The present and future of the Five Safes framework
Article Sidebar
Main Article Content
Abstract
The Five Safes has become the default framework for confidential data governance across multiple sectors and countries. Since its inception in 2003, the approach has influenced data management in many ways, particularly in the public sector. As it has become established and widely used, both its advantages and limitations have come to the fore, along with an understanding of modern data management principles.
This paper explores the history, application, strengths and limitations in the Five Safes. It discusses the different variations on the framework over time, as well as recent suggestions for deepening or extending the framework.
Finally we discuss the framework’s relationship to the emerging preference for principles-based regulation and design, showing how there is a concordance between the two which may lead to a new consensus on good data governance design models.
Article Details
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Copyright is retained by the authors. By submitting to this journal, the author(s) license the article under the Creative Commons License – Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), unless choosing a more lenient license (for instance, public domain). For situations not allowed under CC BY-NC-ND, short sections of text, not to exceed two paragraphs, may be quoted without explicit permission provided that full credit, including © notice, is given to the source.
Authors of articles published by the journal grant the journal the right to store the articles in its databases for an unlimited period of time and to distribute and reproduce the articles electronically.
References
Alves, K., Tava, F., Whittard, D., Green, E., Beata Kreft, M., & Ritchie, F. (2021). Process and economic evaluation of the ODI R&D programme: Final report. London: Open Data Institute
Arbuckle L. and El Emam K. (2020) Building an anonymization pipeline. O’Reilly Publishers
Atkin C., Crosby B., Dunn K., Price G., Marston E., Crawford C., O’Hara M., Morgan C., Levermore M., Gallier S., Modhwadia S., Attwood J., Perks S, Denniston A., Gkoutos G., Dormer R., Rosser A., Ignatowicz A., Fanning H. and Sapey E. (2021) Perceptions of anonymised data use and awareness of the NHS data opt-out amongst patients, carers and healthcare staff. Research Involvement and Engagement v7:40 https://doi.org/10.1186/s40900-021-00281-2
Bailie J. (2020) Big data, differential privacy and national statistical organisations.Statistical Journal of the IAOS 36(3):1-8. DOI: 10.3233/SJI-200685
Bender S., Blaschke J., Hirsch C. (2022) Data Production in a Digitised Age: The need to establish successful workflows for micro data access. Deutsche Bundesbank, Research Data and Service Centre Technical Report 2022-02.
Bleninger P., Drechsler J., and Ronning G. (2011) Remote data access and the risk of disclosure from linear regression. Statistics and Operational Research Transactions, Special Issue: Privacy in Statistical Databases. 35:7-24
Boniface M., Carmichael L., Hall W., Pickering B., Stalla-Bourdillon S. and Taylor S. (2021) The Social Data Foundation Model: Facilitating Health and Social Care Transformation through Datatrust Services. Mimeo University of Southampton Interdisciplinary Centre for Law, Internet and Culture.
Boniface M., Carmichael L., Hall W., McMahon J., Pickering B., Surridge M., Taylor S., Atmaca U-I., Epiphaniou G., Maple C., Murakonda S., Weller S. (2022) Privacy Risk Assessment Requirements for Safe Collaborative Research. DARE UK Sprint 'PRiAM' v1.1, July.
Brennan P., Fitzpatrick M., LarranagaJ., O'Donnell V., Osman M., Petterson C., Powles J., Twomey C., Wortham R. (2019) Privacy and Responsible Information Sharing for Western Australia. Community Submission to WA consultation on data sharing.
Bujnowska A. (2018) Access to European Microdata for Statistical Purposes. https://ec.europa.eu/eurostat/cros/system/files/04.access_to_microdata.pdf
Corti L., van den Eyden V, Bishop L. and Wollard M. (2020) Managing and Sharing Research Data: A Guide to Good Practice, 2nd edition. Sage.
Coulter A. (2021) atient trust in plans to share primary care data. British Medical Journal v373:1413 http://dx.doi.org/10.1136/bmj.n1413
Cranswick K., Tumpane S. and Stobert S (2019) Virtual data labs - A more flexible approach to access Statistics Canada microdata. UNECE/Eurostat Work Session on Statistical Data Confidentiality, The Hague, October
Culnane C., Rubinstein B., Watts D. (2020) Not fit for Purpose: A critical analysis of the ‘Five Safes’. Mimeo, University of Melbourne.
Desai T., Ritchie F., and Welpton R. (2016) The Five Safes: designing data access for research. Working papers in Economics no. 1601, University of the West of England, Bristol. January
DPMC (2019) Data Sharing and Release Legislative Reforms Discussion Paper. Commonwealth of Australia, Department of the Prime Minister and Cabinet.
DSS (2016) Data Access Project: Final Report. Australian Government Department of Social Services. June.
El Emam K. and Arbuckle L. (2020) The Five Safes of Risk-Based Anonymization. Privacy Analytics White Paper.
