By Sasi Murakonda, Research Scientist at Privitar

We are pleased to announce that we have concluded our work for the PRiAM (Privacy Risk Assessment Methodology) project and have published our learnings in a series of reports.

Over the last eight months, Privitar, along with the University of Southampton and the University of Warwick, participated in this project as part of the DARE UK program, funded by UKRI. The key objective of the program was to design and deliver a trustworthy national infrastructure enabling responsible and ethical research using sensitive data. The PRiAM project focused on laying the foundation for a standard privacy risk assessment approach, enabling multiple organizations to understand and manage privacy risk when provisioning data for safe, collaborative research.

Although different organizations have different risk appetites, many of the factors they consider when assessing privacy risk are common. Making these explicit supports consistent and transparent decision-making for data provisioning.

We collaborated with a wide range of stakeholders – including an advisory group consisting of legal professionals, privacy experts, and data protection practitioners, as well as the general public – to understand how people perceive privacy risk and design a standard risk assessment methodology. Many of the factors considered when assessing privacy risk are common across different organizations. Our work identifies these factors and provides a framework for their use. This enables organizations to make consistent and transparent decisions in data provisioning.

In our first deliverable, we detail the requirements for privacy risk assessment and cover different approaches to identifying, organizing, and using the factors affecting privacy risk. Additionally, we present different use cases to illustrate the challenges in a federated setting and re-examine the five safes framework in this new context. We emphasize the importance of expanding the scope of the five safes dimensions for the framework to support data access decisions in a network of Trusted Research Environments (TREs). You can check out this earlier blog post detailing this piece of work.

We designed a privacy risk assessment framework to improve consistency and transparency in decisions about data sharing. It is built on top of the five safes and aims to facilitate better use of them. The framework is based on two fundamental principles: (1) to state explicitly what information is accounted for when assessing privacy risk, and how; and (2) to encourage comparison-based reasoning about risk in different scenarios. We also worked together with the advisory board to identify and list the commonly used factors for assessing privacy risk under the five safes. This helps drive efforts towards the creation of standard benchmarks for risk assessment and data sharing decisions across organizations and industries. We presented the approach in detail, along with illustrative examples of its usage, in the second deliverable.

Our third deliverable explores and demonstrates the feasibility of encoding the risk factors we identified in a systems security modelling tool. The tool supports the ISO/IEC 27005 methodology for information security risk management. We also provide an overview of our approach to represent the concepts of privacy risk in the format of ISO 27005 concepts (assets, controls, risks, threats, vulnerabilities, and consequences). This work is a proof of concept for risk modelling and automatic risk assessment when sharing data with researchers in Trusted Research Environments (TREs).

The fourth deliverable summarizes what we learned from engaging with the public through interactive workshops and an online survey, whose questionnaire was developed from the workshop findings. We focused specifically on understanding how individuals perceive privacy risk, and we provide recommendations for accounting for these perceptions when assessing the privacy risk of sharing data inside TREs and, more generally, when designing the infrastructure for sharing data with researchers.

You can review our reflections on the project and read the full reports here:

DARE UK PRiAM Project D1 Report: Privacy Risk Assessment Requirements for Safe Collaborative Research (2.0) 

DARE UK PRiAM Project D2 Report: Risk Tiers for a Consistent and Transparent use of the Five Safes Framework (1.1)

DARE UK PRiAM Project D3 Report: Privacy Risk Framework Application Guide (1.1)

DARE UK PRiAM Project D4 Report: Public Engagement (1.0) 

We would like to thank all our collaborators, advisors, and participants in the project for their immense support, guidance, and contributions toward the successful completion of this project. Although the project has concluded, Privitar will continue to enhance and validate the privacy risk assessment framework, as we see it as an important part of Modern Data Provisioning.

Want to find out more about privacy risk assessment or working with us? Please get in touch!