
Intro to public sector data
Learn more about what public sector data is and how it's used in research.
Discover what the Five Safes framework is and how it's used to keep data secure.
The Five Safes framework is a set of principles designed to ensure safe and secure access to data for researchers. Originally developed by the Office for National Statistics and other data providers in the 2010s, the framework helps data providers manage risks when giving access to data.
Trusted Research Environments (TREs) across the UK have adopted the Five Safes framework to guide their risk management processes.
To find out more about Trusted Research Environments, read our explainer: What are Trusted Research Environments?
The Five Safes framework helped shape the Digital Economy Act provisions for the use of data in research. The Digital Economy Act requires researchers, research projects, and access facilities to be accredited. It also requires data to be de-identified before use so that it is unlikely to identify an individual, resulting in research outputs that are safe in the public domain.
The access service provider may require the researcher to sign a statement that they know and understand the regulations of the TRE.
As part of their application, researchers are asked to provide an overview of their project, including how the data will be used and what outputs will be achieved. This allows data providers to make an informed decision about whether they are comfortable preparing data for the researcher to use for ethical purposes serving a public good.
These settings also prevent the deliberate disclosure of data to others.
Physical settings for data access can include locations like SafePods – secured rooms that use controlled door access, CCTV and secure technology to ensure that sensitive data cannot be mishandled or removed from the safe setting. Researchers can analyse the data in these secure rooms, but do not have access to the internet, external devices (such as printers), or any other way of removing protected data from the space.
Digital safe settings provide secure access to data from a remote location. To be approved for remote data access, researchers will need to prove that their organisation meets physical and IT security standards.
In compliance with the Digital Economy Act, data is effectively anonymised within TRE environments.
This means any sensitive information that might lead to an individual being identified, such as names and addresses, is either removed or replaced with a random code. Researchers are not processing personal data when using data prepared in this way and when the other Safes are in place. Find out more about de-identification.
This means the other four Safes no longer apply.
Before outputs are released from the TRE, they are checked to make sure it is reasonably unlikely that any individuals can be identified on publication. Compliance with the Digital Economy Act also requires that the TRE applies methods and standards for output checking that are accredited by the UK Statistics Authority.
Learn more about the Five Safes framework in this short video, supported by funding from Health Data Research UK (HDR UK) and the Medical Research Council (MRC):
Click here to watch this video with British Sign Language (BSL) interpretation.
The Five Safes are a useful set of guiding principles, and it is up to each data provider to decide how they will keep the data they hold secure. Data providers may comply with the Digital Economy Act and seek the independent accreditation of the Five Safes arrangements they implement. Accreditation under the Digital Economy Act provides assurance that there has been independent examination of the Five Safe standards of a TRE.
It is important to appreciate that the Five Safes Framework is designed to ensure governance of research use of data is done proportionately. As long as a minimum standard is reached, a TRE should not impose excessive constraints by balancing the five risk management measures.
For example, open data, such as published Official Statistics, is designed to be safe even in the public domain, with no risk of individuals being identified. As this fulfills the Safe Data principle, there is no additional requirement for safe project, safe place, or safe person settings. Similarly, a TRE with high organisational and technical data management controls may allow a researcher to prepare their own datasets from detailed records held within the walls of the TRE if they do so within the Five Safes Framework.
To learn more about open data, read our explainer: Intro to public sector data
In contrast, very sensitive data such as person-level health data is high risk and could have serious consequences if mishandled. It would therefore require a stronger emphasis on each of the Five Safes principles to ensure data security.
It is the legal responsibility of data providers and data users to ensure that data is secure at all times.
Learn more about what public sector data is and how it's used in research.
Learn about Trusted Research Environments (TREs) and how they help researchers access data.
One way of keeping data confidential is to remove personal information. Learn more about this process, known as de-identification.
To stay updated with Research Data Scotland, subscribe to our monthly newsletter and follow us on X (Twitter) and LinkedIn.