Tag: secure data environment nhs

  • ADR UK Explained: Administrative Data Access for Social Scientists

    ADR UK (Administrative Data Research UK) is a UK-wide partnership that gives accredited researchers secure access to de-identified, linked government administrative data — held not in a conventional downloadable repository, but inside supervised Trusted Research Environments (TREs). For social scientists, this matters because it is a distinct access route: the data never leaves government custody, and the researcher, not the dataset, is what gets vetted and admitted.

    ADR UK is a partnership of four national bodies — ADR England, ADR Scotland, ADR Wales and ADR Northern Ireland — together with the Office for National Statistics (ONS), coordinated by a UK-wide Strategic Hub and funded by the Economic and Social Research Council (ESRC), part of UK Research and Innovation (UKRI).

    What is ADR UK?

    ADR UK is the mechanism by which public sector administrative data — records originally collected for tax, benefits, education, health or justice administration, not for research — is linked, de-identified and made available for social science research in the public interest. It commissions flagship linked datasets, funds research using them, and maintains a public data catalogue describing what is available and to whom.

    The partnership operates under the Digital Economy Act 2017, which created the legal gateway allowing UK government bodies to share de-identified data with accredited researchers for statistical research purposes. This is the statutory basis that distinguishes ADR UK access from a voluntary data-sharing agreement between two universities.

    How does ADR UK access differ from conventional repository deposit?

    Most research data infrastructure — repositories, DataCite-indexed archives, institutional data stores — is built around deposit and download: a dataset is prepared, described with metadata, and released for reuse under a licence. ADR UK’s model inverts this. The data is never released to the researcher’s own machine; instead, the researcher is admitted into a controlled environment where the data already resides.

    This is best understood as “FAIR-adjacent” rather than FAIR-compliant in the open-repository sense: the data is findable (via the catalogue) and, under approval, accessible, but interoperability and reusability are deliberately constrained by design, because the underlying records are personal and sensitive at source. The table below maps the three routes UK researchers commonly encounter.

    Route Access model Typical data Governing framework
    ADR UK Supervised Trusted Research Environment (TRE); no download Linked cross-government administrative data (education, benefits, justice, tax) Digital Economy Act 2017; Five Safes
    NHS Secure Data Environments Supervised SDE; “dissemination by exception” NHS health and social care records NHS England’s 2022 Secure Data Environment policy
    UK Data Service Deposit/download under end-user licence Social surveys, census, cross-national socioeconomic data ESRC-funded repository terms

    The practical consequence for a social scientist: an application to ADR UK is an application for supervised admission to a workspace, not a request for a file transfer.

    What is the Five Safes model and what is a Trusted Research Environment?

    ADR UK access is governed by the Five Safes model, a risk-management framework originally developed by the ONS and now used across UK administrative data infrastructure, including NHS Secure Data Environments. It manages disclosure risk across five dimensions rather than relying on a single control.

    • Safe people — only accredited, trained researchers gain access.
    • Safe projects — proposals are approved for public benefit and ethical soundness.
    • Safe data — records are de-identified before linkage.
    • Safe settings — analysis happens only inside a Trusted Research Environment, a monitored, non-internet-connected computing environment.
    • Safe outputs — every result is disclosure-checked before it can leave the TRE.

    Each of the four UK nations operates its own TRE, accessed in person at a designated safe location or via a secure remote connection, using approved statistical software such as R, Python, SPSS or Stata.

    Who is eligible, and how does accreditation work?

    Eligibility runs through the researcher, not the institution. Under the Digital Economy Act 2017 accreditation process, an applicant must complete Safe Researcher Training and pass an assessment before an accreditation panel will approve them; this status is valid for five years. Accreditation alone does not grant data access — a specific research project must then be separately approved against public-benefit, feasibility and ethics criteria before a TRE account is issued.

    For institutions supporting early-career or interdisciplinary social scientists, this two-stage gate (accredit the person, then approve the project) is the single most common point of delay administrators should plan for, since neither step can be skipped or run in parallel with data linkage preparation.

    How is ADR UK funded and governed?

    ADR UK began as an ESRC investment running from July 2018. In September 2020, UKRI, the Department for Business, Energy and Industrial Strategy and HM Treasury approved £15.3 million for the 2021/22 financial year — the first year of a planned five-year investment. In September 2021, the remaining £90.12 million of that investment was secured from UK government to extend the programme to March 2026. In July 2025, UKRI confirmed a further £168 million investment to continue the programme beyond 2026, securing its next phase.

    Governance sits with the UK-wide Strategic Hub, which coordinates the four national partnerships, engages with government departments to secure data access agreements, and administers the dedicated research grant fund — distinct from the accreditation function, which remains with the statutory panel under the Digital Economy Act 2017.

    Frequently asked questions

    Is ADR UK the same thing as “alternative dispute resolution”?

