Skip to main content

Research Repository

Advanced Search

Evidence-based, default-open, risk-managed, user-centred data access

Ritchie, Felix; Hafner, Hans-Peter; Lenz, Rainer; Welpton, Richard


Hans-Peter Hafner

Rainer Lenz

Richard Welpton


In recent years, there has been an increasing demand from the academic community for more access to confidential data for research purposes, particularly that data collected by government departments. This has happened for three reasons. First, both governments and users have become conscious of the research value in data resources and the financial pressure to re-use data. Second, the growing use of administrative data has greatly increased the range of questions that can be answered. Third, over the last decade or so there has been growing evidence that secure academic research use of the most sensitive data can be managed without placing excessive burdens on users or data holders. In addition, the wider user community is increasingly demanding more granular statistics, such as user-generated tables.

However, the supply of secure efficient data access solutions is still a minority sport: data access is dominated by defensive decision-making which has changed little in decades. A major influence is the dominance of downside risk in the literature on statistical disclosure control (SDC). Over fifty years this literature has successfully developed a coherent approach to analysing problems and proposing solutions, to the extent that anyone facing an anonymisation problem can pick an effective, uncontroversial off-the-shelf solution. However, the SDC literature is uniformly defensive, encouraging users of SDC analyses to take the same attitude.

The net result of defensive decision-making in government and defensive SDC literature is to generate a ‘policing’ model of data security, where right, wrong and responsibilities are clearly defined, and the aim of the data owner shifts from user needs to ‘due diligence’. Moreover, defensive decision-making encourages a focus on theoretical worst cases: the evidence base that has been built up on how researchers actually use data plays almost no part in the literature.

This paper argues that a change in attitudes can lead to outcomes which are cost effective, more secure, more sustainable, more resilient, and encourage good relationships with stakeholders. We refer to this as the evidence-based, default-open, risk-managed, user-centred (‘EDRU’) model, and it reflects insights from economics, psychology, criminology, and cybersecurity.

This paper summarises the case for this evidence-based holistic approach to data access management. The common themes are use of evidence, integration of statistical and non-statistical approaches, and the effective use of limited resources. While this approach is no longer novel in some communities, it is still unfamiliar enough to cause concerns amongst those implementing data access strategies. This paper aims to address such concerns and demonstrate the importance of grounding strategy in realistic expectations of risk, uncertainty, cost and incentives.


Ritchie, F., Hafner, H., Lenz, R., & Welpton, R. (2018, October). Evidence-based, default-open, risk-managed, user-centred data access. Paper presented at Conference of European Statistics Stakeholders, Bamberg

Presentation Conference Type Conference Paper (unpublished)
Conference Name Conference of European Statistics Stakeholders
Conference Location Bamberg
Start Date Oct 18, 2018
End Date Oct 19, 2018
Deposit Date Jun 9, 2021
Keywords EDRU, confidentiality, data access
Public URL
Publisher URL