Frequently Asked Questions

The Safe People Registry does not, itself, host any of the secure data from the Data Custodians. All datasets remain with the Data Custodians. The Safe People Registry does collect personal information in the profiles of Users and Organisations, which can be seen when added to projects by Data Custodians. The security in our system ensures that specific User and Organisation details remain strictly viewable by the account owners themselves, their Organisations, and the Data Custodians.

Users must approve/deny access to their Safe People Registry data should a Data Custodian wish to implement software measures within their own systems. These requests will only ever come from known Data Custodian’s within the Safe People Registry, and all API access enforces signed requests/responses to ensure data isn’t tampered with in transit.

Penetration testing: We have automated vulnerability testing weekly, which feed immediately into our development cycle.

In the Safe People Registry, Organisation validation if performed by the Data Custodian, and confirms that an organisation is legitimate and has sufficient security accreditation for its Users (staff, students) to access sensitive data. The ‘safe setting’ in the Five Safes framework refers to the technical and security controls of the environment where data is accessed, such as cybersecurity protections and data handling policies. Sometimes, that environment is managed by the User’s Organisation - necessitating Organisation validation. But increasingly, data stays within a secure platform managed by the Data Custodian, and Users access it remotely.

Not at all. The Safe People Registry is designed to work with any type of data. While it was developed by Health Data Research UK, we collaborated with experts from a range of fields, including health, education, social science, economics, and more, to ensure it’s flexible and widely applicable.

A Senior Responsible Officer (SRO) from the Organisation creates a profile in the Safe People Registry and uploads the necessary documents (including signed approval from their Organisation that the SRO has the relevant authority to undertake the role). Once submitted, each Data Custodian can review the information and decide whether they recognise the Organisation as ‘safe’.

Validation: A Data Custodian confirms that a User or Organisation meets their requirements to be considered ‘safe’.

Approval: A Data Custodian records that approval has been given for a specific project. Project approval processes take place outside of the Safe People Registry often by a Data Governance Approval Committee. The Safe People Registry enables a Data Custodian to record a project approval.

Affiliation: An Organisation takes legal responsibility for a User, often as their employer or sponsor.

The Data Custodian uploads project details using information gathered from processes outside the Safe People Registry, such as data access requests. Once a project is created, the Data Custodian can then add Users to the project.

No. The Safe People Registry is used by Data Custodians to record validation decisions only. It does not automatically grant access to data. Projects must be provided separately and recorded as approved by the Data Custodian. A project could potentially be recorded as approved by a Data Custodian, but an individual User not validated to work on the project.

Yes, both are possible! The Safe People Registry keeps track of these decisions separately. Some Data Custodians review and record approvals on projects and validations of Users one after the other, while others do both at the same time. Our platform is flexible to support either approach.

You can find helpful information and important resources in the ‘key references’ section on our About page and the explainer video(opens in a new tab).

Yes! You can be linked to multiple organisations in the system, making it easy to manage your roles across different teams.

Using your personal email lets you keep your Safe People Registry profile no matter which Organisation you work with. When you join or change Organisations, you simply link your professional email to your profile to complete the affiliation process.

The Safe People Registry stores your ‘safe people’ credentials in one secure, standard profile. This means when you apply to access sensitive data, Data Custodians can quickly verify your details, speeding up the whole process. Some additional time-saving benefits include: ORCiD integration, automatic notifications, and optional identity verification done once.

Yes! The Safe People Registry can connect with your internal HR systems, by using automated API links.

The SRO is responsible for setting up the Organisation’s record and making sure all the information stays accurate and up to date.

Yes. Once setting up the Organisation’s profile, the SRO can appoint trusted Organisational administrators (termed Delegates in the Safe People Registry) who can manage User affiliations on their behalf.

Yes! The Organisation can also see in real time if/when the Data Custodian records project approval.

The Organisation creates their profile and fills in important information like their SRO details, as well as submitting a signed SRO declaration. This is checked by members of the Safe People Registry Team (which usually takes <1 week), before full Organisation access is granted.

No. The Safe People Registry does not decide whether a project is approved or whether a User or Organisation is validated. All decisions are made solely by the Data Custodian responsible for the data.

The Safe People Registry itself doesn’t decide whether someone is a ‘safe’ User. That decision is always made by a person. To help with this, Data Custodians can use a manual checklist to review each criterion, marking pass or fail and adding comments as needed.

Automated flags speed up the process by highlighting certain information automatically, such as a User’s location or whether they have completed specific training. These flags don’t make the decision for you, they simply make it quicker and easier to review the relevant details during validation.

The ‘safe people’ validation check can happen at the same time as a data access request. By using the Safe People Registry, you can speed things up, for example, by including a Safe People Registry ID field in your data access request form (or the equivalent process used by your Data Custodian). If you use the Health Data Research Gateway(opens in a new tab), there are built-in integrations to make this even easier.

Only Data Custodians can add Users to projects. If your Organisation needs you to be added, they can make a request to the Data Custodian on your behalf. Users cannot add themselves to projects.

The Safe People Registry keeps a record of all User actions for security and transparency. Data Custodians can view logs showing any updates to User profiles, as well as changes in their affiliation made by their Organisation.

Yes. You can add colleagues as Team Members in your Data Custodian profile. They can be assigned as:

Administrators: able to update your profile settings and configurations

Approvers: able to review and record approval of projects, and validate Users or Organisations.

No. To get started, you only need to add a project title and summary before you can begin adding Users. however, the additional project information fields are there to match the UK Health Data Research Alliance’s Data Access Transparency standards(opens in a new tab). Completing these fields will allow you to automatically create a public-facing Data Use Register without extra work.

The Safe People Registry keeps all the key information, validations, and decisions about a User’s or Organisation’s ‘safeness’ in one secure, central place. This means fewer emails, less chasing, and faster validations. Some additional benefits include:

User and Organisation profiles in a clear, standard format

Automatic generation of a public Data Use Register, instantly generated from project information

Notifications for validations status changes and expiring training certificates

Automatic flags to make validations quick and easy

This is highly unlikely to happen, as we have long term funding as an institute to support the system. Nevertheless, there is no vendor lock-in. You can use the API to pull out all your information, and detailed assistance for how to do this will be supplied if ever the service had to shut down, or if you wish to change systems due to your own preferences.