Evidence-based, default-open, risk-managed, user-centred data access

Abstract

In recent years, there has been an increasing demand from the academic community for more access to confidential data for research purposes, particularly that data collected by government departments. This has happened for three reasons. First, both governments and users have become conscious of the research value in data resources and the financial pressure to re-use data. Second, the growing use of administrative data has greatly increased the range of questions that can be answered. Third, over the last decade or so there has been growing evidence that secure academic research use of the most sensitive data can be managed without placing excessive burdens on users or data holders. In addition, the wider user community is increasingly demanding more granular statistics, such as user-generated tables.

However, the supply of secure efficient data access solutions is still a minority sport: data access is dominated by defensive decision-making which has changed little in decades. A major influence is the dominance of downside risk in the literature on statistical disclosure control (SDC). Over fifty years this literature has successfully developed a coherent approach to analysing problems and proposing solutions, to the extent that anyone facing an anonymisation problem can pick an effective, uncontroversial off-the-shelf solution. However, the SDC literature is uniformly defensive, encouraging users of SDC analyses to take the same attitude.

The net result of defensive decision-making in government and defensive SDC literature is to generate a ‘policing’ model of data security, where right, wrong and responsibilities are clearly defined, and the aim of the data owner shifts from user needs to ‘due diligence’. Moreover, defensive decision-making encourages a focus on theoretical worst cases: the evidence base that has been built up on how researchers actually use data plays almost no part in the literature.

This paper argues that a change in attitudes can lead to outcomes which are cost effective, more secure, more sustainable, more resilient, and encourage good relationships with stakeholders. We refer to this as the evidence-based, default-open, risk-managed, user-centred (‘EDRU’) model, and it reflects insights from economics, psychology, criminology, and cybersecurity.

This paper summarises the case for this evidence-based holistic approach to data access management. The common themes are use of evidence, integration of statistical and non-statistical approaches, and the effective use of limited resources. While this approach is no longer novel in some communities, it is still unfamiliar enough to cause concerns amongst those implementing data access strategies. This paper aims to address such concerns and demonstrate the importance of grounding strategy in realistic expectations of risk, uncertainty, cost and incentives.