Intro to public sector data
Learn more about what public sector data is and how it's used in research.
What is the Five Safes framework?
Discover what the Five Safes framework is and how it's used to keep data secure.
About the Five Safes framework
The Five Safes framework is a set of principles designed to ensure safe and secure access to data for researchers. Originally developed by the Office for National Statistics and other data providers in the 2010s, the framework enables data providers to deliver controlled access to data.
Trusted Research Environments (TREs) across the UK have adopted the Five Safes framework to guide their data security processes.
To find out more about Trusted Research Environments, read our explainer: What are Trusted Research Environments?
What are the Five Safes?
-
1
Safe People
Researchers accessing the data are trained and accredited.
Before accessing any sensitive data, researchers are subject to an application process and must be approved by the data provider. Requirements to access data may include being part of an approved academic institution or research organisation, undertaking training and signing a user agreement to protect confidential data at all times.
-
2
Safe Projects
Data must be used ethically, for research that delivers clear public benefit.
As part of their application, researchers are asked to provide an overview of their project, including how the data will be used and what outputs will be achieved. This allows data providers and privacy panels (who are responsible for approving data access requests) to make an informed decision about whether they are comfortable sharing sensitive data with the researcher and ensure that the data will be used for ethical purposes.
-
3
Safe Settings
The physical and digital settings used to access data are controlled and secured.
Physical settings for data access can include locations like SafePods – secured rooms that use controlled door access, CCTV and secure technology to ensure that sensitive data cannot be mishandled or removed from the safe setting. Researchers can analyse the data in these secure rooms, but do not have access to the internet, external devices (such as printers), or any other way of removing protected data from the space.
Digital safe settings provide secure access to data from a remote location. In order to be approved for remote data access, researchers will need to prove that their organisation meets physical and IT security standards.
-
4
Safe Data
Researchers can only access the data they require.
It’s important to ensure that the data itself is secure and that researchers cannot inadvertently learn sensitive personal information about data subjects during their analysis. Data providers will ensure that researchers are only able to access data that’s required in order to answer the project’s research questions.
One way to achieve this is the process of de-identification, in which identifiable information (such as names and addresses) are either removed or replaced with a random code – known as pseudonymisation. Find out more about de-identification.
-
5
Safe Outputs
All research outputs are checked to ensure individuals cannot be identified.
Before data is published, it is checked to make sure nobody can be identified. Data providers will apply confidentiality standards before aggregated data can be released from the Trusted Research Environment. By ensuring that any outputs from the TRE are aggregated, the data providers ensure that the data subjects cannot be identified, and the analysis can be published safely.
The Five Safes in action
This video by the UK Data Service explains how the Five Safes can be used in practice.
How do data providers implement the Five Safes?
The Five Safes are a useful set of guiding principles, but as long as they meet the relevant legal standards, it is up to each data provider to decide how they will keep the data they hold secure. Some datasets are more sensitive than others, and the Five Safes framework is designed to be applied to the different requirements of different data.
For example, open data is highly anonymised and usually aggregated, and has usually previously been published in other forms, meaning that the risk associated with sharing open data is low. Because open data strongly fulfils the ‘Safe Data’ principle, it can be shared freely on public platforms without increasing the risk. Less consideration is needed for the other principles, such as Safe People and Safe Projects, as these won’t impact open data’s security.
To learn more about open data, read our explainer: Intro to public sector data
In contrast, very sensitive data such as person-level health data is high risk and could have serious consequences if mishandled. It would therefore require a stronger emphasis on all of the Five Safes principles to ensure data security.
It is the legal responsibility of data providers and data users to ensure that data is secure at all times.
Discover more about data
What are Trusted Research Environments?
Learn about Trusted Research Environments and how they help researchers access data.
What is data de-identification?
One way of keeping data confidential is to remove personal information. Learn more about this process, known as de-identification.
Subscribe to our updates
To stay updated with Research Data Scotland, subscribe to our mailing list and follow us on X (Twitter) and LinkedIn.
