The Five-Safes provides a framework for planning data access, but it still depends on a human (as a proxy for the organisation) to interpret and consider how the dimensions can be addressed.
We observe organisational stances taking one of two distinct forms:
Default closed: ‘We must not allow access to data unless we can demonstrate it is safe’
Default open: ‘We will allow access to data unless we cannot find a demonstrably safe solution’
The Five-Safes framework can be used in both a ‘default open’ and ‘default closed’ organisation. Positioning of approach can differ at both organisational and individual levels; the organisation might commit to be ‘default open’ however a particular staff member may hold a ‘default closed’ approach.
Holding a ‘default open’ approach does not automatically equate to blindly given data access; it simply implies that the process is focused on enabling research as opposed to protecting data.
By focusing on minimizing risk through restricted access, data custodians typically employ a ‘default closed approach,’ only granting access when it can be unequivocally shown to be safe.
In contrast, the ‘default open approach’ advocates providing access unless it can be clearly shown to be unsafe. There are significant incentives within the public sector to adopt a highly risk-averse stance when making decisions about confidential data. But by taking a default closed stance the organisation narrows the scope for research- ultimately limiting the potential good.
In a default open company, staff behaviours are geared toward maximizing data utility and collaboration, with a strong focus on ethics and responsible sharing. Employees are supported in sharing knowledge and working with external developers and researchers, leading to faster innovation cycles and the continuous improvement of data-driven solutions.
At the core of this approach is a commitment to ethical data-sharing frameworks, ensuring that openness does not come at the expense of privacy or security.
However, in a default closed company, staff operate in a risk-averse environment, where data protection is prioritized over external engagement.