Elliot M., Mackey E. and O'Hara K. (2020) The Anonymisation Decision-Making Framework: European Practitioners’ Guide, 2nd Edition. UK Anonymisation Network. https://msrbcel.files.wordpress.com/2020/11/adf-2nd-edition-1.pdf
Eurostat (2016) Self-study material for the users of Eurostat microdata sets
Green E., Ritchie F., Newman J. and Parker T. (2017) "Lessons learned in training 'safe users' of confidential data". UNECE worksession on Statistical Data Confidentiality 2017. Eurostat.
Griffiths K., Blain J., Vajdic C. and Jorm L. (2021) Indigenous and Tribal Peoples Data Governance in Health Research: A Systematic Review. Inernational Journal of Environmental Research and Public Health. v18:10318. doi.org/10.3390/ijerph181910318
GroosD. and van Veen E. (2020) Anonymised Data and the Rule of Law. European Data Protection Law. v4 pp498-508
Hafner H-P., Lenz R., Ritchie F., and Welpton R. (2015) "Evidence-based, context-sensitive, user-centred, risk-managed SDC planning: designing data access solutions for scientific use", in UNECE/Eurostat Worksession on Statistical Data Confidentiality 2015, Helsinki.
Hafner, H., Lenz, R. & Ritchie F. (2019). User-focused threat identification for anonymised microdata. Statistical Journal of the IAOS, 35(4), 703-713. https://doi.org/10.3233/SJI-190506.
Hallinan D., Friedewald M. and McCarthy P. (2012) Citizens' perceptions of data protection and privacy in Europe. Computer Law & Security Review v28:3 pp263-272 https://doi.org/10.1016/j.clsr.2012.03.005
HDR (2020) Trusted Research Environments (TRE). UK Health Data Research Alliance Green Paper v1.0 30 April.
ICON (2016) Hellenic Statistical Authority Mission on microdata access: final report. Eurostat
Jenkins S., Harris A., and Lark R. (2017) Maintaining credibility when communicating uncertainty: The role of communication format. In: Gunzelmann G., Howes A., Tenbrink T. and Davelaar E. (eds.) CogSci 2017: Proceedings of the 39th Annual Meeting of the Cognitive Science Society. (pp. pp. 582-587). Cognitive Science Society: London, UK.
Jefferson E., Liley J., Malone M., Reel S., Crespi-Boixader A., Kerasidou X., Tava F., McCarthy A., Preen R., Blanco-Justicia A., Mansouri-Benssassi E., Domingo-Ferrer J., Beggs J., Chuter A., Cole C., Ritchie F., Daly A., Rogers S. and Smith J. (2022) Recommendations for disclosure control of trained Machine Learning (ML) models from Trusted Research Environments (TREs). https://zenodo.org/record/6896214#.Yt5i2HbMKHs
Karrar N., Khan S., Manohar S., Quattroni P., Seymour D., Varma S. (2021) Analysis of Data Use Registers published by health data custodians in the UK. medRxiv preprint doi: https://doi.org/10.1101/2021.05.25.21257785medRxiv preprint doi: https://doi.org/10.1101/2021.05.25.21257785
Keenan P. (2020) “Dictum meum pactum”: UK regulation: Rules or Principles. Keenan Regulatory Consulting.
Lane J., Bowie C. , Scheuren F., and Mulcahy T. (2009) NORC Data Enclave: Providing Secure Remote Access to Sensitive Microdata. Presentation available at https://ec.europa.eu/eurostat/documents/1001617/4398365/S02P1-NORC-DATA-ENCLAVE-SCHEUREN.ppt Accessed 20.8.2022
Lane J. (2020) Democratizing our data: a manifesto. MIT Press
Marcotte J., Rush S., and Ogden-Schuette K. (2020) Tiered Access to Research Data for Secondary Analysis. University of Michigan. https://dx.doi.org/10.7302/4259
McEachern S. (2021) CADRE Five Safes Framework - Conceptualisation and Operationalisation of the Five Safes Framework. Co-ordinated Access for Data, Research and Environments. doi:10.5281/zenodo.5748610
NRC (2014) Proposed Revisions to the Common Rule for the Protection of Human Subjects in the Behavioral and Social Sciences. National Research Council doi:10.17226/18614. ISBN 9780309298063. PMID 25032406.
OECD (2014) OECD Expert Group for International Collaboration on microdata Access: Final report. Organisation for Ecoomic Co-operation and Development.July.
ONS (2011) Secure Data Service Risk Assessment. Mimeo, Office for National Statistics.
ONS (2020) Safe Researcher Training 2017 onwards. Office for National Statistics. Last reviewed June 2020
Oppermann I. (ed.) (2018) Privacy in Data Sharing: a guide for business and government. Australian Computer Society. November.
