By Dr. Suzanne Weller, Head of Research at Privitar

We are excited to announce the publication of our first deliverable from the PRiAM project which outlines the risk assessment requirements for safe collaborative research.

Privitar is part of the DARE UK program, funded by UKRI, which aims to design and deliver a trustworthy national infrastructure enabling responsible and ethical research to be carried out using sensitive data. The multi-year program is split into phases and we are  taking part in the design and dialogue phase, which runs through August 2022. We are proud to partner with the University of Southampton and the University of Warwick on the PRiAM (Privacy Risk Assessment Methodology) project.

The PRiAM project aims to lay the foundations for a standard risk assessment approach, enabling multiple organizations to understand and manage privacy risk when sharing data and provisioning combined datasets to researchers. Our approach aims to bring consistency and transparency in decision-making when assessing risk, with a specific focus on complex flows of data within networks of data providers and Trusted Research Environments (TREs). A TRE is a secure environment in which researchers can analyze data with strong safeguards in place. The approach is co-designed by an advisory group consisting of legal professionals, privacy experts, and data protection practitioners, as well as a public involvement and engagement forum.

The report sets out the context for the privacy risk assessment framework, describing three real-world advanced analytics use cases related to public health research and integrated care. For example, our first use case focuses on research to proactively model complex hospital discharges so that measures, such as elongated length of stay or readmission, can be used to optimize capacity planning and scheduling of community care services. Solutions for this use case involve individual linking of complex multi-stakeholder data using electronic clinical and management records, social care records from the local authority, and community nursing data.

The needs of this use case are complex, requiring linkage across multiple datasets managed by different stakeholders. This makes it a useful example to identify the factors and situations contributing to privacy risk, and the stakeholders involved in decision-making in cross-council research networks.

The second part of the report focuses on an initial conceptualization of risk factors. A well-established and popular approach to evaluating risk is the Five Safes. This framework also plays an important role in communicating the sources of risk and mitigations to a diverse range of stakeholders. The Five Safes is commonly used in the setting of providing researchers access to data in a secure environment and ensuring that the outputs from the research are ethical, of public benefit, and cannot be used to identify data subjects.

Assessing privacy risk across larger networks of data providers, secure environments, and research programs require enhancements to the Five Safes framework, adapting it to the complex setting of these emerging data usage patterns. The report presents an enhanced Five Safes framework, which includes:

Extending the checks on people to stakeholders, highlighting the need for appropriate skills, knowledge, and motivation across the wide range of people and organizations that have responsibility for, access to, and influence over the management of the data.

Extending the checks on projects to collaborations to reflect the diverse ways in which organizations are coming together to share resources and services for collaborative research.

Finally, the enhanced Five Safes put a greater emphasis on data flows, drawing attention to how emerging data usage patterns involve increased flows of information between multiple stakeholders in multiple environments.

Please read the full report, available on the DARE UK web, to find out more.

The PRiAM project continues until the end of August 2022. Look out for the next deliverable, which will outline a design and example usage for the privacy risk assessment framework.

At Privitar Labs, we’re driving the creation of practical solutions using privacy-enhancing technologies. We work in close partnership with our strategic customers and partners to apply leading privacy techniques to enable new uses of data. 

Want to find out more about privacy risk assessment or working with us? Please get in touch!