Access to business data: Is the balance of risks right? Felix Ritchie John Deutsch Institute: Access to Business Data

The contention Access to confidential NSI data is poor because Incentives don’t encourage it Limited understanding of risk John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie

Incentives Benefits of use Risks of use Risks of non-use More information available to the public Risks of use Loss of confidentiality Risks of non-use Less information circulates Benefit to public Cost to NSI Cost to public Benefits of use also accrue to NSI – better info on stats, free consultancy etc. Important for internal politics but not for the wider aspect so ignore here Risks of use could also include bad policy making due ot poor understanding of data – ignore. Assumption is that more info is good and bad policy will be made with or without evidence Risks of non-use as missing evidence – higher chance of bad policy making (but not necessarily) John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie

Problems with risk assessment Worst-case scenarios Reliance upon theory, not experience Overstatements of impact Silo mentality Fear of the new Worst-case scenario example: IT specialist arguing that intruder would spend four years getting a stats degree as a way of getting access to my lab Theory not experience example: Discussion group email thread about the need to model the real world “Yes! How can we mathematically model these real world scenarios?” - Second example: lots of examples of academics doing stupid things; no evidence of malicious conduct Impact example: little impact from release of business data, although could be significant from personal data Silo mentality: our lovely IT friend creating increasingly complex remote job system, ignoring the possibility of training researchers/output checking Fear of the new example: abandoning the VML in favour of the Longitudinal Study, a system which let support officers log on visiting researchers using the SO’s own user name and password, giving them access to email, internet, interal ONS files etc John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie

Risk assessment: way forward? Focus on practical risks Focus on practical impacts Accept non-negligible risk Explicitly multi-dimensional model for risk management Risks: assume eg researchers are foolish and lazy but well-intentioned Impacts: will the world collapse if this data gets out? Accept risk example: not planning to do anything in the VML to stop researchers writing down form the screen Multi-dimensional model: use VML example John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie

Cost & benefits: ways forward? Open approach to risk management Buy-in by NSI clients Explicit acceptance of need to make value judgements about public good Risk management: NSI take user needs and own objectives much more into account; treat risk as a something to be managed, not a target to be achieved Buy-in: Other govt depts (eg) need to sahre NSI’s view on data release: share info about needs, no mudslinging Public good: NSI (with support) takes a stand on public benefit – of which confidentiality is only a part John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie

Summary: is the balance of risks right? No …probably What’s needed? NSI: more understanding of the real world Researchers: more understanding of NSI Joint acceptance of residual risk John Deutsch Institute: Access to Business Data May 2010 Felix Ritchie