

Risk Assessment Process


[Figure: flow chart showing the process and responsibilities of risk mitigation. A full text description follows.]

Pre-mitigation risk assessment

The first stage of the process involves the data custodian undertaking consultation with stakeholders. Key stakeholders are data custodians, integrating authority and data users. A data custodian compiles the pre-mitigation risk assessment. This assessment follows the assessment guidelines set out in Appendix A of this paper. In compiling this assessment, the data custodian needs to consider whether the information in Appendix A is relevant to the context of the particular project. For example, a project that is working with data that are culturally sensitive may need to consider the cultural impact of the research.

Mitigation strategies

Mitigation strategies lower the risk of a data breach. To analyse mitigation strategies, their impact on the overall risk of a project is assessed over the duration of the project. The data custodian leads this work, although other key stakeholders may play an active role in this process. The positive and negative effects of any mitigation strategies need to be assessed. For example, using expert contractors to undertake the integration decreases the technical complexity risk, yet it increases the managerial complexity of the project. As the aim of the Guidelines is to enable the research while managing risks, there should be a focus on what satisfies data custodians that data will be managed appropriately.

Post-mitigation risk assessment

Once it has been decided which mitigation strategies will be used, a post-mitigation assessment is compiled by the data custodian. This justifies the mitigation strategies and explains how they lower the risk of a breach. The risk assessments are then submitted to the Oversight Board as part of the project registration process. The post-mitigation risk assessment may need review as the project progresses. Risk assessments are an ongoing responsibility for the data custodians and integrating authority. If the project’s risk changes significantly during the life of the project, then the risk assessment will need to be updated by the integrating authority in consultation with the data custodians and data users.

Integrating decision

The risk assessment process establishes whether an accredited integrating authority is required. If a project remains ‘high’ risk after mitigation strategies have been applied, then an accredited integrating authority is required. Where appropriate, the data custodian may assist the integrating authority in applying the best practice for integration (Endnote 1).

Next steps

The next steps for the project involve data custodians making a final decision to proceed with the project, based on public benefit and acceptance considerations, the risk assessment and the ability to mitigate that risk. If the data custodians approve the project, they will appoint an integrating authority, which may also be one of the data custodians, who will be responsible for the ongoing risk management of the project. The integrating authority, in consultation with the data custodians and data users, will finalise the details of the project and prepare agreements to formalise relationships between the parties involved in the integration project where required.

Oversight Board review

Registration of a data integration project occurs after the project is approved by the data custodians and agreements are signed. The risk assessment for an integration project must be submitted to the Oversight Board when the project is registered.

The Oversight Board has ten working days to raise any concerns about or suggest improvements to the project with data custodians and the integrating authority. This step is not a roadblock to a project and the project may proceed immediately. The Oversight Board will work with data custodians and integrating authorities to resolve any issues relating to unacceptably high systemic risks or inadequate risk mitigation. The Oversight Board may delegate this role to another body. If the issues cannot be resolved or managed to the satisfaction of the Oversight Board, then the Chair of the Oversight Board will engage in direct discussion and negotiation with the agency head of each data custodian that is party to the project to resolve the matter. Where there is a conflict of interest for the Chair of the Oversight Board to engage in direct discussion with the head of each agency concerned, the matter will be referred to another member of the Oversight Board and, where resolution cannot be achieved, to the Secretaries Board.

The Oversight Board may also change the risk assessment process in future, in consultation with stakeholders, if it finds that the process does not accurately assess the true risk of projects.