DARE UK Privacy Risk Assessment Methodology
Privacy Risk Assessment Methodology (PRiAM)
Secure Society Health & WellbeingProject Vision
Organisations responsible for data protection must demonstrate that sharing data for research does not put individuals at undue risk of harm. Such harms relate to a person’s right to privacy – for example, they may involve someone’s identity being revealed or data being used unlawfully. Organisations aim to reduce harm through privacy risk management. Although best practice principles such as the ‘Five Safes’ are used, there is no standard privacy risk assessment approach. This leaves organisations to make their own choices about levels of risk and how they should be managed.
Personal data may be held by many organisations. Often, research requires combinations of data – for example, studying patients’ journey from hospital to recovery may involve combining medical data with data from social care, digital health applications and wearable technologies. With no standard risk assessment approach, it’s hard for multiple organisations to assess and manage risk consistently.
PRiAM aimed to deliver a way to assess privacy risks for data managed by multiple organisations. Engaging experts and members of the public in research use cases, a privacy risk assessment framework has been developed and demonstrated using a security decision support tool. The framework and evaluation of usability and efficiency has been published, ensuring widespread impact.
Project Objectives
PRiAM is part of the DARE UK programme aiming to design and deliver a coordinated and trustworthy national data research infrastructure to support cross-domain research for public good.
The objectives are
- Analyse driver use cases (public health prevention, integrated care) and data usage patterns from health and social care research typical of future MRC and ESRC data sharing (WP1, Outcome: understanding of future unmet data sharing needs)
- Identify key factors contributing to privacy risks within the Five Safes when datasets are linked in federated research networks (WP2, Outcome: understanding of privacy risk factors and consequences)
- Define a risk tier classification framework for consistent assessment considering impact (severity of compromise) and likelihood of privacy risks when data is linked and analysed (WP2, Outcome: methodology for privacy risk assessment)
- Assess privacy risks related to use cases using a cyber security risk modelling and simulation platform based on ISO 27005 (WP3, Outcome: accelerated and repeatable privacy risk assessment)
- Evaluate the framework, modelling and simulation through engagement (advisory board, public) with multidisciplinary stakeholders including research councils, information owners, regulators, and public (WP1, Outcome: evaluation and engaged network of info gov, legal & policy, practitioners and public stakeholders)
You can find more information on the PRiAM project at DARE UK
Project Results
- D1 Report: Privacy Risk Assessment Requirements for Safe Collaborative Research: Exploring Emerging Data Patterns and Needs of Advanced Analytics in Cross Council Research Networks through Use Case Analysis
- D2 Report: A Privacy Risk Assessment Framework for Safe Collaborative Research: Risk Tiers for a consistent and transparent use of the five safes framework
- D3 Report: Privacy Risk Framework Application Guide
- D4 Report: Public Engagement: Understanding private individuals’ perspectives on privacy and privacy risk
IT Innovation's Role
IT Innovation provides overall leadership of PRiAM workign with the University of Warwick and Privitar Ltd
Project Funding
