Security philosophy

During the development phase for the pilot service, SDS staff spoke with a number of secure data enclaves around the world to find out how and why security breaches occur. It became clear that the weakest link is not the technology, nor the data handling and procedural issues (UK Data Archive is conformant to ISO 27001 for information security and is an official Place of Deposit under the Public Records Act). Rather, the potential for a security breach lies, as always, in human beings.

In talking to our sister services, it became clear that the tabloid image of intentional, malicious theft and disclosure of personal data by some kind of master techno-criminal is simply not a real-life issue in the experience of secure data enclaves.

Real-life breaches have essentially been of two kinds: one stems from ignorance of proper statistical disclosure control and data handling, and the other stems from a user's desire to escape the limitations of restricted onsite access for convenience's sake.

The SDS philosophy is to attack these two weaknesses directly: the first by requiring SDS users to undergo explicit training on data security, data handling, statistical disclosure control and the use, where appropriate, of disclosure assessment tools before they can gain access to the system; and the second by creating a positive, comfortable 'home away from home' analytical environment that users can access at their convenience from their institution, if not their desktop, so that they will have no motivation to smuggle data out for use at home.

We maintain that providing remote secure access, far from being riskier than onsite data enclaves, actually increases service security, by removing the most common motivation for breaches.

And these considerable carrots are backed up with sizeable sticks: the ESRC has implemented a breaches policy which includes penalties of up to five years' sanction against individuals and their institutions from receiving ESRC research funding, as well as potential criminal proceedings should the user be in breach of the Statistics and Registration Services Act 2007 (SRSA allows for up to two years' custodial sentence and a £1500 fine for disclosure of personal data).

The key to strengthening this weakest link is to get the users to buy into security as their own project - by ensuring they have the knowledge and tools, by making it easy and convenient, and by making sure they understand the significant and substantial penalties for security breaches. All of this is underpinned by a licensing arrangement which establishes the individuals as 'fit and proper' persons (ONS Approved Researchers or ESRC Accredited Researchers), and their intended research uses as appropriate for the data they wish to access, and outlines the users' responsibilities in law.