Secure Data Environments

Legally Trained Consultants

Leveraging the power of health data while maintaining public trust and confidence in the health services

Whilst there are increasing opportunities for data-driven innovation and technology to support the management of healthcare services and the delivery of health-related research, public outcries in recent years have demonstrated that certain members of the public are not comfortable with the idea of their personal health data, which was originally shared with doctors in confidence, being used and/or shared with third parties for purposes beyond the provision of direct care. A recent example of this was the NHS’s large-scale project entitled ‘GP Data for Planning and Research’ (GPDPR), which faced such resistance when originally proposed that it had to be suspended for further consideration.

Striking a balance between leveraging the power of health data for these purposes, preserving patient confidentiality and ensuring the security of data is therefore fundamental for healthcare organisations to effectively discharge their statutory obligations whilst maintaining public trust and confidence in the health services. The use of Secure Data Environments (SDEs) is currently regarded as the gold standard for achieving that balance.

“Secure data environments are data storage and access platforms, which uphold the highest standards of privacy and security of NHS health and social care data when used for research and analysis. They allow approved users to access and analyse data without the data leaving the environment.”[1]

Where effectively implemented, an SDE presents numerous advantages over the current practice of routine sharing of data for purposes beyond the provision of care, including the following:

  • protects the data under robust technical and organisational controls;
  • allows access to the environment only to users who obtain prior approval;
  • restricts access to only the data strictly necessary for the approved project;
  • controls the form in which the data is presented to approved users;
  • limits what approved users can do with the data in the environment;
  • prevents approved users from extracting data from the environment.

For these reasons, the implementation of SDEs has received strong support from industry experts and is now recommended by the government. The Department of Health and Social Care, in its policy paper “Data saves lives: reshaping health and social care with data”[2], highlights the central role that SDEs will play in allowing analysis to take place within a secure online platform while also building the public’s trust that their health and care data are kept safe. To this end, the paper states that SDEs will be the default route for NHS and adult social care organisations to gain access to de-identified data for research and analysis without engaging in any data distribution.

The policy paper echoes the recommendations of Professor Ben Goldacre made in his independent report, ‘Better, Broader, Safer: Using Health Data for Research and Analysis’ (also known as the ‘Goldacre Review’).[3] According to Professor Goldacre, SDEs also present an opportunity to modernise data analysis by removing the IT constraints arising from having multiple platforms which may not always support the use of modern data analysis tools.

[1] Department of Health and Social Care’s (DHSC) policy paper “Secure data environment for NHS health and social care data – policy guidelines”, updated 23 December 2022.

[2] ‘Policy Paper: Data saves lives: reshaping health and social care with data’ (GOV.UK, 15 June 2022) accessed 10/07/2023.

[3] ‘Better, Broader, Safer: Using Health Data for Research and Analysis’ (Secretary of State for Health and Social Care, April 2022) accessed 10/07/2023.

How can we help your organisation?

We can help private and public providers of health and care services adapt to a changing health and care industry by leveraging data-driven technologies and systems. Our team of experts has a track record of working with clients to design and implement effective information governance models that are tailored to their needs and capable of supporting the successful implementation of SDEs in compliance with data protection regulation and information governance principles, whilst preserving public trust and confidence in the process.

It might be tempting to think that simply creating a database in a cloud environment whose supplier has obtained all relevant industry-standard accreditations would suffice for it to be regarded as an SDE. However, the reality is that the effective implementation of SDEs is substantially more complex, as it requires considerations that extend far beyond the choice of a storage solution and involves putting in place an array of technical and organisational measures around it.

The “Six Safes” Framework, originally developed by the Office for National Statistics (ONS), is a set of principles that determine the layers of protection that must be implemented in order for an environment to be considered an SDE.

  • Safe People
  • Safe Projects
  • Safe Setting
  • Safe Data
  • Safe Outputs
  • Safe Return

Understanding all requirements around the “6 Safes” and tailoring their application to the needs of the project in a robust manner during the implementation of SDEs is undoubtedly a challenging task.

The challenges of implementing Secure Data Environments

We are here to assist:

Our Services

We provide a full data protection and information governance consultancy service to all our clients who engage with us. We provide flexible packages and services to make sure that you only pay for what you need, so you aren’t paying for unnecessary services. Whatever you and your organisation need, we are here to help.

Data Protection Advice and Consultancy

Data Protection Impact Assessment (DPIA)

External Independent Reviews


Data Protection Officer Services

Fair Processing Materials

Data Protection Health Check

Assistance with Policy Development

Data Security and Protection Toolkit (DSPT)

Record of Processing Activities (ROPA) & Information Asset Registers (IAR)

Packaged Services

Other Services
