Your study can be run using aggregate data, but the data has not yet been aggregated for your use.

You have indicated that you do not need to be able to distinguish individuals.

It is likely you will be able to make use of aggregate data where data about individuals are grouped by similar characteristics and summarised. These datasets provide statistical analysis without providing individual-level data points to data users.

Data you plan on using will be aggregated for the purpose of your study. Aggregating data is a form of data anonymisation.

Things to know when data undergoes an anonymisation process before you use it to run your study

You have indicated that data will be anonymised to some degree before you can use it in your study. There are a few guidelines to follow to safely proceed with data anonymisation.

Before data is anonymised, individual people can be identified from the dataset, such data is considered ‘personal data’ and is subject to the UK General Data Privacy Regulation (UK GDPR). Furthermore, medical data is confidential. The process of anonymising medical data is therefore subject to the common law duty of confidentiality, as is social care service-user data.

If the data is anonymised by the care team of the provider of health data

The care team are staff working in a health and care service provider organisation who the patient / service user would reasonably expect to have access to their record for individual care.

Members of the care team can proceed with the anonymisation of confidential information they are already privy to in their care team member role, without breaching the common law duty of confidentiality.

If the data is anonymised by someone else (e.g. someone outside the care tean)

A service provider can apply to lift the common law duty of confidentiality if it decides that it wants to provide those without existing access to confidential information (e.g. someone outside their care team) with access to the data, including for the specific purposes of conducting anonymisation or doing research. The provider (as data controller) bears the risk of determining whether it would be in breach of the law in such scenarios.

England and Wales

The provider needs to obtain approval by the Confidentiality Advisory Group (CAG) where patients are not being approached for consent.

A pre-application checklist is available here: CAG_pre-application_checklist

Scotland

A Caldicott Guardian can provide a legal avenue to access confidential patient information from a single Board. Information sharing and disclosure - UKCGC

The HSE Public Benefit and Privacy Panel (PBPP) can provide a legal avenue on behalf of multiple Board Caldicott Guardians. Public Benefit and Privacy Panel for Health and Social Care - NHSS HSC-PBPP

Northern Ireland

There is currently no legal basis to process patient identifiable data outside the care team. You will need to gain agreement from the local care team to support activity. For further information please visit Health and Social Care Northern Ireland. Full guidance is available on the Integrated Research Application System (IRAS) Website. For further advice, contact the HSC R&D Office (details of offices are available via the HSC website) or the Gateway (phone: (028) 7161 1126; email: research.gateway@hscni.net).

Does the use of aggregate data call for approval?

Using aggregate data is likely to be safe… but it might not be.

Data are considered ‘safe’ when they are ‘effectively anonymised’, i.e. when the risk of re-identifying individuals is low enough in the eyes of the law. There have been occurrences where it was possible to re-identify individuals from aggregate data Read more on the Risk of Re-identification.

If the dataset is not considered ‘effectively anonymised’, your usage of data does require approval.

Understanding the data requirements for your project is the first step in your research journey. This tool should have assisted you in thinking about the essential considerations on the use of data for health and social care research. Please do ensure that you think about the most appropriate data you need for your study and whether your data access needs would meet the statutory and legal governance requirements in the UK. It is imperative that data used for the development of AI and data-driven interventions is accessed with the highest privacy and ethical standards. Spending time to identify the data you need, understand what data is available and consult the relevant people and organisations, may ensure that your project can get started as soon as possible with minimal delays.

Start again