L-Università ta' Malta
URECA Portal UM Home
Home CMMBrec Resources Guidance for Applicants

Guidance for Applicants

CMMBrec  ·  What to know before you submit a research ethics application

📄
This guidance is intended for researchers preparing to submit an application to CMMBrec - the Centre for Molecular Medicine and Biobanking Research Ethics Committee. It has been adapted for CMMBrec from existing University of Malta and Faculty Research Ethics Committee guidance, with additional provisions relevant to biomedical research, human biological material, genetic and genomic data, data protection, laboratory governance, digital tools and artificial intelligence.

1. Purpose of this guidance & before submitting an application

Purpose of this guidance

This guidance is intended for researchers submitting applications to the Centre for Molecular Medicine and Biobanking Research Ethics Committee (CMMBrec).

CMMBrec reviews research carried out under the auspices of the Centre for Molecular Medicine and Biobanking, including biomedical, molecular, genetic, genomic, biobanking, laboratory-based, clinical-data, human-sample and related research. The Committee's role is to ensure that research is ethically sound, scientifically justified, proportionate in its demands on participants, and compliant with University of Malta requirements.

Applications that are incomplete, unclear, internally inconsistent, or not supported by the required documents may be returned to the applicant before formal review.

Before submitting an application

Researchers should familiarise themselves with the University of Malta Research Code of Practice, the University research ethics review procedures, relevant UREC guidance, and any CMMBrec templates or checklists.

No recruitment, contact with potential participants, access to identifiable data, use of coded data, sample collection, sample analysis, or extraction of clinical or laboratory records may begin until the necessary ethical approval and institutional permissions have been obtained.

CMMBrec approval applies only to the study as described in the approved application and supporting documents. Any later change may require an amendment (see Section 15).

Applicants should ensure that the application form itself contains a clear description of the study. It is not sufficient to write "see protocol" or "see information sheet" in place of answering the relevant questions. The form, protocol, information sheet, consent form and supporting documents must all tell the same story.

Where the applicant is a student, the supervisor must be involved in the preparation of the submission and should be copied in correspondence with CMMBrec. Supervisor endorsement must be completed where required.

2. Scope of CMMBrec review

CMMBrec may review applications involving, among others:

  • human participants;
  • patients, healthy volunteers, students, staff or professionals;
  • human blood, tissue, cells, DNA, RNA or other biological material;
  • archived, residual or biobanked samples;
  • clinical, laboratory, imaging, genetic, genomic or questionnaire data;
  • identifiable, coded or pseudonymised data;
  • secondary use of existing data or samples;
  • research using CMMB facilities, equipment or collections;
  • collaborations involving hospitals, clinics, laboratories, universities, NGOs, public entities or private organisations;
  • use of digital platforms, cloud systems, artificial intelligence or automated analysis tools.

Where a project raises data protection issues, involves special category personal data, genetic data, health data, or other sensitive processing, it may also require review or clearance through the University Research Ethics Committee - Data Protection (UREC-DP), or other relevant structures.

3. Quality and consistency of documents

All submitted documents should be clear, professional and fit for purpose.

Participant-facing documents should be written in plain language and should avoid unnecessary technical detail. Where technical, clinical, molecular or genetic terminology is needed, it should be explained in a way that the intended participants can understand.

Documents should be proofread before submission. Avoidable spelling, grammar, formatting, translation or typographical errors may delay review.

The following details should be consistent across all documents:

  • study title;
  • applicant and supervisor names;
  • recruitment method;
  • participant group;
  • study procedures;
  • sample and data handling;
  • withdrawal arrangements;
  • retention period;
  • confidentiality statements;
  • institutional permissions;
  • contact details.

Where Maltese versions are required, these should be accurate, properly formatted and consistent with the English version.

4. Recruitment and first contact

Recruitment arrangements must protect voluntariness and avoid pressure.

The first contact with potential participants should normally be made by a person or office already authorised to contact them, not by a student or unauthorised researcher. This is especially important where participants are patients, students, employees, service users or persons in a dependent relationship.

The application should explain who will identify potential participants, who will contact them, what they will be told, how they will express interest, and how refusal will be handled.

Where a researcher is also a participant's clinician, lecturer, supervisor, employer, assessor or service provider, this must be declared. The application should explain how undue influence or perceived obligation will be avoided.

For patients or service users, the information sheet must make clear that refusal to participate or withdrawal from the study will not affect care, services, benefits or entitlements.

For students or employees, the documents must similarly make clear that participation is voluntary and will not affect assessment, employment, progression or access to opportunities.