    No. ADR UK in a research-administration context refers exclusively to Administrative Data Research UK, the government-data access partnership described here. “ADR” also commonly abbreviates alternative dispute resolution in a legal context — an unrelated field covering mediation and arbitration — and searchers should check context before assuming which meaning applies.

    What kind of data does ADR UK provide access to?

    ADR UK provides access to linked, de-identified administrative data generated by government departments — including education records, benefits and employment data, and justice-system data — rather than data collected specifically for research, such as surveys. Its public data catalogue and flagship datasets list what is currently available to accredited researchers.

    Is ADR UK data FAIR or open access?

    ADR UK data is not open access and is only FAIR-adjacent: it is findable through the catalogue and accessible to accredited, approved researchers, but it cannot be freely downloaded, reused or redistributed, because the source records are personal and disclosive. Outputs, not raw data, are what eventually leave the Trusted Research Environment.

    How long does the ADR UK access process take?

    Timelines vary, but researchers should expect two sequential approval stages: Safe Researcher Training and accreditation first, then a separate project-specific approval before a Trusted Research Environment account is issued. Institutions should budget for both stages when planning grant timelines, since data linkage itself begins only after project approval.

    What this means for research administrators and institutions

    For institutions supporting quantitative social science, ADR UK access is a compliance and planning question as much as a technical one. Research offices should treat Safe Researcher Training and accreditation as a standing institutional capability — something built into PhD and postdoctoral training pipelines — rather than a one-off hurdle discovered mid-grant. Because accreditation is personal and portable across five years, institutions that pre-accredit staff gain a durable advantage in bidding for ADR UK-linked funding calls.

    The broader signal is that “FAIR-adjacent” access, governed by statute and a risk framework rather than a licence, is becoming a parallel track alongside conventional repository deposit — one that other data-holding sectors, including health, are converging on through NHS Secure Data Environments. Research administrators who understand both tracks are better placed to route projects to the correct infrastructure the first time.

  • Trusted Research Environments Make NHS Data FAIR

    A trusted research environment (TRE) is a secure, access-controlled computing platform that lets approved researchers analyse sensitive data — such as NHS patient records — without ever copying, downloading, or exporting the underlying data. Analysts log in remotely, run their code against the data inside the environment, and only pre-checked, aggregated outputs leave the boundary. This is the mechanism that lets sensitive health datasets stay FAIR-findable and reusable while the data itself never crosses a governance line.

    A trusted research environment is: a governed digital space in which pre-approved researchers query sensitive data under the Five Safes framework, with disclosure-checked outputs as the only route out. TREs are also known as secure data environments (SDEs), data safe havens, or secure research environments (SREs) — functionally synonymous terms, though NHS England now prefers “secure data environment” in public-facing policy as more intuitive than the technical “TRE”.

    What is a trusted research environment and how does it work?

    A TRE inverts the traditional data-sharing model. Instead of sending a dataset to a researcher’s own machine, the researcher comes to the data. Code, statistical software, and disclosure-controlled outputs move; identifiable records do not.

    • No data extraction: raw records cannot be downloaded, copied, or emailed out of the environment.
    • Pre-installed analytical tooling: statistical packages and secure workspaces sit inside the perimeter, so researchers never need a local copy.
    • Output checking: a human or automated disclosure-control review screens every result before it is released, to confirm no individual can be re-identified.

    Peer-reviewed literature describes a TRE as “an environment supported by trained staff and agreed processes… to access sensitive data” — a framing echoed across UK academic TRE documentation.

    What is the Five Safes framework?

    The Five Safes framework is the governance model almost every UK TRE uses to structure access decisions — from the Office for National Statistics’ Secure Research Service to NHS regional secure data environments. It originated at the ONS and is now standard across the UK’s public-sector research data infrastructure.

    Safe Question it answers Typical control
    Safe Projects Is the research in the public interest? Independent research/ethics review of the proposal
    Safe People Can this researcher be trusted? Accreditation, training, background checks
    Safe Settings Is the technical environment secure? No internet egress, monitored virtual desktops, audit logging
    Safe Data Is the data adequately de-identified? Pseudonymisation, aggregation, statistical disclosure control
    Safe Outputs Could the results re-identify anyone? Manual or automated output review before release

    ADR UK notes that each of its national partnerships, as well as the ONS, operates a dedicated TRE built on Five Safes principles — the de facto standard, not one option among several.

    How does the NHS secure data environment programme work?

    NHS England’s SDE policy requires that access to NHS health and social care data for research and planning be provided through accredited secure data environments, rather than by disseminating extracted, pseudonymised datasets to individual organisations. This followed the 2022 Goldacre Review, “Better, Broader, Safer: Using Health Data for Research and Analysis,” which recommended TREs become the default route for accessing NHS data rather than the exception.

