Privacy Risk Assessment Methodology

Lead Research Organisation: University of Southampton
Department Name: UNLISTED

Abstract

Organisations responsible for data protection must demonstrate that sharing data for research does not put individuals at undue risk of harm. Such harms relate to a person’s right to privacy, for example when someone’s identity is revealed or their data is used unlawfully.
Organisations aim to reduce harm through privacy risk management. Although best-practice principles such as the Five Safes are used, there is no standard privacy risk assessment approach. This leaves organisations to make their own choices about acceptable levels of risk and how those risks should be managed.
Personal data may be held by many organisations. Research often requires combinations of data; for example, studying patients from hospital admission to recovery may combine medical data with data from social care and digital health services. With no standard risk assessment approach, it is hard for multiple organisations to assess and manage risk consistently.
PRiAM aims to deliver a way to assess privacy risks for data managed by multiple organisations. By engaging experts and members of the public in research use cases, the project will develop a privacy risk assessment framework and demonstrate it using a security decision support tool. The framework, together with an evaluation of its usability and efficiency, will be published to ensure widespread impact.

Technical Summary

The effective use of data is expected to transform society, but the use of personal data creates privacy risks. Privacy risk management is currently vague, resulting in a variety of Trusted Research Environments with no consistent guidance for privacy risk assessment, mitigation and management. This is challenging for interdisciplinary research, where complex health and social care datasets under different domains of control need to be combined. Today’s privacy impact assessment methods are complicated, demanding and not widely used in practice, leading to inconsistent results. A common way of analysing privacy risks is needed to establish effective cross-council research networks and to ensure privacy risk can be managed consistently and efficiently.
We aim to lay the foundations for a standard privacy risk assessment framework that can describe and automatically assess privacy risk for safe data federations. The objectives are to 1) define use cases and data patterns for advanced analytics, 2) identify privacy risk factors, 3) define a risk tier classification framework, 4) assess privacy risks for use cases (public health and integrated care) using cyber security risk modelling and simulation, and 5) develop, evaluate and disseminate the framework and lessons learnt through engagement with experts and the public.
The framework for comparative assessment of different privacy risks will provide a reference that enables organisations to assess overall risk levels. We will then investigate how to extend ISO 27005 information security risk management concepts and processes to privacy risk management. We will investigate the important types of privacy risk identified by the framework (e.g. re-identification); the threats that can cause privacy risks (e.g. linking); the patterns of assets used to identify threats (e.g. aggregation of datasets); the environments that affect the likelihood of privacy threats (e.g. an environment affecting the risk of re-identification); adversarial conditions (e.g. motivation, capability and opportunity); and the controls (e.g. homomorphic encryption, Parquet encryption, secure enclaves, contracts) that can lower the likelihood of a threat occurring or mitigate the impact of the risk.
Three work packages will address user needs, the privacy risk framework and its implementation. WP1 “Use Cases, Evaluation & Stakeholder Engagement” will analyse use cases and requirements, conduct the evaluation, and capture and disseminate lessons learnt to maximise impact. WP2 “Privacy Risk Framework Specification” will identify privacy risk factors and develop the privacy risk assessment framework. WP3 “Privacy Risk Modelling & Simulation” will model risk factors and assess the use cases using ISO 27005.

Description: Privacy assessment methodology informing the design and delivery of a coordinated and trustworthy national data research infrastructure
Geographic Reach: National
Policy Influence Type: Contribution to new or improved professional practice
Impact: PRiAM engaged directly with the public in the development of the methodology. "UK PRiAM Project D4 Report: Public Engagement: Understanding private individuals' perspectives on privacy and privacy risk" https://zenodo.org/record/7107487#.ZBLPy3bP0uU
URL: https://dareuk.org.uk/wp-content/uploads/2022/08/DARE_UK-Paving_the_way_coordinated_national_infrast...

Description: Foundations of a Trustworthiness Risk Assessment Framework for AI Systems
Amount: £130,000 (GBP)
Organisation: Engineering and Physical Sciences Research Council (EPSRC)
Sector: Public
Country: United Kingdom
Start: 11/2022
End: 03/2023

Description: Synthetic generation of hematological data over federated computing frameworks
Amount: € 6,991,961 (EUR)
Funding ID: 101095530
Organisation: European Commission
Sector: Public
Country: European Union (EU)
Start: 12/2022
End: 11/2026

Title: System Security Modeller
Description: The System Security Modeller (SSM) is a risk management tool for the semi-automation of cyber-physical risk assessment. PRiAM used the tool to automate privacy risk assessment, as described in the DARE UK PRiAM Project D3 Report: Privacy Risk Framework Application Guide https://zenodo.org/record/7107466#.ZBLRfnbP0uU
Type Of Technology: Webtool/Application
Year Produced: 2022
Impact: The System Security Modeller (SSM) is currently being open sourced under the brand SPYDERISK and will be available Spring 23
URL: https://zenodo.org/record/6656064#.ZBLRHHbP0uU