The following legal gateways allow accredited and approved researchers to access data for research and statistical purposes. The Digital Economy Act 2017 (DEA) (Part 5, Chapter 5) includes an important statutory framework to support the UK research community, both within government and beyond, that permits public authorities to share de-identified information with accredited researchers for the purposes of public good research. The Statistics and Registration Service Act (SRSA) 2007 at s.39(4)(i) allows access to unpublished data held by the Office of National Statistics by approved researchers for the purpose of statistical research.
Both gateways aim to broaden the capacity of research to deliver direct and indirect public benefits, including the production of valuable new research insights about UK society and the economy. All projects involving access to data for research purposes using the SRSA Approved Researcher gateway and the DEA Research power are consistently accredited using the Research Code of Practice and Accreditation Criteria, which was approved by the UK Parliament in July 2018.
The UK Statistics Authority is the statutory accrediting body responsible for the accreditation of processors, researchers and their projects.
Responses to frequently asked questions relating to the way in which the Digital Economy Act (2017) Research power and the Statistics and Registration Service Act (2007) work are listed below.
The ‘Research powers’ refer to Part 5 Chapter 5 of the Digital Economy Act 2017, and allow public authorities to make the data they hold available for public good research through a research framework that is compatible with Data Protection Legislation. However, the data has to first be ‘de-identified’ so that it is no longer reasonably likely to allow the identification of a person or business. Researchers and their projects must be accredited and the research itself can only take place in accredited safe environment.
All of the data held by public authorities in connection with their own purposes, and that has first been processed so that it is no longer reasonably likely that a person can be identified, can be made available through the DEA Research powers. The only exception is data held by public authorities for the provision of health services or adult social care. Research use of data under the Research powers is always at the data owner’s discretion; a data owner must agree for their data to be made available for the purpose of the accredited research project.
Should researchers want to request access to public authority data that is not yet available in an accredited processing environment’s data catalogue, the researcher should contact the processing environment directly. Details of potential data acquisitions and fees for such activities should be discussed with the accredited processing environment. The list of accredited processing environments is available here.
The Statistics and Registration Service Act (SRSA) 2007 at s.39(4)(i) allows access to unpublished data held by the Office of National Statistics by approved researchers for the purpose of statistical research.
This gateway aims to broaden the capacity of research to deliver direct and indirect public benefits, including the production of valuable new research insights about UK society and the economy.
The UK Statistics Authority is the statutory accrediting body responsible for the accreditation of processing environments, researchers and their projects. The overall accreditation approach for potential processors, as well as those for researchers and research projects, is set out in the statutory Research Code of Practice and Accreditation Criteria which was approved by Parliament in July 2018.
The UK Statistics Authority has established a Research Accreditation Panel to oversee the accreditation of processors, researchers and research projects. The Panel provides independent assurance that the Research powers in the DEA are being operationalised in a way that is consistent with the Research Code of Practice and Accreditation Criteria.
A secure data processing environment is a technical infrastructure within an organisation which enables the safe and secure processing, storing, and hosting of data. The technical infrastructure is often supported by specialist data processing and data access teams. An accredited processing environment is a secure data processing environment which has been accredited by the Research Accreditation Panel to make de-identified data available under the DEA Research power. Any organisation may apply to be an accredited processing environment. To receive accreditation from the UK Statistics Authority, processing environments must:
- Meet appropriate cross-government standards for the secure holding of sensitive data (personal information);
- Make use of appropriate technical infrastructure;
- Agree to publish and maintain appropriate data policies;
- Have appropriate skills and experience; and,
- Agree to inclusion on a public register.
More information on the framework used to accredit data processing environments is available here.
Data processing environments can be accredited for either, or both, of the following functions under the Research power in the DEA:
- Linking, matching, curating and de-identifying of data;
- Storing and provision of researcher access to de-identified data.
The Research Code of Practice and Accreditation Criteria sets out the conditions that processing environments must meet to receive accreditation. The UK Statistics Authority has developed an accreditation process to fulfil these conditions, which assesses potential processors against the security controls required for the security standard of ISO27001. Potential data processors will need to complete evidence-based compliance assessments to ensure they can demonstrate sufficient security and technical controls, that staff have the appropriate skills and experience, and it is willing to be included on a public register.
Access to data under the DEA Research power is modelled on the Five Safes framework, which is an established set of safeguards and measures to ensure data is kept safe and secure. These include:
- Safe data: Data is processed by an accredited processing environment before it is disclosed to accredited researchers so that it cannot be used to identify an individual.
- Safe people: All researchers accessing data in an accredited project via an accredited processing environment must be trained and accredited under the DEA.
- Safe project: The research project must be accredited using the framework set out in the Research Code of Practice and Accreditation Criteria, which is overseen by the Research Accreditation Panel.
- Safe place: The processing environment used by the researcher to access the secure de-identified data must be accredited under the DEA.
- Safe outputs: All outputs requested from the accredited processing environment are checked thoroughly so that any potentially re-identifiable outliers are removed.
Before data can be accessed by an accredited researcher for research purposes, the research project in which the data will be used must be accredited. Once the research project is accredited, the data can be made available to the accredited researcher for the specified accredited purposes, via an accredited processing environment. An accredited processing environment must process the data so that it is not reasonably likely for an individual person or business to be identified from the data, either by itself or in combination with other data. Subsequently, the data can be made available to an accredited researcher in an accredited secure processing environment. The accredited processing environment will ensure that any data (or any analysis based on the data) retained or published by the researcher are disclosure controlled to prevent data subjects being re-identified, or the data being potentially misused. Data can only be made available to accredited researchers for the purposes of their accredited research project.
A list of accredited processors can be found here.
Only researchers that are accredited under the DEA Research power can access data, which must be for the purpose of accredited research project(s) that they are named on. To become accredited, the researcher must provide evidence of suitable research qualifications and/or experience and may be required to pass a training course on the safe use of data. All accredited researchers undertaking work through the DEA Research powers are published here.
To be able to use the DEA Research power, research projects must be accredited using the UK Statistics Authority’s research framework, which is overseen by the Research Accreditation Panel. Researchers submit an application form to the accredited processing environment in which they plan to undertake the research. The accreditation decision is based on the evidence provided in the application form. Guidance on how to complete the application form can be found here. In an application form, researchers are asked to provide evidence that the research meets the criteria for accreditation set out in the Research Code of Practice and Accreditation Criteria:
- The research is in the public interest;
- The research complies with all aspects of UK law;
- The research is transparent;
- The research is ethically appropriate;
- The data requested is appropriate for the research that is proposed; and,
- All researchers are accredited researchers.
All research projects accredited and allowed to proceed under the DEA Research powers can be found here.
Yes, the UK Statistics Authority will accredit projects that use data available through the DEA Research powers and data available through other means. This accreditation will be dependent on the research, researcher and processing environment meeting all the criteria set out in the Research Code of Practice and Accreditation Criteria. Access to non-DEA data may require approval from the appropriate governance bodies supporting access through alternative legal gateways.