Data Protection: Access control
Access Control
Regulating access to data
Sensitive and confidential data can be safeguarded by regulating or restricting access to, and use of, the data. Access controls should always be proportionate to the kind of data and level of confidentiality involved.
When regulating access, consider the following:
- Who would be able to access your data?
- What might they be able to do with it?
- Are any specific use restrictions are required?
- How long do you want the data to be available?
Advice for depositors
Researchers wishing to deposit confidential research data should get in touch if they think additional access restrictions to the data they are depositing are required.
Three-tiers of access
The UK Data Service facilitates three levels of access for data:
- Open data: for data that are neither classified as Personal Data nor Personal Information and with no residual risk of disclosure or where consent to share Personal Data or Personal Information as Open Access is in place.
- Safeguarded data: for data that are neither classified as Personal Data nor Personal Information and where the risk of identification is considered sufficiently remote. These data are effectively anonymised.
- Controlled data: for data classified as Personal Information or Personal Data and data that are particularly sensitive, commercially or otherwise.
For further information, find out more about our licensing and access framework.
Open data are licensed under an open licence, such as an Open Government Licence or a Creative Commons Licence, and users do not need to register to access the data.
Safeguarded data are licensed under the End User Licence and users need to be registered. Users agree to certain conditions, such as not to disseminate any identifying or confidential information on individuals, households or organisations, and not to use the data to attempt to obtain information relating specifically to an identifiable individual. Safeguarded data may have additional conditions, such as requiring data owner permission or prohibiting commercial use.
Controlled data are only available to users who have been trained and accredited and their data usage has been approved by the relevant Data Access Committee. Access is through a physical or virtual secure environment and the Five Safes principles apply (see below).
Some data collections are made available under different access levels, with confidential data available under controlled access and non-confidential data available under standard access.
There can be a need to delay access to data in time, to allow time for publication. An embargo of 12 months may be agreed to allow the primary investigators to publish findings.
More details are available on our licensing and access framework page.
Five Safes framework
For safe use of controlled data, the UK Data Service uses the Five Safes framework, which is a set of principles adopted by a range of secure labs, including the Office for National Statistics.
The five simple protocols are discussed in detail in our blog Access to sensitive data for research: ‘The 5 Safes’ and provide complete assurance for data owners and researchers by using:
- safe data
- safe projects
- safe people
- safe settings
- safe outputs
View our 5 Safes animation explaining the process:
As the names suggests, the Five Safes is a rigorous system of data access requiring: Project vetting, researcher training, secure environments, output checking and more. It will not be relevant for the majority of research data.
Visit our Who can apply to access Secure Lab pages for information on accessing controlled data.