Paul Jackson | Average reading time 4 minutes
13 Nov 2024
In September, Paul Jackson, Data Approvals Transformation Lead at Research Data Scotland, visited Rwanda to take part in the Innovate Africa Symposium 2024. We asked him to reflect on the conference and themes of building trust in data.
I was delighted to represent Research Data Scotland (RDS) at the second Innovate Africa Symposium, standing in for Professor Roger Halliday, CEO of RDS who spoke at the first symposium in Johannesburg last year.
Organised by the African Development Bank with the theme ‘Strengthening Data Governance in the African Data Ecosystem’ the event aimed to promote discussion around recent significant advancements in data governance, covering topics ranging from national data governance frameworks, platforms, processes and case studies on international efforts to enhance an inclusive data governance ecosystem.
There’s a great blog about what was discussed at the conference, so I won’t repeat what’s already covered, but I do want to explore how else we might build trust in the data system.
My presentation was the only one addressing researcher access to data, with a focus on the Five Safes framework. The framework is voluntary but is vigorously adopted by Trusted Research Environments (TREs) in the UK to guide their data security processes.
I was able to reflect at the conference on the long history of the development of the Five Safes. It all began around 15 to 20 years ago, when the European Statistical System wanted to benefit from UK’s proud history of enabling research use of confidential statistical data. It was explained to our colleagues in Europe that data doesn’t have to be either fully open or fully closed; that there is a collection of settings that taken together can create a safe space in between these extremes where the data are of high utility but also secure. This became the Five Safes framework, and it is wonderful it is still so useful now.
The objective is ‘privacy by design and default’. The GDPR (Article 89) says that if a scientific research purpose can be fulfilled by further processing which prohibits the identification of data subjects, then the purpose must be fulfilled in that manner. This is where using the Five Safes has most value.
“The objective is ‘privacy by design and default’.”
Using the Five Safes framework, researchers use data that has been prepared in advance for them. The researcher doesn’t need identifiers, because the identity of persons is not relevant to scientific research; and if identifiers were needed to prepare linked or longitudinal data then that work has already been done in advance.
De-identifying the data and removing information not needed for the research study is a step towards the effective anonymisation required by the GDPR, but other steps still need to be taken — which is why there are four more ‘Safes’. Just as the GDPR says, organisational measures, as well as this technical measure, are needed. Further measures need to be taken relating to the training and work history of the researcher; to the purpose of the research; to the secure location of the processing; and to ensuring outputs continue to be safe even when in the public domain.
When these measures are taken together to ensure that further processing for scientific research will prohibit the identification of data subjects by the researcher, then the data are anonymised effectively when used by the researcher.
“De-identifying the data and removing information not needed for the research study is a step towards the effective anonymisation required by GDPR...”
At RDS we have launched – and are continuing to develop – a new system to speed up and simplify access to data. The Researcher Access Service is bringing some important changes to Scotland. It provides an end-to-end digital journey for the researcher — no paper forms. It presents a dedicated catalogue of pre-prepared datasets. There are dedicated project coordinators to help the researcher specify the linked project dataset perfect for their work, and to prepare it for them. There is a dedicated Panel for approval of these projects. There is a dedicated space in Scotland’s National Safe Haven designed to support this work. And just one of the desirable features of the RAS is that there is a known information governance pathway that prohibits the researcher from processing personal data, allowing an acceleration of project approval times and reducing the administrative burden on researchers.
The big gain we’re working towards is that – with a known information governance pathway in place – the researchers do not have to work out a GDPR legal basis, prepare a Data Protection Impact Assessment, or enter their home institution into Personal Data Sharing Agreement as a Data Controller. The researcher can focus on setting out their methodology, specifying their data needs, and the public benefit and impact of their work. They are required only to honour the terms of the agreement formed by their approved application.
The Five Safes provide a useful set of guiding principles designed to allow practical flexibility in how safety is achieved when supporting different user requirements with different designs of data. It was interesting to listen to and join discussions on advancements in data governance at the Innovate Africa Symposium, and it was a pleasure to be able to share with attendees how Research Data Scotland are addressing access to data on behalf of researchers.
Related content
Research Data Scotland (RDS) has published an update to its metadata catalogue, bringing closer alignment with partner organisations and adding new datasets for research in the public benefit.
11 Nov 2024
We caught up with Paul Jackson, our Data Approvals Transformation Lead, to learn more about his role, and to talk about how Research Data Scotland can enable real change by improving access for researchers.
Research Data Scotland
15 Dec 2023
To stay updated with Research Data Scotland, subscribe to our monthly newsletter and follow us on X (Twitter) and LinkedIn.