    The result is a two-tier structure now operating across England:

    • NHS England’s national SDE, holding national datasets for approved research uses.
    • Sub-national secure data environments (SNSDEs), regional environments aligned to Integrated Care Systems, giving researchers access to more granular, regionally linked data.

    Devolved nations run equivalent infrastructure: the Scottish National Safe Haven, Wales’ SAIL Databank at Swansea University, and Northern Ireland’s Honest Broker Service each function as a jurisdictional TRE under comparable governance.

    How do TREs make sensitive data FAIR without moving it?

    The FAIR data principles — Findable, Accessible, Interoperable, Reusable, formalised by Wilkinson et al. in Scientific Data (2016) — were designed for open datasets that can be freely retrieved. Sensitive health data cannot satisfy FAIR in its literal, open-access sense; a TRE lets each principle apply to the metadata and governance layer instead of the raw record. This is the architectural insight most explainer content on this topic misses: FAIR does not require open data, it requires a documented, machine-actionable pathway to reuse — and a TRE supplies exactly that for data which must stay closed.

    • Findable: TREs publish dataset-level metadata in public catalogues — for example, the HDR UK Innovation Gateway — with persistent identifiers, so a dataset’s existence, structure, and provenance are discoverable even though the records inside are never exposed.
    • Accessible: “accessible” is redefined as a documented, auditable application and accreditation process (Safe People, Safe Projects) rather than an open download link — the process itself is transparent even where the data is not.
    • Interoperable: common data models and coding standards (such as OMOP or SNOMED CT mappings used across NHS TREs) let approved analyses run consistently across multiple environments, enabling federated analysis without pooling raw data in one place.
    • Reusable: version-controlled analytical code, output logs, and data dictionaries are retained and, increasingly, shared openly by researchers even when the underlying data cannot be — supporting reproducibility and future reuse of the method, if not the dataset.

    This mapping is the load-bearing argument of the TRE model: sensitive data sharing and open FAIR data are not opposites. The TRE is the governance boundary that lets FAIR’s discovery and reuse guarantees operate at the metadata and code layer while Five Safes controls operate at the record layer.

    How does OpenSAFELY demonstrate the model in practice?

    OpenSAFELY, built by researchers at the University of Oxford and the Bennett Institute for Applied Data Science in response to the COVID-19 pandemic, is the most cited working example of this architecture. Rather than extracting GP records, OpenSAFELY runs analytical code inside the secure environments of the electronic health record software suppliers themselves, executing studies against the pseudonymised primary-care record for a very large proportion of England’s registered patients — without the data ever leaving NHS-contracted infrastructure.

    Its methods and code repositories are published openly, so the analytical logic is fully FAIR — reusable and auditable by anyone — even though the patient-level data it runs against never is. That split is the clearest public demonstration of “FAIR governance, closed data” in UK health research.

    Common questions about trusted research environments

    What is the difference between an SDE and a TRE?

    An SDE and a TRE describe the same underlying architecture; SDE is the term NHS England now favours as clearer for non-specialist audiences, while TRE remains standard in academic and technical documentation, including workspace-level “research TREs” built for a single project inside a broader SDE.

    Is a data safe haven the same as a trusted research environment?

    Yes — data safe haven is an earlier, still widely used UK term for the same model, applied to environments such as the Scottish National Safe Haven. All three terms describe a controlled computing space governed by comparable accreditation, de-identification, and output-checking controls, typically under a Five Safes-style framework.

    What is required to build a trusted research environment?

    Building a compliant TRE requires an on-premises or cloud-hosted secure computing platform with no unmonitored internet egress, encrypted data at rest and in transit, role-based access controls, and a formal output-checking process — King’s College London’s CREATE TRE, for example, operates under ISO 27001 certification to evidence these controls externally.

    What does “trusted research” mean in UK government usage?

    Separately from the TRE data-access model, the UK government’s “Trusted Research” guidance is a framework protecting intellectual property and research security in international collaborations, distinct from — but sometimes confused with — the data-governance meaning of “trusted research environment” discussed here.

    What this means for research administrators and funders

    For institutions handling sensitive datasets, FAIR compliance and data protection obligations are no longer competing priorities. A properly governed TRE lets a research office satisfy funder FAIR-data mandates — citing metadata, persistent identifiers, and documented reuse pathways — while meeting UK GDPR, common-law confidentiality, and NHS information-governance duties simultaneously. Research administrators evaluating data-access requests should treat “does this dataset sit behind an accredited TRE with Five Safes controls” as a first-order question, not an afterthought.

    As sub-national secure data environments mature across England’s Integrated Care Systems, and equivalent infrastructure federates across the devolved nations, the interoperability layer — common data models, shared metadata standards, cross-TRE federated analysis — is the area most likely to determine whether the FAIR promise of these environments is fully realised.