Using the Five Safes

‘Safe Use’ as a systems approach

The ‘five safes’ can be misleading. It is not that a data access solution must be ‘safe’ on every control factor. It is that the combination of controls makes for overall ‘safe use’; and this is achieved efficiently by considering the safes separately and jointly. 

Because there is a very large amount of evidence on how to make all of these decisions effectively, you can consider each ‘safe’ separately. For example, when designing a safe setting you can make assumptions about the training or incentives of researchers, confident that your assumptions can be met. Similarly, when designing a project you can safely assume that a dataset can be appropriately de-identified to any relevant level, and analysed in an appropriate environment.

However, all five ‘safes’ must be considered jointly to evaluate whether a data access system provides an ‘acceptable’ solution. This gives confidence in ‘safe use’. Safe projects, people and settings fall under managerial control, whereas data and outputs fall under statistical control. The combination of managerial and statistical controls is what matters. 

For example: 

  • A public use file (PUF) is a file designed for open sharing. As you cannot limit, by design, who will use the data, where, or for what purpose or outcome, all the protection must go into the ‘safe data’ – in other words, you fully anonymise the data and forget about the other safes 
  • In a trusted research environment (TRE), the data owner retains full control over the data, and the researcher can analyse the data but not remove or copy it; in addition to the safe setting, a TRE typically has a detailed application process, compulsory training for researchers and checks on all outputs; as a result of strong controls on projects, people, settings and outputs, the data in the TRE can be very ‘unsafe’ (i.e. highly detailed) and yet overall this is ‘safe use’ 
  • Scientific use files (SUF) are files which the researcher can download under license to analyse on her own machine; the license typically specifies that the data can only be used for certain purposes and must be kept in a restricted-access environment; but because researchers can sometimes be careless or forgetful, data owners have to assume that things can go wrong, and accordingly put a lot of protection in the data, albeit not as much as for a PUF; so SUFs use a combination of controls on projects, people, settings and data

Uses of the Five Safes

The Five Safes have been used in a number of ways:

  • Describing data access systems: the Five Safes has increasingly been used to describe different data access solutions; as it spread amongst the community, it became a handy framework to describe data access solutions even where the solution was not designed this way; it is now the closest thing the field has to a standard framework; examples of this would be the retrospective adoption of the framing in France and Germany 
  • Designing data access systems: this was the original purpose in 2003, but has only become significant in the last ten years or so, when the existence of a standard framework started to influence new designs; examples of this would be the development of new secure systems in Australia or the UK public health research organisations; the grandfather is the data lab at Statistics New Zealand, which was both the earliest adopter and the originator of the name ‘five safes’
  • Teaching, training and explaining: the Five Safes is a fairly simple concept and lends itself well to training users; it has become even more important in public engagement, which regularly shows the public understands and appreciates the portfolio approach; it has been used in teaching since 2004
  • Evaluation: when carrying out formal or informal evaluations of data access solutions, the five safes provides a ready-made structure allowing evaluators to consider the parts and the whole effectively; this has been the model followed by the DRAGoN evaluation team since 2016