Project discussion: Would a systematic approach to data risk classification be helpful?#

Chair: Will Crocombe (RISG Consulting)

Prompts#

  • Risk - how much and what sort? Personal/sensitive, commercial, political, IP…

  • Why classify risk and how might it help?

  • What type and level of controls might be practicable and proportionate?

Notes#

  • Could there be a common language around risk?

  • Classify based on the ease of identifiability, plus ‘payload’ - what would we know about them?

  • Proportionate controls - Tiered. Gatekeepers and access points (where). E.g.

    • 0 - public

    • 1 - anonymised

    • 2 - strong pseudo

    • 3 - weak pseudo

    • 4 - public

  • Dropping down tiers, things become easier. Turing paper on this - Sheffield used this as the basis of their system for assessing risk.

  • Alan Turing Institute paper

  • Importance of agreed risk classification with federation, and agreement on risk appetite

  • NIST RMF

  • NCSC

  • Harvard DataTags

  • UK Data Service data types

  • Doing this work at King’s similar classification to Turin paper

  • Dundee operate on a blanket tier

  • My question was going to be around risk classification, based on my understanding of Goldacre, pseudonymisation should not be relied on. I agree researchers should only be presented data required for their project, but the risk of de-anonymisation particularly when combining datasets means this should be treated cautiously at best.

  • Automation - reduces risk of error

  • Scottish Open Data

  • HIC RDMP