The AIHW has a long history of effective compliance with its privacy and confidentiality obligations and is well experienced in managing the risks associated with the use and release of data. Building on our current best practice, the AIHW has recently decided to progressively embed the Five Safes framework into our approach to the management of the privacy of data.

In essence, the Five Safes is a risk assessment framework for data access: safe people, safe projects, safe settings, safe data and safe outputs. The framework is described in more detail by Tanvi Desai, Felix Ritchie and Richard Welpton, Five Safes: designing data access for research, University of the West of England, 2016, and by the Australian Bureau of Statistics.

The Five Safes is becoming common language across the Commonwealth (for example in relation to the government's response to the Productivity Commission's report on data availability and use) and with other Australian stakeholders. This makes it useful for communicating with stakeholders, including data suppliers, data users and the general public, about our approach to ensuring privacy, confidentiality and data security.

Current AIHW practices in data linkage, confidentialisation, data security, and data access and release are being mapped to the Five Safes framework. Similarly, the activities of the AIHW's Ethics Committee in considering projects and data collections can be reflected in the dimensions of the Five Safes framework.

The five risk dimensions in the Five Safes framework are assessed separately, then the dimensions are considered jointly to evaluate whether the overall arrangements are acceptable.

Safe projects: Is the use of the data appropriate?
    Interpretation: Use of the data is legal, ethical and the project is expected to deliver public benefit.

Safe people: Can the users be trusted to use it in an appropriate manner?
    Interpretation: Researchers have the knowledge, skills and incentives to act in accordance with required standards of behaviour.

Safe data: Is there a disclosure risk in the data itself?
    Interpretation: Data has been treated appropriately to minimise the potential for identification of individuals or organisations.

Safe settings: Does the access facility prevent unauthorised use?
    Interpretation: There are practical controls on the way the data is accessed, both from a technology perspective and considering the physical environment.

Safe output: Are the statistical results non-disclosive?
    Interpretation: A final check can be required to minimise risk when releasing the findings of the project.

Table 1 below illustrates how a Five Safes framework risk assessment supports the application of controls for data access. It covers the four most common modes by which the AIHW shares and releases data and the controls associated with each.


Modes of data sharing and release (table columns):

    Open access: Website data files, tables and publications.
    Delivered access: Providing data directly to particular users.
    Secure remote access: Providing access to data through a secure remote connection.
    Secure on-site access: Providing access to data within the security of the AIHW Data Lab.

Safe projects: Is the use of the data appropriate?

    Open access (no control): Anyone can use the data for their own purposes.
    Delivered access (moderate control): Users sign a declaration regarding the purpose for which they will use the data.
    Secure remote access (considerable control): Users can only use the data for the stated purpose; their access and use is controlled and monitored.
    Secure on-site access (high control): Project proposals are subject to a comprehensive evaluation by the AIHW.

Safe people: Can the users be trusted to use it in an appropriate manner?

    Open access (no control): Anyone can access the data.
    Delivered access (very high control): Users sign legally binding undertakings.
    Secure remote access (considerable control): Authorised users sign legally binding undertakings.
    Secure on-site access (high control): Available to authorised expert users who agree to attend the Data Lab and sign legally binding undertakings.

Safe data: Is there a disclosure risk in the data itself?

    Open access (very high control): Data are highly aggregated and treated to protect privacy and confidentiality.
    Delivered access (high control): Data are treated by the AIHW to minimise the likelihood of identifying individuals.
    Secure remote access (considerable control): Treatments are applied to protect privacy and confidentiality while supporting the aims of the project.
    Secure on-site access (moderate control): Treatments are applied to protect privacy and confidentiality while maximising the utility of the data.

Safe settings: Does the access facility prevent unauthorised use?

    Open access (no control): There are no controls.
    Delivered access (moderate control): Users are required to store the data securely and use it in their own physical and IT environment in accordance with a signed agreement.
    Secure remote access (considerable control): Access control is password based, physical security is specified in an agreement, data cannot be removed, and use of the data can be monitored and audited.
    Secure on-site access (very high control): The AIHW Data Lab is within the AIHW premises and subject to physical security, IT security, as well as monitoring and auditing capabilities. Data cannot be taken from the Data Lab.

Safe output: Are the statistical results non-disclosive?

    Open access (no control): There are no controls.
    Delivered access (moderate control): The outputs are controlled by the user, but are governed by agreements with the AIHW.
    Secure remote access (high control): Outputs can be audited by the AIHW and users are required to comply with the AIHW confidentialisation policy and practices.
    Secure on-site access (very high control): Outputs meet project objectives, AIHW confidentialisation policy and practices, and are assessed by the AIHW before being released.

Table 1. Five Safes framework controls applied under different modes of data sharing and release