Data sharing is where NSW government agencies provide authorised access, usually within government or to research institutions, to the data they hold in a controlled manner, to help deliver better outcomes to the people of NSW.
The ‘Five Safes’ is an internationally recognised risk management model designed to help identify and manage data sharing risks. Under this framework, data sharing risks are managed across five 'safety' dimensions: people, projects, settings, output and data.
For each of the safe dimensions, there are a set of questions that you should ask the Data Requester that will help you identify and manage any risks. You can do this by asking them to complete a data sharing request / access form or by having a conversation with them directly.
Safe People
Sharing data only with authorised users
Government agencies may only share data with users who are able to use the data appropriately and keep the data safe.
Safe people have the knowledge, skills and incentives to store and use the data appropriately.
Key questions to assess this dimension:
- Are they appropriately equipped, and do they possess the relevant skills and experience to effectively use the data for the proposed purpose?
- Will they restrict data access to only specified persons with the appropriate security clearance/s?
- Will they engage with the agency providing the information to support the use of the data for the proposed purpose?
- Are other persons or bodies invested in the outputs of the project
Safe Settings
Using data only in a safe and secure environment
Government agencies need to ensure that data will only be accessed and used within an appropriately safe and secure environment.
Safe settings in the Five Safes model refer to the practical controls on how data is accessed.
Key questions to assess this dimension:
- Is the physical location where the data will be stored and used appropriate?
- Is the location of any linked data sets appropriate?
- Does the agency receiving the data have appropriate security/technical safeguards to ensure data remains secure and not subject to unauthorised access and use?
- What is the likelihood of deliberate or accidental disclosure or use occurring?
- How will data be handled after it has been used/shared for the specified purpose?
Safe Projects
Sharing data only for appropriate and authorised purposes
Government agencies may only share data for appropriate projects, where they are authorised to do so and there are clear public benefits.
Safe projects in the Five Safes model refer to the legal, moral and ethical considerations surrounding the use of data.
Key questions to assess this dimension:
- What is the proposed use of the data and is the data necessary for the purpose?
- Will the purpose be of value to the public?
- Does positive public interest outweigh negative public interest?
- Is there a risk of loss, harm, or other detriment to the community if the sharing and/or use of the data does not occur?
Safe Outputs
Ensuring public outputs from data sharing projects do not identify people or organisations
Government agencies must put in place clear conditions of access and use to ensure that when results from data sharing projects are released, the identity of the people or businesses that provided the data remains private and confidential.
Key questions to assess this dimension:
- What is the nature of the proposed publication or disclosure?
- Who is the likely audience of the publication or disclosure?
- What is the likelihood or extent to which the publication or disclosure may contribute to the identification of a person to whom the data relates?
- Will the results of the data analytics work or other data for publication or disclosure be audited and/or will that process involve the provider agency?
Safe Data
Applying appropriate protections
Government agencies need to understand how sensitive their datasets are before they can decide on whether and how to share the datasets.
Key questions to assess this dimension:
- Is the data of the necessary quality for the proposed use (e.g. sufficiently accurate, relevant and timely)?
- Does the data relate to people?
- If data containing personal information is to be de-identified, how will de-identification occur and how will subsequent re-identification be prevented?
Last updated 23 Sep 2024