Data Risk Assessment Tool (DRAT) for industry-academic collaborations

Joanna Sikorska
University of Western Australia

Sam Bradley
Commonwealth Scientific and Industrial Research Organisation (CSIRO)

Ryan Fraser
Commonwealth Scientific and Industrial Research Organisation (CSIRO)

Melinda Hodkiewicz
University of Western Australia


 
Abstract
The Data Risk Assessment Tool (DRAT) assists data owners to determine the risk posed by providing datasets to research institutions for the purposes of improving hardware, software and processes pertaining to engineering system health and asset management and establish appropriate controls.

For research in the fields of engineering asset management and system health, relevant data resides in the corporate systems of asset owners, typically corporations or government bodies. The process for obtaining a required dataset from these asset owners can be challenging, even when undertaking approved industry-academic projects. Not only do the approval processes differ between organisations, but employees from the same organisation may have vastly different attitudes towards provisioning data. Even when data is provided to the researcher, unilateral restrictions on subsequent publication of results and/or data are often imposed, irrespective of the type of data that was used. In the past, these issues have delayed research commencement, limited the pool of academics willing to work on these projects and degraded research outcomes. Yet in reality, for many asset management research projects, the risk associated with the requested dataset can be adequately managed. Therefore, a more consistent approach is required to help employees of asset owning organisations determine what data can be released to researchers. This process needs to assess the source of the risk and how these risks can be managed to an acceptably low level so that results can be published and/or data sets released. Risk controls are based on the Five Safes framework. The resulting process map ensures that (a) restrictions and controls are based on the actual risk posed by a dataset (rather than a one size fits all approach) (b) the data owner’s needs for confidentiality are appropriately managed and (c) the potential for research value is maximized. The map has been instantiated in a web-based tool to enable ease of access to, and use of, the process. The tool is freely available online and the code available on GitHub.

We describe the issues considered when developing the DRAT tool, present the DRAT process and associated exemplar management controls that data owners and researchers could implement based on each level of potential risk. The process has been tested on a number of actual research projects that used data provided by industry and these examples are included in this paper. The control measures proposed are coherent the measures adopted to both the work and the dissemination of the final results.
The DRAT tool has been adopted by industry and academic partners of an Australian government funded industrial research training centre. Finally, the tool could be applied more generally for projects that require confidential information as opposed to ‘data’ and adapted for industry to assess what information to be provided for technical discussions under confidentiality agreements, or contract research.