5. Information sheet

Participants must receive enough information to make a free and informed decision. The information sheet should normally explain:

  • the title and purpose of the study;
  • who is carrying out the study;
  • who is supervising the study, where applicable;
  • why the participant is being invited;
  • what participation involves;
  • how long participation will take;
  • whether interviews, questionnaires, focus groups, clinical procedures, sample collection, record review, recording or follow-up are involved;
  • whether participation involves any risk, discomfort, inconvenience or sensitive questions;
  • whether there is any direct benefit, or whether no direct benefit is expected;
  • that participation is voluntary;
  • that the participant may refuse or withdraw without giving a reason;
  • what will happen to data or samples if the participant withdraws;
  • who will have access to identifiable data;
  • how confidentiality will be protected;
  • how data and samples will be stored;
  • how long data and samples will be retained;
  • what will happen to data and samples after the study;
  • whether data or samples may be used in future research;
  • whether data or samples may be shared with other researchers or institutions;
  • whether genetic or genomic analysis will be carried out;
  • whether clinically relevant, incidental or secondary findings could arise;
  • whether individual results will or will not be returned;
  • who to contact for questions, concerns or complaints.

Where personal data are collected, the information sheet must include an appropriate data protection statement. This should not be a generic paragraph copied into every study - it should match the actual processing proposed in the application.

Where the study involves standard clinical care plus additional research procedures, the distinction must be made clear. Participants should be able to understand what would happen anyway as part of normal care and what is being done only because of the research.

Participants should be told that they may keep a copy of the information sheet and, where applicable, their signed consent form.

See also our dedicated Guidance: Writing a Consent Form, which covers the information sheet/consent-form relationship in more detail.

6. Consent

Consent should be specific, informed and documented where appropriate. The consent form should confirm that the participant has read and understood the information sheet, has had the opportunity to ask questions, understands what participation involves, and agrees to take part.

Consent should be separated into specific statements where the study involves distinct activities, such as:

  • taking part in an interview or questionnaire;
  • audio or video recording;
  • access to clinical or laboratory records;
  • collection of blood, tissue or other samples;
  • genetic or genomic analysis;
  • storage of samples for future research;
  • sharing coded data or samples with collaborators;
  • use of anonymised quotations;
  • re-contact for future studies;
  • return or non-return of results.

The consent form does not need to repeat all details from the information sheet, provided that the information sheet is clearly referenced and given to the participant.

Where data are collected fully anonymously, and no personal data are collected, a signed consent form may not be required. In such cases, the information sheet should state clearly that completing and submitting the questionnaire indicates consent to participate.

Researchers should not describe a study as anonymous if the participant can still be identified from names, contact details, codes, IP addresses, email addresses, rare demographic combinations, clinical details, free-text answers or small sample size.

For full guidance on writing a consent form, see Guidance: Writing a Consent Form.

7. Language, accessibility & confidentiality

Language and accessibility

Participant-facing documents should be provided in a language and format appropriate to the participant group. Where participants are all professionals and can reasonably be expected to work in English, English-only documents may be acceptable. In other cases, both English and Maltese versions may be required.

Where participants may have communication, literacy, cognitive, sensory or language difficulties, the documents and consent process should be adapted accordingly. For participants with aphasia or similar communication difficulties, accessible or aphasia-friendly formats should be used where appropriate.

Confidentiality, anonymity and pseudonymisation

Applicants must use the terms anonymous, anonymised, coded and pseudonymised accurately. Data are not anonymous if the participant can be identified directly or indirectly. If a code exists that links data or samples back to the participant, the data or samples are pseudonymised, not anonymised. Data or samples should only be described as anonymised when all identifiers and links have been permanently removed and no person can reasonably re-identify the participant.

The application should explain:

  • what identifiers will be collected;
  • whether a coding key will exist;
  • who will hold the coding key;
  • where the key will be stored;
  • who will access identifiable data;
  • who will access coded data;
  • when identifiers will be destroyed;
  • whether data will later be anonymised;
  • whether anonymisation is realistically possible.

Confidentiality statements should be realistic. Researchers should not promise absolute anonymity or absolute confidentiality where this cannot be guaranteed.

8. Data protection and GDPR

Research involving personal data must comply with applicable data protection requirements. The application should identify the categories of personal data being processed. Where the study involves health data, genetic data, biometric data, clinical records, family history, ethnicity, sex life, disability, criminal offence data or other sensitive information, this must be stated clearly.