Oppermann I. (ed) (2019) Privacy-Preserving Data Sharing Frameworks People, Projects, Data and Output. Australian Computer Society.
OSR (2018a) Joining up data for better statistics. Office for Statistics Regulation Systematic Review Programme Report. September
OSR (2018b) Regulatory guidance – Building confidence in the handling and use of data. Office for Statistics Regulation. Updated October.
OSR (2019) Joining up data for better statistics. Office for Statistics Regulation Systematic Review Programme Report. October
Productivity Commission (2017). Data Availability and Use – Inquiry Report. Australian Productivity Commission.
Rahman M., Jirotka M., and Dutton W. (2007) Lost in Reality: The Case for Virtual Safe Settings (2007). Mimeo, University of Oxford.
Raisaro J., Marino F. Troncoso-Pastoriza J., Beau-Lejdstrom R., Bellazzi R., Murphy R., Bernstam E., Wang H., Bucalo M., Chen Y., Gottlieb A., Harmanci A., Kim M., Kim Y., Klann J., Klersy C., Malin B., Mean M., Prasser F., Scudeller L., Torkamani A., Vaucher J., Puppala M., Wong S., Frenkel-Morgenstern M., Xu H., Maiyaki Musa B., Habib A., Cohen T., Wilcox A., Salihu H., Sofia H., Jiang X. and Hubaux J. (2020) Improving Data Quality in Medical Research: A Monitoring Architecture for Clinical and Translational Data Warehouses. Journal of the American Medical Informatics Association v0:0 pp1–6 doi: 10.1093/jamia/ocaa172
Ritchie, F. (2008) Secure access to confidential microdata: four years of the Virtual Microdata Laboratory. Economic Labour Market Review 2, 29–34. https://doi.org/10.1057/elmr.2008.73
Ritchie F. (2013) "International access to restricted data: A principles-based standards approach". Statistical Journal of the IAOS v29:4 pp289-300. DOI 10.3233/SJI-130780
Ritchie F. (2014) Resistance to change in governments: risk inertia and incentives. UWE Departmetn of Economics working paper no.1412. December
Ritchie F. (2017a) The ‘Five Safes’: a framework for planning, designing and evaluating data access solutions. Data For Policy Conference 2017. September.
Ritchie F. (2017b) Spontaneous recognition: an unnecessary control on data access? ECB Statistical Papers no.24. European Central Bank. August.
Ritchie, F. (2019). Analyzing the disclosure risk of regression coefficients. Transactions on data privacy, 12(2), 145-173
Ritchie F. and Tava F. (2020) Five Safes or One Plus Four Safes? Musing on project purpose. Bristol Centre for Economics and finance blog
Security Brief (2019) IXUP embeds Five Safes framework in platform. https://securitybrief.com.au/story/ixup-embeds-five-safes-framework-in-platform
Sikorska J., Bradley S., Hodkiewicz M. and Fraser R. (2020) DRAT: Data risk assessment tool for university–industry collaborations. Data-Centric Engineering v1:17 doi:10.1017/dce.2020.13
Silberman R. (2021) Developing access to confidential data in France: results and new challenges. Journal of Privacy and Confidentiality v11:2
Tam S. (2021) On a disclosure probability statement for the 5 safes framework. Statistical Journal of the IAOS 37 (2021) 693–698 693 DOI 10.3233/SJI-200677
Understanding Patient Data (2018) Public attitudes to patient data use: A summary of existing research. Understanding Patient Data. September
Volkow N. (2019) Harnessing the potentiality of microdata access risk management model. UNECE/Eurostat Work Session on Statistical Data Confidentiality, The Hague, October
Weaver B. and Richardson J. (2021) Reinventing Library Research Support Services at Griffith University. In: Cases on Research Support Services in Academic Libraries. IGI GLobal.
Wellcome Trust (2013) Qualitative Research into Public Attitudes to Personal Data and Linking Personal Data. Wellcome Trust, London. July
Whittard, D., Ritchie, F., Rose, M., & Musker, R. (2022). Measuring the value of data governance in agricultural investments: A case study. Experimental Agriculture, 58, Article e8. https://doi.org/10.1017/S0014479721000314
Wiltshire D. (2021) Using Secure Access Data Safely. SSHOC Workshop September. https://youtu.be/svx-n4LEh6M
Wirth F., Meurers T., johns M. and Prasser F. (2021). Privacy‑preserving data sharing infrastructures for medical research: systematization and comparison. BMC Med Inform Decis Mak v21:242 https://doi.org/10.1186/s12911-021-01602-x
Zheng Y., Pal A., Abuadbba S., Pokhrel S., Nepal S. and Janicke H. (2020) Towards IoT Security Automation and Orchestration. Second IEEE International Conference on Trust, Privacy and Security in Intelligent Systems and Applications (TPS-ISA)