Regulating access to data

Sensitive and confidential data can be safeguarded by regulating or restricting access to and use of the data. Access controls should always be proportionate to the kind of data and level of confidentiality involved.

When regulating access, consider who would be able to access your data, what they are able to do with it, whether any specific use restrictions are required, and for how long you want the data to be available.

Advice for depositors

Researchers wishing to deposit confidential research data should get in touch if they think additional access restrictions to the data they are depositing are required.

Three tiers of access

Three tiers of access

The UK Data Service facilitates three levels of access for data:

  • open data: for data that contain no personal or disclosive information
  • safeguarded data: for data that contain no personal information, but the data owner considers there to be a risk of disclosure resulting from linkage to other data
  • controlled data: for data that may be disclosive

Open data are licensed under an open licence such as Open Government Licence or Creative Commons Licence and user do not need to register to access the data.

Safeguarded data are licensed under the End User Licence and users need to be registered. Users agree to certain conditions, such as not to disseminate any identifying or confidential information on individuals, households or organisations, and not to use the data to attempt to obtain information relating specifically to an identifiable individual. Safeguarded data may have additional conditions such as requiring data owner permission or prohibiting commercial use.

Mixed levels of access control may be put in place for some data collections, combining controlled access to confidential data with standard access to non-confidential data.

Controlled data are only available to users who have been trained and accredited and their data usage has been approved by the relevant Data Access Committee. Access is through a physical or virtual secure environment and the 5 Safes principles apply.

There can be a need to delay access to data in time, to allow time for publication. An embargo of 12 months may be agreed to allow the primary investigators to publish findings.

More detail is available in the UK Data Service Data Access Policy.

Five Safes

Back to top