Data Protection: Access control

Regulating access to data

Sensitive and confidential data can be safeguarded by regulating or restricting access to, and use of, the data. Access controls should always be proportionate to the kind of data and level of confidentiality involved.

When regulating access, consider the following:

• Who would be able to access your data?
• What might they be able to do with it?
• Are any specific use restrictions are required?
• How long do you want the data to be available?

Advice for depositors

Researchers wishing to deposit confidential research data should get in touch if they think additional access restrictions to the data they are depositing are required.

Three-tiers of access

The UK Data Service facilitates three levels of access for data:

• Open data: for data that contain no personal or disclosive information.
• Safeguarded data: For data that contain no personal information, however, is considered to contain a residual risk of disclosure.
• Controlled data: for data that may be disclosive.

Open data are licensed under an open licence, such as an Open Government Licence or a Creative Commons Licence, and users do not need to register to access the data.

Safeguarded data are licensed under the End User Licence and users need to be registered. Users agree to certain conditions, such as not to disseminate any identifying or confidential information on individuals, households or organisations, and not to use the data to attempt to obtain information relating specifically to an identifiable individual. Safeguarded data may have additional conditions, such as requiring data owner permission or prohibiting commercial use.

Controlled data are only available to users who have been trained and accredited and their data usage has been approved by the relevant Data Access Committee. Access is through a physical or virtual secure environment and the Five Safes principles apply (see below).

Some data collections are made available under different access levels, with confidential data available under controlled access and non-confidential data available under standard access.

There can be a need to delay access to data in time, to allow time for publication. An embargo of 12 months may be agreed to allow the primary investigators to publish findings.

More details are available on our licensing and access framework page.

Five Safes framework

For safe use of controlled data, the UK Data Service uses the Five Safes framework, which is a set of principles adopted by a range of secure labs, including the Office for National Statistics.

The five simple protocols are discussed in detail in our blog Access to sensitive data for research: ‘The 5 Safes’ and provide complete assurance for data owners and researchers by using:

• safe data
• safe projects
• safe people
• safe settings
• safe outputs

View our 5 Safes animation explaining the process:

As the names suggests, the Five Safes is a rigorous system of data access requiring: Project vetting, researcher training, secure environments, output checking and more. It will not be relevant for the majority of research data.

Visit our Who can apply to access Secure Lab pages for information on accessing controlled data.