How to Master the Five Safes Data Governance Framework

Why the Five Safes Data Governance Framework Matters for Secure Research

The five safes data governance framework is a structured approach for managing access to confidential or sensitive data in research. It breaks down complex data governance decisions into five key dimensions that work together to enable secure, ethical data use while supporting open science.

The Five Safes Framework consists of:

1. Safe Projects – Is this use of the data appropriate, ethical, and lawful?
2. Safe People – Can the users be trusted to use the data responsibly?
3. Safe Settings – Does the access environment prevent unauthorized use?
4. Safe Data – Is there disclosure risk in the data itself?
5. Safe Outputs – Are the results non-disclosive?

These five dimensions work as scales, not limits—meaning you can adjust controls across each dimension to achieve overall “safe use” without requiring maximum protection in every area.

From UK Statistics Office to Global Standard

The framework originated at the UK Office for National Statistics in 2003, initially as a four-safe model called the “VML Security Model.” The fifth dimension, “safe data,” was added by 2008 as data access needs expanded beyond secure research environments. Since then, the framework has been adopted by national statistical institutes across Australia, Canada, New Zealand, Norway, and beyond. Academic citations grew from just 2 in 2014 to 96 in 2022, reflecting its rapid adoption—particularly during COVID-19 research when secure data sharing became critical.

What makes the Five Safes powerful is its flexibility. Unlike rigid compliance checklists, it treats data governance as a balancing act. A public use file might have all protection built into the data itself (high safe data, low other controls), while a secure research lab might allow access to sensitive data by certified users in controlled settings (high safe people and settings, lower safe data requirements). This “graphic equalizer” approach lets organizations design solutions that fit their specific context while maintaining overall security.

I’m Maria Chatzou Dunford, CEO and Co-founder of Lifebit, where we’ve spent years implementing the five safes data governance framework across federated genomics and biomedical data platforms for public sector and pharmaceutical partners. Through building Trusted Research Environments and secure data collaboration tools, I’ve seen how this framework enables breakthrough research while protecting patient privacy—and where organizations struggle to implement it effectively.

What is the Five Safes Data Governance Framework?

At its core, the five safes data governance framework is a principles-based model designed to help data custodians make decisions about making effective use of confidential or sensitive data. It was devised by Felix Ritchie at the UK Office for National Statistics (ONS) in 2003. Unlike older models that focused almost entirely on “anonymizing” the data itself, this framework acknowledges that safety is a product of the entire environment in which data is used.

As outlined in the seminal paper The ‘Five Safes’: a framework for planning, designing and evaluating data access solutions, the framework provides a common language for researchers, data owners, and regulators. It moves away from “yes/no” access decisions toward a more nuanced assessment of risk. By addressing five distinct dimensions, organizations can ensure that the “residual risk” of data disclosure is managed to an acceptable level.

The Evolution of the Five Safes Data Governance Framework

The framework didn’t appear overnight. It evolved from the “VML Security Model,” used to manage the ONS Virtual Microdata Laboratory. Initially, it comprised four safes: Projects, People, Settings, and Outputs. “Safe Data” was formally added later to describe a wider range of activities, such as creating licensed datasets for download where the data itself had to carry more of the “safety” burden.

Read The Five Safes Framework Description to see how it has transitioned from a niche statistical tool to a global best practice. Today, it is the overriding framework for designing new secure facilities in the UK for public health and social sciences. It has been adopted by major entities like the Australian Bureau of Statistics (ABS), Health Data Research UK (HDR-UK), and the National Institute for Health Research (NIHR).

The Five Dimensions of Secure Data Access

To master the framework, we must understand that these dimensions are “joint but several.” This means we evaluate each one individually, but the final “safety” score is determined by how they interact.

We often categorize these into Managerial Controls and Statistical Controls. A key insight from the research is that managerial controls (who, why, and where) should generally be addressed before statistical controls (what and how). If you have high trust in the person and the setting, you may not need to strip as much detail from the data, preserving its research utility.

Control Type	Dimension	Focus Question
Managerial	Safe Projects	Is this use appropriate, ethical, and lawful?
Managerial	Safe People	Can the users be trusted?
Managerial	Safe Settings	Does the facility limit unauthorized use?
Statistical	Safe Data	Is there disclosure risk in the data?
Statistical	Safe Outputs	Are the final results non-disclosive?

By balancing these, we solve the “risk-utility” trade-off. For more on how these controls scale in complex environments, check out our federated governance complete guide.

Managerial Controls: Safe Projects, People, and Settings in the Five Safes Data Governance Framework

Managerial controls are about the context of the research.

