The OSDI is a 15-month project commissioned by the Department of Digital, Culture, Media & Sport (DCMS) to improve the quality and availability of data for the Safety Tech sector, to support the development of technology that identifies and removes harmful and illegal content from the internet. One of our core principles is our commitment to data privacy and security, which is supported through our data security workstream.
The challenge and purpose of our data security workstream
We recognise that when working with sensitive online harms datasets, data security and privacy have to be paramount, to protect data owners, data processors and the public. To ensure data security is a central tenet of anything we develop, we set up a specific workstream to define the standards to which the rest of our project will be held.
Our approach to addressing data security concerns
We’re engaging with a range of experts on data security and privacy across government, the private sector and third sector. We aimed to consider data security holistically and early to build solid foundations and also explore emerging technologies that can enhance privacy.
The data security workstream assessed a range of data security frameworks and principles, privacy enhancing technologies, and legal and data governance considerations, and built some of these into our recommendations.
Reviewing Data Security Frameworks and Principles
Our initial work has involved reviewing and assessing best practice cybersecurity frameworks that can help provide principles for data security. The National Cyber Security Centre Cyber Assessment Framework provides important principles for managing security risk, protecting against cyber attacks, detecting cyber security events and minimising the impact of cyber security incidents.
We’ve also analysed the National Institute of Standards and Technology’s Cyber Security Framework. This helps to guide day-to-day data security work with repeatable, consistent, best practice processes.
Zero Trust implementation principles could also be practically applied to any project we develop later in this programme. These are an approach to security focused on ensuring that only people who are authorised to do so get access to network systems. As the specific technical solutions for this initiative get defined, we will refine the specific data security frameworks and principles needed.
Investigating the potential of Privacy Enhancing Technologies
We’re researching emerging Privacy Enhancing Technologies (PETs). These technologies have exciting potential as they help make it possible to derive insight from data while maximising data security and personal privacy.
PETs are currently being tested in the online harms space, including in academia by the Research Centre on Privacy, Harm Reduction and Adversarial Influence Online [UCL, 2020]. We’ll continue to explore whether we can use these technologies as part of this initiative.
Exploring data governance and legal considerations
To ensure that personal rights and freedoms are protected as safety tech innovators build technology to solve online harms challenges, we’re looking closely at the legal, privacy and ethical factors that will need to govern data access.
It’s also incredibly important to make sure that data processing during this initiative is lawful, fair and transparent. Compliance with legislation on data protection must be integrated into our approach, with the guidance of the Information Commissioner’s Office.
Conclusion and next steps
We started work on data security early to make sure it gets the proper attention it needs from the start and before any technology is built. The next steps are to continue our research and then refine an approach for the rest of the project.