Executive Summary

Current privacy regulations struggle to balance protecting confidentiality with enabling data use for social benefits, lacking frameworks to govern evolving risks. Laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), while establishing baseline confidentiality protections, can be insufficiently flexible in balancing risks against potential social benefits of responsible data sharing. Originally developed decades ago under a compliance regime not focused on evolving privacy risks, these laws lacked farsighted conceptual frameworks to assess and calibrate controls that could achieve necessary thresholds of data safety while enabling responsible data sharing. The passage of the Foundations for Evidence-Based Policymaking Act (Evidence Act) introduced new authorities for secure data access and sharing for statistical activities, including a presumption of accessibility. To fully realize the promise of expanded data use under the Evidence Act, a conceptual privacy framework must find a way to account for the complex realities of the modern data ecosystem and evolving privacy challenges. The Five Safes model offers a framework for calibrated controls across people, projects, settings, data, and outputs to expand access for social benefits where appropriate through transparent decisions. Data-as-a-service (DaaS) systems can retain control while increasing access under oversight. Aligned policies can embed the Five Safes into auditable protocols, honoring baseline regulations and laws like HIPAA, while responsibly implementing the vision of the Evidence Act.

Author

Disclaimer 

This paper is a product of the Data Foundation. The findings and conclusions expressed by the authors do not necessarily reflect the views or opinions of the Data Foundation, its funders and sponsors, or its board of directors.

Copyright © 2024 Data Foundation. All rights reserved.