Data security and controlling access
Managing research data well workshop London, 30 June 2009
Manchester, 1 July 2009
Data security
Protection of data from unauthorised access, use, change, disclosure and destruction
• physical security
• security within the data
  – editing/redacting the data
  – ensuring security by controlling access
Physical security
• appropriate access to buildings/rooms/computer systems where data held
• strengthen IT-specific security to reduce danger of breach – firewalls, security testing, regular anti-virus checks
• control access to restricted materials with encryption and/or password protection
• secure data transfer between centres/to UKDA
Encryption
• consider data encryption to maintain security during transmission
• now a requirement for deposit of Government data
• ONS use self-extracting encryption software Safeguard PrivateCrypto – advanced security algorithms (AES128 and AES256)
• Pretty Good Privacy (PGP) – open source (GnuPG), or commercial versions
  – create Private Key and passphrase, download and install UKDA Public Key so that only UKDA can decrypt file
Security within data
During the research project/prior to deposit at the UKDA:
• gain informed consent from respondents – protect them but do not preclude sharing
  – see Managing and Sharing document and web pages, contact UKDA for advice
• anonymisation: reduce risk of disclosure of respondent’s identity
  – remove/redact direct identifiers, or hold them separately
• consider indirect identifiers – possible disclosure in combination with other information, including public files
  – quantitative data: occupation, geography, unique or exceptional values (outliers) or characteristics
  – qualitative data: pseudonymisation, information in text
• document any changes made
• consider access restrictions rather than over-edit data
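Added example (not part of the original slides): one way to apply the steps above to a quantitative file, holding direct identifiers separately, top-coding an outlier, documenting the change, and flagging records still unique on their indirect identifiers. The field names, the income cap and the simple count-below-2 uniqueness check are assumptions chosen for illustration, and the records are constructed.

```python
from collections import Counter

# Constructed sample records (not real data); all field names are assumptions.
RECORDS = [
    {"name": "A. Smith", "postcode": "ZZ1 1AA", "occupation": "teacher", "region": "North West", "income": 28000},
    {"name": "B. Jones", "postcode": "ZZ1 2BB", "occupation": "teacher", "region": "North West", "income": 31000},
    {"name": "C. Patel", "postcode": "ZZ2 3CC", "occupation": "nurse", "region": "London", "income": 30000},
    {"name": "D. Evans", "postcode": "ZZ2 4DD", "occupation": "nurse", "region": "London", "income": 29000},
    {"name": "E. Brown", "postcode": "ZZ3 5EE", "occupation": "lighthouse keeper", "region": "North West", "income": 450000},
]
DIRECT = ("name", "postcode")        # assumed direct identifiers
INDIRECT = ("occupation", "region")  # assumed indirect identifiers
INCOME_CAP = 100000                  # assumed top-code threshold for outliers


def split_identifiers(records):
    """Return (research_rows, key_rows); direct identifiers go to a separately held key file."""
    research, key = [], []
    for case_id, rec in enumerate(records, start=1):
        key.append({"case_id": case_id, **{f: rec[f] for f in DIRECT}})
        row = {f: v for f, v in rec.items() if f not in DIRECT}
        row["case_id"] = case_id  # arbitrary link, meaningful only with the key file
        research.append(row)
    return research, key


def top_code(rows, field, cap):
    """Replace exceptional values above cap with the cap; return the changed case ids."""
    changed = []
    for row in rows:
        if row[field] > cap:
            row[field] = cap
            changed.append(row["case_id"])
    return changed


def risky_cases(rows, fields, k=2):
    """Case ids whose combination of indirect identifiers occurs fewer than k times."""
    counts = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r["case_id"] for r in rows if counts[tuple(r[f] for f in fields)] < k]


if __name__ == "__main__":
    research, key = split_identifiers(RECORDS)
    change_log = {"top_coded_income": top_code(research, "income", INCOME_CAP)}
    print("documented changes:", change_log)
    print("still unique on indirect identifiers:", risky_cases(research, INDIRECT))
```

Case 5 remains flagged after top-coding because its occupation and region combination is unique, which is the situation where access restriction may serve better than further editing.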
Government data
• Statistics and Registration Services Act 2007
• Special Licence data/Approved Researcher
• ONS have Microdata Release Panel to advise
• UKDA helping to facilitate this advice for other UK Government departments
• smaller-scale researchers may not have support or experience, UKDA can advise
Confidentiality vs. research usability
• aim for reasonable/appropriate level of anonymity
• maintain maximum meaningful information to enable worthwhile research
• End User Licence - users agree to maintain confidentiality and not to try to identify respondents
• combination of effective anonymisation and access restriction
Useful references
• UKDA information:
  http://www.data-archive.ac.uk/sharing/consentinform.asp
  http://www.data-archive.ac.uk/sharing/anonymise.asp
  http://www.data-archive.ac.uk/sharing/security.asp
  http://www.data-archive.ac.uk/sharing/encrypted.asp
• ISO 27002 – user-friendly guidelines to ISO 27001, Information Security standard
• Grinyer, A. (2002) The Anonymity of Research Participants: Assumptions, Ethics and Practicalities, Social Research Update, 36, University of Surrey. http://sru.soc.surrey.ac.uk/SRU36.html
• Clark, A. (2006) Anonymising Research Data, NCRM Working Paper Series 7/06, ESRC National Centre for Research Methods. http://www.ncrm.ac.uk/research/outputs/publications/WorkingPapers/2006/0706_anonymising_research_data.pdf
Examples
• UKDA works with depositor to maximise data sharing
• quantitative data:
  – APS and LFS - Special Licence and End User Licence versions
  – BHPS – subsets of geographical variables available via conditional access alongside main survey
  – SN 5827 Rape in the 21st Century: Old Patterns, New Behaviours and Emerging Trends, 2000-2002:
    • some removal of variables, rounding of dates, combined with permission-only access
• qualitative data:
  – SN 5407 Health and Social Consequences of the Foot and Mouth Disease Epidemic in North Cumbria, 2001-2003
    • anonymisation, pseudonyms, conditional access to particular set of interviews and diaries, embargo for another set