The application and participant documents should explain:

  • the purpose of processing;
  • the data controller;
  • the categories of data collected;
  • who will have access to the data;
  • where the data will be stored;
  • whether data will be transferred outside the University, outside Malta, or outside the EU/EEA;
  • how data will be protected;
  • how long data will be retained;
  • what rights participants have;
  • whether any limits to erasure apply once data have been anonymised or incorporated into analysis.

Consent to participate in research is not always the same as consent as the lawful basis for processing personal data under GDPR. The data protection wording should therefore be checked carefully and should reflect the study design.

Studies involving genetic data, health data, vulnerable participants, large datasets, data linkage, secondary use, artificial intelligence, profiling, automated analysis, international transfers or cloud platforms may require additional data protection review (typically through UREC-DP).

9. Human biological material

Research involving human biological material requires particular care. This includes blood, tissue, cells, DNA, RNA, saliva, urine, faeces, biopsies, surgical material, archived material, residual diagnostic samples, biobank material and commercially obtained human-derived material.

The application should explain:

  • what material will be used;
  • whether it is fresh, archived, residual, commercial or biobanked;
  • where it will come from;
  • who will collect it or provide it;
  • whether it is identifiable, coded, pseudonymised, anonymised or anonymous;
  • whether it was collected for clinical care, previous research or this study;
  • whether consent already exists;
  • whether new consent is required;
  • whether genetic or genomic analysis will be performed;
  • whether samples will be stored after the study;
  • whether samples may be used for future research;
  • whether samples will be transferred to another institution or country;
  • what will happen to samples at the end of the study.

Where fresh samples are collected specifically for research, an information sheet and consent form will normally be required.

Where archived or biobanked samples are used, permission must be obtained from the holder of the archive, collection or biobank. The application should explain whether the samples are anonymous, anonymised, coded or identifiable.

Where human material is obtained through a clinical service, permission may also be required from the consultant, department, laboratory, data controller, sample custodian or other responsible authority.

Commercial cell lines may not raise the same data protection issues if they are supplied without personal data and cannot reasonably be linked to an identifiable donor. However, if the researcher or collaborator derives the cell lines, or if donor-linked information is available, further review may be required.

10. Genetic and genomic research

Applications involving genetic or genomic analysis must describe the scope of testing clearly. This includes targeted variant analysis, gene panels, whole exome sequencing, whole genome sequencing, transcriptomics, epigenomics, polygenic scores, somatic tumour testing, germline analysis and any analysis that may generate inherited or familial information.

The application should address whether:

  • the analysis is research-only or clinically validated;
  • germline findings may arise;
  • somatic findings may have germline implications;
  • incidental or secondary findings could be identified;
  • individual results will be returned;
  • results will not be returned;
  • confirmatory testing will be required;
  • genetic counselling or clinical referral will be available;
  • family implications may arise;
  • data may be shared through databases or with collaborators.

Participant documents should not overpromise the usefulness of genetic results. If results will not be returned, this should be stated clearly. If results may be returned, the pathway for confirmation, interpretation, counselling and follow-up must be described.

11. Research tools, recordings, digital platforms & AI

Research tools

All research tools must be submitted with the application. This includes questionnaires, interview schedules, focus group guides, data extraction sheets, recruitment adverts, invitation emails, online survey forms, scripts, case report forms and any other tool used to collect data.

If a tool was not developed by the researcher and is not in the public domain, permission from the owner or originator should be provided. The permission should clarify whether the tool may be used as it is, modified, translated, or used only in part. Tools should be in the language in which they will be administered.

Questions should be necessary, proportionate and understandable. Sensitive questions, questions collecting special category data, and questions about third parties should be justified.

Audio, video, digital platforms and AI tools

The application must state whether audio recording, video recording, photography, screenshots, online meeting recordings, transcription tools, cloud platforms, artificial intelligence, machine learning or automated analysis tools will be used.

Where recordings are used, participants should be told what will be recorded, why recording is needed, who will access the recording, whether it will be transcribed, when it will be deleted, and whether they can take part without being recorded.

Digital data should be stored securely, either on encrypted storage media kept in a locked location or on a secure University-approved platform with appropriate access controls.

If external digital tools, transcription platforms, survey systems or AI tools are used, the application should explain what data will be uploaded, whether personal or special category data are involved, where the data are hosted, who can access them, whether the provider may reuse the data, and what safeguards apply.

Identifiable clinical data, genetic data, interview transcripts, recordings or unpublished sensitive research data should not be entered into external AI tools unless this has been specifically justified and approved.

You can use our AI Ethics Check tool to help think through whether your project's use of AI tools needs to be flagged in your self-assessment.

