Tag: five safes nhs

  • Five Safes Framework: FAIR Access vs Privacy

    The Five Safes framework is a governance model — Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs — that lets trusted research environments grant researchers FAIR access to sensitive data while keeping disclosure risk under continuous, auditable control. Rather than treating openness and privacy as opposing goals, it turns each into a checkable dimension, so a dataset can be findable and reusable in principle while remaining tightly access-controlled in practice.

    The five safes framework is a risk-management taxonomy, originated by the UK’s Office for National Statistics (ONS) and formalised in the 2010s, that decomposes data-access decisions into five independent dimensions of risk rather than a single accept/reject gate. It is the governance logic underneath most UK trusted research environments (TREs), including the UK Data Service SecureLab, ONS’s Secure Research Service, Research Data Scotland, and the network of TREs coordinated by Health Data Research UK (HDR UK).

    What is the Five Safes framework?

    The Five Safes framework was set out formally by ONS statisticians Felix Ritchie and Tanvi Desai, whose 2016 working paper “Five Safes: designing data access for research” is the primary methodological source most secondary explainers omit. It reframes data access as five separable risk dimensions rather than a binary “share or withhold” decision.

    Each dimension is assessed independently, then combined. A weakness in one — for example, less rigorously screened outputs — can be offset by tightening another, such as restricting the setting to an air-gapped enclave. This modularity is what allows the same underlying dataset to support both a low-risk aggregate release and a high-risk record-level research project, governed by different combinations of the same five controls.

    The five dimensions explained

    Each “safe” answers a distinct governance question. Together they form the checklist that a trusted research environment applies before, during and after a project.

    Dimension Core question Typical TRE control
    Safe People Is the researcher trustworthy and trained? Accreditation, Safe Researcher Training, signed data-access agreements
    Safe Projects Is the proposed use ethical, lawful and in the public interest? Independent approvals panel, ethics review, public-benefit test
    Safe Settings Is the technical environment controlled? Air-gapped enclave, no local downloads, logged sessions
    Safe Data Has disclosure risk in the dataset itself been reduced? De-identification, pseudonymisation, statistical perturbation
    Safe Outputs Could anything leaving the environment re-identify someone? Manual/automated output-checking against small-cell disclosure rules

    No single safe carries the whole burden. Under the Five Safes model, a dataset that cannot be fully anonymised can still be used safely if the setting, people and outputs are controlled tightly enough to compensate — the logic that underwrites most modern TRE design.

    Five Safes in NHS secure data environments

    The 2022 Goldacre Review, Better, Broader, Safer: Using Health Data for Research and Analysis, recommended that NHS data for research move away from dissemination of pseudonymised extracts and into Five Safes-governed trusted research environments by default. NHS England’s subsequent secure data environment (SDE) policy, published as part of the Data Saves Lives strategy, requires that access to NHS health and care data for research and planning purposes take place inside approved SDEs rather than through bulk data transfers.

    This is Five Safes applied at national scale: Safe Settings replaces the old model of emailing or shipping extracts; Safe People and Safe Projects are enforced through SDE accreditation and project approval panels; Safe Outputs is enforced through statistical disclosure control before any result leaves the environment. HDR UK’s federated TRE network and NHS England’s regional sub-national secure data environments both operate on this same five-dimension logic.

    Reconciling FAIR access with disclosure control

    The FAIR principles — Findable, Accessible, Interoperable, Reusable — were published by Wilkinson et al. in Scientific Data (2016) to improve the value of research data for both humans and machines. FAIR’s “Accessible” criterion is frequently misread as “open”; the original principles explicitly state that access can require authentication and authorisation, provided the conditions are clearly documented.

    The Five Safes framework is the mechanism that satisfies that condition for sensitive data. It does not compete with FAIR — it operationalises the “A” in FAIR for data too sensitive to release openly.

    FAIR principle Five Safes dimension that operationalises it Practical mechanism
    Findable Safe Data (metadata layer) Catalogued metadata is public even when the underlying data is not
    Accessible Safe People + Safe Projects Documented accreditation and approval routes, not open download
    Interoperable Safe Settings Standardised formats and tooling inside the controlled enclave
    Reusable Safe Outputs Disclosure-checked results and code released for onward reuse

    Under GDPR Article 89, processing special-category data for research purposes is permitted subject to appropriate safeguards. In UK practice, a Five Safes-governed trusted research environment is the safeguard: it lets institutions claim the research exemption while still meeting data-protection obligations, which is why TREs — not open repositories — are now the default access route for identifiable or quasi-identifiable datasets.

    Assessing maturity: from principles to governance

    Because the five dimensions are qualitative by design, data custodians need a way to compare TREs consistently. Administrative Data Research UK (ADR UK) has developed a Five Safes maturity model that scores environments against each dimension, moving the framework from a descriptive checklist to an auditable governance standard. Many TREs also pursue ISO/IEC 27001 information-security certification to provide independent evidence for the Safe Settings dimension specifically.

    • ONS Secure Research Service — the original Five Safes implementation
    • UK Data Service SecureLab — Five Safes applied to social science and economic microdata
    • Research Data Scotland — devolved administrative-data TRE built on the same model
    • HDR UK’s TRE network and NHS England’s sub-national SDEs — Five Safes at health-data scale

    For research administrators negotiating data-sharing agreements, the maturity model matters more than the framework name: a self-declared “Five Safes-aligned” environment is not equivalent to one independently assessed against all five dimensions.

    Common questions about the Five Safes framework

    What are the five dimensions of the Five Safes framework?

    The five dimensions are Safe People, Safe Projects, Safe Settings, Safe Data and Safe Outputs. Each is assessed and controlled separately, so weaknesses in one dimension can be offset by stricter controls in another, rather than requiring every dimension to reach maximum safety independently.

    How does the Five Safes framework work in the NHS?

    NHS secure data environments apply Five Safes by requiring accredited researchers, approved projects, and controlled technical settings instead of releasing pseudonymised data extracts. Following the 2022 Goldacre Review, NHS England’s secure data environment policy makes this the default access route for NHS health and care data used in research.

    Is a trusted research environment the same as the Five Safes framework?

    No. A trusted research environment is the technical and organisational setting — the “Safe Setting” — while the Five Safes framework is the broader governance logic covering people, projects, data and outputs as well. A TRE is one implementation of the Safe Settings dimension, not the whole model.

    How does the Five Safes framework relate to the FAIR data principles?

    The Five Safes framework operationalises FAIR’s “Accessible” principle for sensitive data that cannot be openly released. It makes metadata findable and reusable outputs disclosure-checked, while authorisation and accreditation — rather than open download — satisfy the accessibility requirement.

    Implications and outlook

    The direction of UK policy is unambiguous: dissemination of raw or lightly de-identified extracts is being phased out in favour of Five Safes-governed environments, first in health data and increasingly across administrative and social datasets held by ADR UK partners. For institutions, this means data-sharing agreements, ethics approvals and researcher training pathways increasingly need to be designed around the five dimensions from the outset, not retrofitted once a TRE is chosen.

    For publishers and funders assessing data-availability statements, understanding which of the five safes underpins a stated access route — rather than treating “available in a trusted research environment” as a single undifferentiated category — is becoming a necessary part of due diligence. The framework’s real value is not that it makes data open; it is that it makes the terms of controlled access explicit, auditable and consistent across institutions, which is the precondition FAIR access needs when the data itself cannot be.