The AIHW has a long history of effective compliance with its privacy and confidentiality obligations and is well experienced in managing the risks associated with the use and release of data. The AIHW uses the Five Safes framework to reinforce management of the privacy and confidentiality of data.

The Five Safes is an approach to thinking about, assessing and managing risks associated with data sharing and release. The framework is an internationally recognised approach to considering strategic, privacy, security, ethical and operational risks as part of a holistic assessment of the risks associated with data sharing or release. The Data Availability and Transparency Bill 2020 includes reference to Data Sharing Principles based on the Five Safes framework.

Modes of access

There are four modes of access for data sharing and release, where:

  • Data sharing is making data available to another agency, organisation or person under agreed conditions.
  • Data release is making data publicly available with few or no restrictions on who may access the data and what they may do with it.

The four modes of access are outlined in Table 1 below.

Table 1: Modes of Access

Open access Data are made publicly available with few or no restrictions on who may access the data and what they may do with it. For example, making data available through a publicly accessible website. The data made available through open access is sometimes called open data.
Delivered access Data are made available by direct delivery to the user’s custody. The user can be required to agree to specific conditions associated with management and use of the data.
Secure remote access Data are made available to users via remote access that has a high level of security infrastructure control and where the users’ activities can be remotely supervised. The ABS DataLab, the Department of Health’s Enterprise Data Warehouse (EDW), the AIHW Secure Remote Access Environment (SRAE) and the Sax Institute’s Secure Unified Research Environment (SURE) are examples.
Secure on-site access Data are made available to users in a managed physical location that has a high level of security infrastructure control and where the users’ activities can be personally supervised. The AIHW DISC DataLab is an example.

Data are released through Open Access and shared through the other three modes.

Five dimensions

The framework is used to assess risk across five dimensions associated with a specific data sharing or release proposal. The dimensions and their attendant risks are described in Table 2 below.

Table 2: Five Safes dimensions and risks

Dimension Meaning Potential risks to be mitigated

Projects

Is the use of the data appropriate?

AIHW Interpretation: Use of the data is legal, ethical and the project is expected to deliver public benefit.
  • Breach of data supplier requirements
  • Breach of AIHW Ethics Committee collection/project approval conditions
  • Project is not expected to deliver public benefits commensurate with risk
  • Project design unlikely to meet stated objectives
  • Consent arrangements are unlawful
  • Using AIHW data for this project is outside community expectations.
People

Can the users be trusted to use it in an appropriate manner?

AIHW Interpretation: Researchers have the knowledge, skills and incentives to act in accordance with required standards of behaviour.

Users of the data:

  • are subject to a conflict of interest
  • are subject to incentives to breach terms and conditions
  • are inexpert in the subject matter
  • have insufficient statistical skills to analyse the data effectively
  • and/or their organisation are unlikely to be able to manage data breach risks effectively
  • and/or their organisation have a history of breaching terms and conditions.
Data

Is there a disclosure risk in the data itself?

AIHW Interpretation: Data has been treated appropriately to minimise the potential for identification of individuals or organisations.
  • Identifiers are not removed
  • Data include variables not required for the project
  • Data include records not required for the project
  • Data treatments are insufficient to prevent disclosure of personal information (Privacy Act)
  • Data treatments are insufficient to prevent attribute disclosure
  • Data treatments are insufficient to prevent identification of an information subject (AIHW Act s.29).
Settings

Does the access facility prevent unauthorised use?

AIHW Interpretation: There are practical controls on the way the data is accessed – both from a technology perspective and considering the physical environment.

Data are:

  • lost, intercepted or disclosed during transmission to the setting (data/privacy breach)
  • subject to unauthorised access at the setting (data/privacy breach)
  • used for purposes beyond those approved (including linking to other data)
  • removed from the approved setting
  • not destroyed on completion of the project.
Output

Are the statistical results non-disclosive?

AIHW Interpretation: A final check can be required to minimise risk when releasing the findings of the project.
  • Outputs do not meet confidentiality requirements
  • Outputs are released without required data supplier approval
  • Output treatments are inconsistent with those of data already released.

The five dimensions are assessed separately, then considered jointly to evaluate whether the overall arrangements are such that the risks have been appropriately managed. Any data access proposal considers all five dimensions (even if simply to note that a particular dimension is not relevant to that solution).

Each dimension of the framework can be considered as an adjustable mechanism offering a range of controls at proportionally higher or lower levels depending on the specific case. While each dimension can be set independently, all five dimensions need to be considered jointly to evaluate whether a particular instance of data sharing is a safe arrangement.

The dimensions interact. More stringent controls in one dimension can allow the controls on other dimensions to be relaxed somewhat, and vice versa. In each situation we ask ourselves: ‘Collectively, are these techniques appropriate and adequate to manage the risk?’

Benefits to users of AIHW data

The AIHW seeks to provide the most useful data possible to researchers while continuing to meet our privacy, confidentiality and data supplier obligations.

Each request for data access is assessed on a case-by-case basis, using the Five Safes, with a view to maximising the utility of the data provided for the research.

To facilitate this, depending on the detail and sensitivity of the data requested, we may ask requesters to do any or all of the following:

  • provide a research proposal that: is clearly documented; includes the research objectives; states the expected public benefit; and, details the proposed data analysis methodology
  • complete a Technical Assessment of a proposed linkage project
  • submit an application for ethical review of the research proposal by the AIHW Ethics Committee
  • advise us of other data or information available within the research work environment
  • satisfy us that:
    • you have expert knowledge in the subject area
    • you or your team have the skills and resources required to undertake the research project and associated analysis
    • you understand and have the capacity to prevent and manage data breach risks
    • you will not attempt to link the data to other data
    • data will be stored on approved media in an access restricted environment at all times
    • access to the data will be restricted (password controlled or two-factor authentication) to those listed as authorised to access the data
    • physical security of your work environment meets our requirements
    • your data hosting facilities are compliant with the relevant provisions of the Australian Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) and are fit for managing AIHW data
    • data will be destroyed on completion of the project
    • you are not subject to any conflicts of interests or incentives to breach the terms and conditions of use
    • you are supported by your organisation, including your organisation’s preparedness to sign a legally binding contract with the AIHW for which sanctions can apply in the event of non-compliance.
  • sign terms and conditions of use, which may be legally binding. Sanctions can apply for non-compliance with terms and conditions
  • permit us to undertake audits of your work environment to ensure compliance with the terms and conditions of use
  • ensure that the statistical output of your research complies with AIHW policy and data supplier requirements regarding de-identification. Outputs may be subject to approval or audit by the AIHW.

Our requirements of you in these respects will depend on the nature, volume, detail and sensitivity of the data to which you are requesting access. Requests for access to highly aggregated summary data will result in few, if any, of the requirements listed above. Access to highly sensitive or detailed data may call for your response to most or all of the above.