Not fit for Purpose: A critical analysis of the 'Five Safes'
This is an incremental critique of a policy framework affecting government data sharing practices in Australia, New Zealand, and the UK.
The paper critically analyzes the 'Five Safes' framework used for managing data sharing risks, arguing it is fundamentally flawed due to disconnection from legal protections and static risk assessment, resulting in low confidence in safety and public interest alignment.
Adopted by government agencies in Australia, New Zealand and the UK as policy instrument or as embodied into legislation, the 'Five Safes' framework aims to manage risks of releasing data derived from personal information. Despite its popularity, the Five Safes has undergone little legal or technical critical analysis. We argue that the Fives Safes is fundamentally flawed: from being disconnected from existing legal protections and appropriation of notions of safety without providing any means to prefer strong technical measures, to viewing disclosure risk as static through time and not requiring repeat assessment. The Five Safes provides little confidence that resulting data sharing is performed using 'safety' best practice or for purposes in service of public interest.