The Five SAFEs model is an internationally recognized framework for evaluating access to privacy-sensitive data. The basic premise of the model is that data access requests are evaluated against a set of five ‘risk’ (or access) dimensions:
- SAFE Projects – Is this use of the data appropriate?
- SAFE People – Can the Researchers be trusted to use the data in an appropriate manner?
- SAFE Data – Is there a disclosure risk in the data itself?
- SAFE Settings – Does the access facility limit unauthorised use of the data?
- SAFE Outputs – Are the statistical results non-disclosive?
All data access requests MUST meet the data provider’s requirements for ALL of the FIVE Safes elements in order to be approved.
Access to data for research purposes under the Freedom of Information and Protection of Privacy Act is approved by the Data Steward of the Public Body responsible for the data. Each application is assessed on its own merits.
A data access request must:
- Be for the time-limited purpose of addressing a specific set of research questions
- Not involve use of data for administrative or any other non-research purpose, or for ongoing programs of research, unless specifically approved
- Be in the public interest, for example, improves the welfare of the population
- Not be proprietary research, such as research done for commercial marketing purposes
- Have scientific merit
- Have approval from a recognized Research Ethics Board, as defined by the Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans
Scientific merit is met if the research is funded by a recognized granting agency, such as the Social Sciences and Humanities Research Council of Canada, the Canadian Institutes of Health Research, or the Natural Sciences and Engineering Research Council of Canada. In the case of graduate students, a letter from the supervisor supporting the research must be provided and serves as proof of scientific merit. In the absence of peer-reviewed funding, the relevant Data Steward(s) may, at their discretion, request a one-off peer review to determine eligibility.
It should be noted that the above requirements are necessary for review, but may not be sufficient, in and of themselves, for approval by the Data Steward of the Public Body. Additional requirements may arise that are project specific.
Only authorised Researchers are eligible to submit a data access request. A Researcher is defined as:
- Either a student, teacher, or other individual enrolled, appointed or employed by any of the following:
  - A university, where the university status is defined under the BC University Act
  - A college, university college or provincial institute as defined under the Colleges and Institute Act R.S.B.C. 1996, c. 52
  - The Open Learning Agency as continued under the Open Learning Agency Act R.S.B.C. 1996, c. 34
  - Royal Roads University continued under the Royal Roads University Act R.S.B.C. 1996, c. 409
  - Another equivalent educational institution in another jurisdiction outside BC but within Canada
- Any other individual agreed to by the relevant Data Steward of the Public Body
In addition, only authorised Research Team Members are permitted to access the data. Authorised Researchers must:
- Sign an Oath of Confidentiality
- Sign user agreements stipulating the terms and conditions of their data access and use
- Take privacy training and pass an exam
Linkage at Population Data BC (PopData) is done following strict guidelines and within a high-security environment. As personally identifying information, such as names, dates of birth, Personal Health Numbers (PHNs) or Personal Education Numbers (PENs) may be used in linkages, a number of precautions are taken to maximize security and privacy.
- Identifying information (identifiers) which are used only for linkage is removed from the content data at the earliest possible time.
- Identifier information is securely stored separately from the content information.
- All information is stored in the “Red Zone” – a highly-secure space accessible only to PopData personnel.
- Programmers work on “Red Zone” terminals which have no direct connection to the outside world. The Red Zone is separated and secured by both physical and electronic measures.
- Identifier information is handled by trained programmers, who have successfully completed privacy and information security training, and who have signed confidentiality agreements.
- When content data is released to Researchers for approved research projects, the PopData ID is replaced with a Study ID – a person specific number unique to each Research Extract. In this way, records for one research project cannot be linked to records for the same individual from another research project.
For more detail on PopData’s linkage processes, visit the Data linkage section of our website.
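The separation and Study ID steps above, worked through as an added illustration (this is not PopData's own code, and the page does not say how PopData derives Study IDs; the keyed HMAC used here, the record layout and the sample values are all assumptions made for the example). It shows why an identifier store kept apart from content, plus a per-extract Study ID, means two Research Extracts for the same people cannot be joined to each other even though each extract stays internally linkable:

```python
import hashlib
import hmac
import secrets

# Constructed sample of records as they might sit right after linkage, with
# identifiers and content side by side. Field names and values are invented
# for illustration and are not real PopData fields or data.
LINKED_RECORDS = [
    {"popdata_id": 1001, "name": "A. Example", "dob": "1970-01-01",
     "phn": "9000000001", "diagnosis": "J45", "year": 2019},
    {"popdata_id": 1001, "name": "A. Example", "dob": "1970-01-01",
     "phn": "9000000001", "diagnosis": "I10", "year": 2020},
    {"popdata_id": 1002, "name": "B. Example", "dob": "1985-06-15",
     "phn": "9000000002", "diagnosis": "E11", "year": 2020},
]

# Fields used only for linkage; they must not travel with the content data.
IDENTIFIER_FIELDS = ("name", "dob", "phn")


def separate_identifiers(records):
    """Split linked records into an identifier store (keyed by the internal
    PopData ID and stored apart from content) and content records that carry
    the PopData ID and nothing else that identifies the person."""
    identifiers = {}
    content = []
    for rec in records:
        pid = rec["popdata_id"]
        identifiers[pid] = {f: rec[f] for f in IDENTIFIER_FIELDS}
        content.append({k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS})
    return identifiers, content


def new_study_key():
    """One secret key per Research Extract; it stays with the linkage team."""
    return secrets.token_bytes(32)


def study_id(popdata_id, study_key):
    """Derive a Study ID as an HMAC of the PopData ID under the study's key.
    Assumption: the page does not describe PopData's method; a keyed MAC is
    one way to get an ID that is stable within a study, cannot be reversed
    to the PopData ID, and cannot be reproduced for another study."""
    mac = hmac.new(study_key, str(popdata_id).encode(), hashlib.sha256).hexdigest()
    return "S" + mac[:16]


def build_extract(content_records, study_key):
    """Replace the PopData ID with the Study ID in every content record."""
    extract = []
    for rec in content_records:
        out = dict(rec)
        out["study_id"] = study_id(out.pop("popdata_id"), study_key)
        extract.append(out)
    return extract


def shared_study_ids(extract_a, extract_b):
    """Number of Study IDs present in both extracts, i.e. records that could
    be joined across two projects on the Study ID alone. Expected to be 0."""
    return len({r["study_id"] for r in extract_a} & {r["study_id"] for r in extract_b})


if __name__ == "__main__":
    ids, content = separate_identifiers(LINKED_RECORDS)
    extract_1 = build_extract(content, new_study_key())
    extract_2 = build_extract(content, new_study_key())
    print("identifier store keys:", sorted(ids))
    print("extract 1:", extract_1)
    print("Study IDs shared between the two extracts:",
          shared_study_ids(extract_1, extract_2))
```

The point of keying the pseudonym per extract rather than hashing the PopData ID alone is that an unkeyed hash is the same in every extract, which is exactly the cross-project linkage the Study ID is meant to prevent.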
PopData provides a Secure Research Environment (SRE) for Researchers to analyse the data. The SRE provides a central location for access to and processing of research data, secure storage and backup of data extracts and free software for data analysis.
The SRE is a secure private cloud accessible only via an encrypted Virtual Private Network (VPN) through a firewall and use of a YubiKey® for two-factor authentication. Research Extracts are housed on the SRE unless otherwise authorised.
Only named Researchers, who have successfully passed a privacy exam, are permitted to access the SRE.
While Researchers are not permitted to download Research Extracts on the SRE to any local drive, downloading research outputs, scripts etc. from the SRE (e.g. for the purpose of incorporation into a paper for publication) is allowed.
In order to balance ease of use, protection and accountability, PopData has developed a system which facilitates and monitors transfers into and out of the SRE. The system keeps an audit trail of every transfer, and the explicit action it requires of the Researcher minimizes accidental releases of data. PopData reviews the log information regularly, and upon request by the applicable Data Steward(s), to ensure conformity with the Research Agreement(s). For more detail on PopData’s SRE, visit the SRE section of our website.
In signing a Research Agreement with a public body for access to data, Researchers commit to sending Research Outputs (or "pre-publication materials") to the public body in advance of public dissemination. Data Stewards, as those responsible for ensuring appropriate uses of the public body’s data, check that:
- Privacy/confidentiality requirements are upheld, including minimum cell sizes, and there is no inadvertent or unapproved identification of specific individuals, populations or communities.
- There is no gross misuse of the data.
- There is a clear connection to the Project and alignment with the stated and approved purpose.
- The data is appropriately referenced and a disclaimer is included. This also provides an opportunity for Data Stewards to learn of, and brief internally on, the research findings.
For more details, visit the Publishing Research Materials section of our website.
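The minimum cell size check described above, worked through as an added example (not PopData's or any Data Steward's own tooling; the threshold of 5, the table layout and the counts are constructed for illustration, and the page does not state what minimum a given provider requires). It shows the part Researchers most often miss: suppressing a small cell is not enough when row and column totals are also published, because the hidden value can be recovered by subtraction, so a complementary cell has to be suppressed too, and a line whose only other cells are zero cannot be protected that way at all:

```python
from collections import defaultdict

# Placeholder threshold; the page requires minimum cell sizes but does not
# state a value, so the applicable Data Steward's own rule applies.
MIN_CELL = 5

# Constructed sample output table: counts of an outcome by region, as a
# Researcher might want to publish. Keys are (row, column); values are counts.
SAMPLE_TABLE = {
    ("North", "Yes"): 12, ("North", "No"): 3,
    ("South", "Yes"): 40, ("South", "No"): 7,
    ("Island", "Yes"): 2, ("Island", "No"): 1,
}


def _lines(table, axis):
    """Group cell keys by row label (axis 0) or column label (axis 1)."""
    lines = defaultdict(list)
    for key in table:
        lines[key[axis]].append(key)
    return lines


def primary_suppression(table, min_cell=MIN_CELL):
    """Cells with a count below the threshold (but above zero) must not be
    published. Zero counts are kept: they describe nobody."""
    return {key for key, n in table.items() if 0 < n < min_cell}


def secondary_suppression(table, primary, min_cell=MIN_CELL):
    """Complementary suppression. If row and column totals are published and
    a line has exactly one suppressed cell, that cell is recoverable by
    subtraction, so the smallest remaining non-zero cell in the line is
    suppressed as well, repeating until nothing changes. Returns the full set
    of suppressed cells and the (axis, label) lines that remain unprotected
    because no non-zero cell was left to hide; their margins must be withheld."""
    suppressed = set(primary)
    changed = True
    while changed:
        changed = False
        for axis in (0, 1):
            for line in _lines(table, axis).values():
                hidden = [k for k in line if k in suppressed]
                if len(hidden) != 1:
                    continue
                candidates = [k for k in line if k not in suppressed and table[k] > 0]
                if candidates:
                    suppressed.add(min(candidates, key=lambda k: table[k]))
                    changed = True
    unprotected = set()
    for axis in (0, 1):
        for label, line in _lines(table, axis).items():
            if sum(1 for k in line if k in suppressed) == 1:
                unprotected.add((axis, label))
    return suppressed, unprotected


def release(table, min_cell=MIN_CELL):
    """Table ready for release, with suppressed cells replaced by '<min_cell',
    plus the set of (axis, label) margins that must not be published."""
    primary = primary_suppression(table, min_cell)
    suppressed, unprotected = secondary_suppression(table, primary, min_cell)
    released = {k: (f"<{min_cell}" if k in suppressed else n) for k, n in table.items()}
    return released, unprotected


if __name__ == "__main__":
    released, unprotected = release(SAMPLE_TABLE)
    for key, value in released.items():
        print(key, value)
    print("margins to withhold:", unprotected)
```

On the sample table the three small cells are hidden, and the North "Yes" cell (12) is hidden with them because the North row total would otherwise give away the North "No" count; both South cells are published unchanged. The test also runs a table where the only companion cell in a row is zero, which is the case where suppression alone cannot help and the margin itself has to be withheld.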
If you would like to know more about the Five SAFEs framework, see: Five Safes: designing data access for research by Tanvi Desai, Felix Ritchie and Richard Welpton