PRiAM: Privacy Risk Assessment Methodology

A DARE UK Sprint Exemplar Project

Organisations responsible for data protection must demonstrate that sharing data for research does not put individuals at undue risk of harm. Such harms relate to a person’s right to privacy – for example, they may involve someone’s identity being revealed or data being used unlawfully.

Organisations aim to reduce harm through privacy risk management. Although best practice principles such as the ‘Five Safes’ are used, there is no standard privacy risk assessment approach. This leaves organisations to make their own choices about levels of risk and how they should be managed.

Personal data may be held by many organisations. Often, research requires combinations of data – for example, studying patients’ journey from hospital to recovery may involve combining medical data with data from social care, digital health applications and wearable technologies. With no standard risk assessment approach, it’s hard for multiple organisations to assess and manage risk consistently.

PRiAM aimed to deliver a way to assess privacy risks for data managed by multiple organisations. By engaging experts and members of the public through research use cases, the project developed a privacy risk assessment framework and demonstrated it using a security decision support tool. The framework, together with an evaluation of its usability and efficiency, has been published to ensure widespread impact.

Principal investigator: Professor Michael Boniface, University of Southampton

Project partners: University of Southampton, University of Warwick and Privitar Ltd

Funded amount: £249,499