DARE UK Privacy Risk Assessment Methodology

Privacy Risk Assessment Methodology (PRiAM)

Secure Society Health & Wellbeing

Project Vision

Organisations responsible for data protection must demonstrate that sharing data for research does not put individuals at undue risk of harm. Such harms relate to a person’s right to privacy – for example, they may involve someone’s identity being revealed or data being used unlawfully. Organisations aim to reduce harm through privacy risk management. Although best practice principles such as the ‘Five Safes’ are used, there is no standard privacy risk assessment approach. This leaves organisations to make their own choices about levels of risk and how they should be managed.

Personal data may be held by many organisations. Often, research requires combinations of data – for example, studying patients’ journey from hospital to recovery may involve combining medical data with data from social care, digital health applications and wearable technologies. With no standard risk assessment approach, it’s hard for multiple organisations to assess and manage risk consistently.

PRiAM aimed to deliver a way to assess privacy risks for data managed by multiple organisations. Working with experts and members of the public on research use cases, the project developed a privacy risk assessment framework and demonstrated it using a security decision support tool. The framework and an evaluation of its usability and efficiency have been published, ensuring widespread impact.

Project Objectives

PRiAM is part of the DARE UK programme aiming to design and deliver a coordinated and trustworthy national data research infrastructure to support cross-domain research for public good.

The objectives are:

  • Analyse driver use cases (public health prevention, integrated care) and data usage patterns from health and social care research typical of future MRC and ESRC data sharing (WP1, Outcome: understanding of future unmet data sharing needs)
  • Identify key factors contributing to privacy risks within the Five Safes when datasets are linked in federated research networks (WP2, Outcome: understanding of privacy risk factors and consequences)
  • Define a risk tier classification framework for consistent assessment considering impact (severity of compromise) and likelihood of privacy risks when data is linked and analysed (WP2, Outcome: methodology for privacy risk assessment)
  • Assess privacy risks related to use cases using a cyber security risk modelling and simulation platform based on ISO 27005 (WP3, Outcome: accelerated and repeatable privacy risk assessment)
  • Evaluate the framework, modelling and simulation through engagement (advisory board, public) with multidisciplinary stakeholders including research councils, information owners, regulators, and the public (WP1, Outcome: evaluation and engaged network of info gov, legal & policy, practitioners and public stakeholders)

You can find more information on the PRiAM project at DARE UK

IT Innovation's Role

IT Innovation provides overall leadership of PRiAM, working with the University of Warwick and Privitar Ltd.

Project Funding

Logos: DARE UK, UKRI, HDRUK, ADRUK

Related Projects

SYNTHEMA

Secure Society, Health & Wellbeing, Artificial Intelligence

NHS Wessex Trusted Research Environment

Secure Society, Health & Wellbeing