• Safe Projects: This asks if the project has a clear public benefit. Is the use of data ethical and lawful? We don’t just ask “can we do this?” but “should we do this?” In modern contexts, this involves ai-enabled data governance to ensure project goals align with data use registers and patient consent.
• Safe People: This focuses on the researchers themselves. Are they accredited? Have they undergone training in handling confidential data? We treat researchers as “active” participants in security, not just passive users.
• Safe Settings: This is where technology like Lifebit’s Trusted Research Environment (TRE) comes in. Safe settings ensure that data is stored securely and that the IT environment prevents unauthorized exports. For example, an “airlock” system might allow researchers to work on data but prevent them from downloading raw files to their personal laptops.

Statistical Controls: Safe Data and Safe Outputs in the Five Safes Data Governance Framework

Statistical controls focus on the data itself and what leaves the secure environment.

• Safe Data: This involves de-identification and the creation of anonymization pipelines. The goal is to remove or mask identifiers to reduce the risk of re-identification. However, the framework suggests “safe data” should be the residual—only as much detail should be removed as is necessary given the strength of the other four safes.
• Safe Outputs: This is the final check. Before a researcher takes their results (like a graph or a table) out of the secure setting, the data custodian checks them to ensure no individuals can be identified from the results. For instance, a table with a cell size of “1” might be blocked because it reveals too much about a specific person. You can find detailed recommendations for disclosure control in recent academic literature to help automate this process.

Why the “Scales, Not Limits” Concept is a Game Changer

The most common misunderstanding of the five safes data governance framework is that it’s a “box-ticking” exercise where every safe must be “maxed out.” In reality, the framework functions like a graphic equalizer on a stereo system.

If you turn up the “Safe Settings” (by using a highly secure, locked-down TRE) and “Safe People” (by using only vetted, senior academics), you can turn down the “Safe Data” control. This allows researchers to access more granular, detailed data that provides better insights. Conversely, if you want to release data as “Open Data” for the general public (Low Safe People, Low Safe Settings), you must turn the “Safe Data” and “Safe Outputs” controls all the way up, heavily anonymizing the information to ensure safety.

This flexibility is essential for decentralized data governance. It allows organizations to be context-sensitive. Rather than a “one-size-fits-all” security policy that often blocks valuable research, we can design custom access tiers that maximize data utility without compromising privacy.

Implementing the Framework in Modern Research

In the era of Big Data and AI, the five safes data governance framework has moved from policy documents into actual law. In the UK, the Digital Economy Act 2017 provides a legal gateway for research using the Five Safes principles. In Australia, the Data Availability and Transparency Act 2022 renamed them the “Five Data Sharing Principles” but kept the core logic intact.

For organizations handling complex multi-omic and biomedical data, implementing these principles requires advanced technology. Our Lifebit approach to data governance and security utilizes federated AI to keep data where it resides, fulfilling the “Safe Settings” requirement while allowing global collaboration.

By using a data governance platform, agencies can automate the “Safe People” and “Safe Projects” checks through digital accreditation and automated data use registers. This principles-based regulation is much more effective than rigid rules, as it allows governance to evolve alongside new threats like AI-driven re-identification.

Frequently Asked Questions about the Five Safes

Is the Five Safes framework legally binding?

While the framework itself is a set of principles, it has been incorporated into several laws. It is explicitly mentioned in the South Australian Public Sector (Data Sharing) Act 2016 and forms the basis of the research provisions in the UK Digital Economy Act 2017. In 2022, Australia’s Data Availability and Transparency Act codified these principles as the mandatory standard for federal data sharing.

How does it differ from the Data Access Spectrum?

The ODI Data Spectrum describes who can access data (Open, Shared, or Closed). The Five Safes describes how that access is managed. They are complementary; you might use the Five Safes to determine exactly where a specific dataset sits on the spectrum. For example, “Shared Data” usually requires a balance of all five safes, whereas “Open Data” relies almost exclusively on “Safe Data.”

What are the main criticisms of the framework?

Some critics, such as those in the 2020 paper Critical analysis of the Five Safes, argue the framework can be seen as a “box-ticking” exercise if not implemented with technical rigor. Others suggest it has a “static” view of disclosure risk and may not fully account for how easily data can be linked across different platforms in the modern world. However, proponents argue that the subjectivity of the framework is its strength, allowing humans to make ethical judgments that algorithms cannot.

Conclusion: Secure Your Research with Lifebit

Mastering the five safes data governance framework is no longer optional for organizations that handle sensitive human data. It is the gold standard for balancing the urgent need for medical breakthroughs with the absolute necessity of patient privacy.

At Lifebit, we’ve built our federated AI platform to be the ultimate implementation of the Five Safes. Our Trusted Research Environment (TRE) provides the “Safe Settings,” our TDL ensures “Safe Data” through harmonization, and our federated governance model enables “Safe Projects” and “Safe People” to collaborate across borders without the data ever moving.

Ready to see how we can transform your data governance? Secure your research with Lifebit Trust Center and join the ranks of global leaders using the Five Safes to power the future of medicine.