12. Institutional and site permissions

Ethical approval does not replace institutional permission. Where recruitment, data collection, sample collection, access to records, or laboratory work takes place in a hospital, clinic, University department, laboratory, school, NGO, public entity, private organisation or other institution, permission must be obtained from the appropriate authority.

Depending on the study, permission may be needed from a Chief Executive Officer, Clinical Chairperson, Head of Department, consultant in charge, Data Protection Officer, laboratory head, biobank custodian, facility manager, Dean, Registrar, school authority or other responsible officer.

Where CMMB laboratories, equipment, data, sample collections or infrastructure are used, the relevant CMMB permission must be in place.

Permission must be properly documented. Screenshots, text messages or informal messages are not normally sufficient. Where permission is obtained by email, the full email trail should be saved as a PDF, including the applicant's request and the authority's reply.

Institutional permission does not replace participant consent. Participant consent does not replace institutional permission. Both may be required.

13. Minors and adults unable to consent

Research involving minors or adults who may lack capacity requires additional safeguards.

For participants under 18 years of age, written consent from a parent or legal guardian is normally required. For minors aged 12 to 17 years, assent from the minor is also normally required. Younger children should still be involved in the decision in an age-appropriate way.

A child or young person who does not wish to participate should not be pressured to take part, even if parental consent has been given.

Where adults may lack capacity to consent, the application must explain how capacity will be assessed, who may provide legal authorisation where applicable, and how the participant's wishes, welfare and dignity will be protected.

14. Secondary use, multi-phase & collaborative studies

Secondary use of data or samples

Secondary use of existing data or samples still requires ethical consideration. The application should explain:

  • where the data or samples come from;
  • why they were originally collected;
  • whether previous ethics approval exists;
  • whether previous consent exists;
  • whether the proposed use is covered by that consent or approval;
  • who the data controller or sample custodian is;
  • whether data or samples are identifiable, coded, pseudonymised, anonymised or anonymous;
  • whether additional permission is needed;
  • whether participants need to be re-contacted;
  • whether anonymisation or further safeguards are required.

Where the new study goes beyond the original approval or consent, a new application or amendment may be required.

Multi-phase studies and larger projects

Where a study has more than one phase, the application should describe each phase clearly. If later phases depend on the results of earlier phases, this should be explained. CMMBrec may approve the whole study, approve an initial phase only, or require further review before later phases begin.

Where a student or researcher joins a larger approved study, the original approval reference should be provided. If the new work adds no new procedures, participant groups, data collection, sample use, analysis or data protection issues, review may be limited. If new elements are added, further review will be required. Students may still need to submit their own application even when their work forms part of a larger approved study.

Collaborations and data or sample sharing

Collaborative projects must have clear governance. The application should identify the principal investigator, student researchers, supervisors, clinical collaborators, laboratory collaborators, external partners, data controllers, processors, sample holders and participating institutions.

Where data or samples are shared between institutions, the application should explain what will be shared, in what form, with whom, for what purpose, under what agreement, and with what safeguards. Material transfer, data sharing, intellectual property, publication and future-use arrangements should be addressed where relevant.

15. Amendments & responsibilities after approval

Amendments after approval

Any significant change to an approved study must be submitted for review before the change is implemented. This includes changes to the title, aims, participant group, recruitment method, consent process, information sheet, consent form, research tools, procedures, sample collection, sample use, data access, analysis, storage, sharing, retention, research team, supervisor, study site, digital tools or AI tools.

Approval for one version of a study does not automatically cover later changes.

Responsibilities after approval

Approval from CMMBrec does not remove the responsibility of the researcher and supervisor to conduct the study ethically and lawfully. Researchers must follow the approved protocol, use the approved documents, protect participants, respect consent, maintain confidentiality, secure data and samples, comply with institutional permissions, report unexpected ethical issues, and seek amendments when needed.

Failure to follow approved procedures may lead to suspension of the study, withdrawal of approval, referral to relevant University structures, or other action as appropriate.

16. Useful resources

Applicants should consult relevant University of Malta research ethics and data protection resources, including guidance on research ethics review, data management, online or remote consent, social media data, inclusive language, research involving disabled persons, research involving persons with mental disorders, medical imaging data, biological samples, GDPR, digital tools and artificial intelligence - see our External Links section for direct links to UREC, UREC-DP and the Research Code of Practice.

Applicants should also consult CMMBrec templates, checklists, FAQs (see our FAQs page) and examples where available, and the related Guidance: Writing a Consent Form.