Not fit for Purpose: A critical analysis of the 'Five Safes'
Chris Culnane, Benjamin I. P. Rubinstein, David Watts
TL;DR
This paper critically examines the 'Five Safes' framework used in data sharing policies, highlighting its legal, technical, and practical flaws that undermine its effectiveness in protecting personal data.
Contribution
It provides the first comprehensive legal and technical critique of the 'Five Safes' framework, revealing fundamental shortcomings and proposing the need for improved data safety measures.
Findings
The 'Five Safes' is disconnected from legal protections.
It assumes static disclosure risks over time.
The framework lacks mechanisms for repeat risk assessment.
Abstract
Adopted by government agencies in Australia, New Zealand and the UK as policy instrument or as embodied into legislation, the 'Five Safes' framework aims to manage risks of releasing data derived from personal information. Despite its popularity, the Five Safes has undergone little legal or technical critical analysis. We argue that the Fives Safes is fundamentally flawed: from being disconnected from existing legal protections and appropriation of notions of safety without providing any means to prefer strong technical measures, to viewing disclosure risk as static through time and not requiring repeat assessment. The Five Safes provides little confidence that resulting data sharing is performed using 'safety' best practice or for purposes in service of public interest.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsPrivacy, Security, and Data Protection · Regulation and Compliance Studies · Healthcare innovation and challenges