number of animals used in a project should be kept to the minimum necessary to achieve the research objectives.
  • Refinement - methods of breeding, housing and care, and the methods used in procedures themselves, should eliminate or minimise any pain, suffering, distress or lasting harm to the animals involved.
For the full list of UM Research Ethics FAQs, visit the UM Research Ethics FAQ page.