Principle 2 (Confidentiality/Data Security): The data subject’s identity (whether person or organisation) is protected, information is kept confidential and secure, and the issue of consent is considered appropriately
5. Direct identification
Low risk:
Data or research outcomes cannot be used to directly identify data subjects or specific populations
Average risk:
Don’t know, or unsure if data or research outcomes could be used to directly identify data subjects
High risk:
Data or research outcomes could directly identify data subjects or specific population groups
Direct identification means using the published research outcomes to derive the identity of data subjects without the use of additional data sources. Statistical research may require access to datasets with a higher level of granularity and, to produce and publish statistics, researchers might risk breaching the confidentiality of data subjects. You should make sure that adequate statistical disclosure controls are strictly applied to prevent research outcomes being used to directly identify data subjects or attributes identifying population groups.
Back to top6. Indirect identification
Low risk:
Data or research outcomes cannot be used indirectly to identify data subjects or specific population groups
Average risk:
Don’t know, or unsure if data or research outcomes could be used to indirectly identify data subjects
High risk:
Data or research outcomes could indirectly identify data subjects or specific population groups
Indirect identification involves using additional data sources along with research outcomes to derive the identity of data subjects or a set of proxy attributes that can identify individuals or population groups. Although you cannot prepare datasets for every eventuality, you should consider whether the current level of de-identification is proportionate to the datasets being used, and (as much as reasonably possible) if there are any other datasets available which could be used to indirectly identify individuals.
Back to top7. Data Security
Low risk:
Strict data security in place to recognised standards that is proportionate to data use/sensitivity
Average risk:
Research taking place outside of a recognised secure environment, with proportionate data security precautions taken
High risk:
Research taking place outside of a recognised secure environment, with some data security requirements still to be considered
Data security is an essential requirement for any research environment. The level of security required should be proportionate to the data collected, used, processed and curated. Depending on the granularity and sensitivity of data, we must ensure that public data is handled in a secure and responsible manner.
Back to top8. Ethical Consent
Low risk:
Informed consent has been obtained from data subjects for all stages of this particular project.
Average risk:
Consent has not been obtained from data subjects for this research which can be justified
High risk:
Informed consent has not been obtained from data subjects which cannot be justified
From an ethical point of view, consent should be sought for each data use when collecting, processing, linking and sharing data for each individual project. Their consent should be sought in advance of the project taking place. Consent must be well informed and ‘opt-in’ rather than ‘opt-out’.
As indicated by the middle response provided on the ethics self-assessment tool, there are instances where not seeking informed consent for a specific use of someone’s data can be justified. An example of this may be secondary analysis of large administrative datasets, where it may be disproportionate for informed consent for this particular research use to be collected.
In these cases where informed consent for the research project is not sought and can be justified, you should be mindful of how this may impact your consideration of other items on the ethics self-assessment tool. For example, you may be undertaking secondary analysis on a number of administrative datasets. Due to the lack of informed consent for this specific research, you should be clear on the public views and acceptability of the research you are looking to undertake.
Back to top9. Permitted use of data
Low risk:
Permission has been given specifically for this research project, or the proposed use of data is within the same context for which permission was previously given
Average risk:
Don’t know, or unsure if the proposed use of data is beyond the initial context for which permission was originally given
High risk:
The proposed use of data is beyond the initial context for which permission was originally given
If you have secured approval from a data owner to acquire or use a dataset, then you will need to ensure that any further research based on that dataset falls within the context of the original agreement to use this dataset. For further information on ethical considerations when using third-party data, see our high-level ethics checklist focused on this data type.
N/A: There may be situations where permission to access certain data is not required. In such instances, you must still provide a justification, along with necessary evidence, to explain why permission is not required.
Back to top