Independent report

Researchers’ access to information from regulated services: executive summary

Published 9 July 2025

Presented to Parliament pursuant to section 162(5) of the Online Safety Act 2023.

July 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at www.gov.uk/official-documents.

Any enquiries regarding this publication should be sent to us at Researcheraccess@ofcom.org.uk.

ISBN 978-1-5286-5878-2

E03395491 07/25

Overview

Access to high-quality information about the digital ecosystem is vital for empowering people with greater knowledge about online safety matters. This information can provide important insights about how harms manifest (both online and offline), enable users to make informed decisions about their digital habits as well as support researchers and policymakers in assessing the efficacy of measures intended to mitigate those harms.

Researchers can also act as a powerful mediator between services and users by highlighting online safety issues in the public interest and of societal importance. However, researchers face increasing barriers to accessing information held by services. Recent years have seen restrictions on information access and consequently a growing information asymmetry between researchers and services has emerged. This has led to reduced availability of data access tools including application programming interface (APIs) and public insight tools, increased legal risk for activities like scraping, and a low-trust environment between researchers and services.

This has reduced the scope for independent research and evidence based on service data. This undermines our collective ability to grasp the dynamics of our digital environment, potentially obscuring risks and allowing harms to go unmitigated. Other sectors have addressed similar challenges through clearer standards, independent oversight, and regulatory mandates. Comparable interventions may be needed in online safety to enable safe, secure, privacy-protecting and meaningful access to information for the purposes of research into online safety matters.

Different researchers across academia and civil society may have varying information needs. Some work with large-scale historical data, while others seek real-time access to data. Current access models often fail to accommodate this diversity. While some services highlight voluntary transparency efforts, and compliance with emerging legal requirements including the Online Safety Act, researchers remain concerned about the lack of timeliness, consistency, and specificity of information access. Researchers also argue that access to individual-level data is essential to understanding online harms and safety, introducing privacy, data protection, and business risk challenges. Both researchers and services face infrastructure and resource constraints. Smaller organisations, in particular, risk exclusion from access schemes with high barriers to entry.

We have sought views from a diverse range of stakeholders in preparing this report. We requested evidence of how researchers have overcome information-sharing constraints in sectors beyond online safety, where such cases might illustrate effective data governance or data-sharing mechanisms. This is discussed in more detail in Section 3 ‘About this report’.

This report outlines three potential policy options that can facilitate greater researcher access to information about online safety matters, which the UK government may consider as part of the design of any future access framework.

Achieving greater researcher access

1. Clarify existing legal rules

Relevant authorities could provide additional guidance on what is already legally permitted for researcher access on important issues, such as data donations and research-related scraping.

This could help researchers understand what data they can collect and aids services in defining their sharing obligations, which could promote more consistent practices and potentially increase access to individual-level data. However, it places the technical and financial burden of data collection on researchers, potentially disadvantaging those with fewer resources or technical skills and creating risk of misinterpretation. Additionally, since access would remain limited to public and donated data, the diversity and depth of research outcomes may be constrained, and significant expansion of access to non-public data^{[footnote 1]} remains unlikely.

2. Create new duties, enforced by a backstop regulator

Services could be required to put in place systems and processes to operationalise data access. This could take the form of a direct access model, which could include standardised service-led procedures for researcher accreditation and data handling, with the backstop regulator responsible for enforcement. Services themselves would be responsible for the tasks of accrediting researchers, providing researchers with data directly or providing the interface through which they can access it and offering appeal and redress mechanisms. A new regulatory body would need to be established, or an existing organisation would need to be given new powers.

A direct access model could reduce security and legal risk by offering a formal mechanism for researchers to access information. In theory, this approach could have limited administrative costs as it would not require an intermediary to perform complex accreditation processes and enable timely access to mandated data types or categories without requiring tailored datasets. However, its effectiveness depends on what data is in scope. The model could require significant technical investment and offer limited research flexibility, as researchers have no input into data selection, timing or structure. The likely limited scope in data could limit research depth and diversity, and the absence of an intermediary could weaken dispute resolution mechanisms which may be relied upon in the absence of intermediary-led accreditation.

3. Enable and manage access via independent intermediary

New legal powers could be granted to a trusted third party which would facilitate and manage researchers’ access to data. This could be done through facilitators who vet researchers and provide secure access (for example through ‘clean rooms’ or application programming interfaces (APIs)), through researchers submitting requests directly to an intermediary which then liaises with services, or through intermediaries which host or manage data access services (either locally or virtually). There are three ways an independent intermediary could operate – direct access intermediary, notice to service intermediary and repository intermediary models.

Direct access intermediary. Researchers could request data with an intermediary facilitating secure access. Services could retain responsibility for hosting and providing data while the intermediary could create an interface by which researchers could request access. This process and the data in scope would be similar to a direct access model but with an intermediary that could set and enforce eligibility criteria and accredit researchers. The intermediary could act as a mediator if disputes arise.

Notice to service intermediary. Researchers could apply for accreditation and request access to specific datasets via intermediaries. Notably, this access request could involve public data, private data and/or special category data (which can be public or private). Services could retain responsibility for hosting and providing data. Proposals could include the scope of research, such as requests for tailored data held by a service, and the preferred data access modality. The intermediary and the relevant service could work together to assess proposals and offer alternatives should original requests be denied. The intermediary could act as a mediator if disputes arise.

Repository intermediary. The intermediary could itself provide direct access to data, including taking responsibility for data governance and providing an interface for data access and/or hosting the data. This could include maintaining an interface for data access and/or hosting the data directly. The intermediary would facilitate access to the relevant and appropriate data, which could include data that would not be accessible in direct access models. This model could take the form of a virtual or local repository. In a virtual repository model, an intermediary would be responsible for an interface that facilitates access to data hosted by services (e.g. via a portal to access APIs). In a local repository model, an intermediary would be responsible for a repository in a centralised, physical location (e.g. a data centre).

Despite variations in design, at a high level, intermediary models share some common strengths and challenges. Intermediary models could help overcome technical and non-technical barriers to data access by providing clear rules and processes, managing accreditation processes, and mediating disputes between researchers and services. They could help foster trust between stakeholders and unlock secure and controlled access to private and sensitive data. Intermediaries could support more diverse research methods and encourage strategic research coordination among researchers, easing the burden on services. However, implementing these models also gives rise to significant cost, expertise, data protection, and other complexity challenges. It is unclear whether any existing authority has the required competencies to perform this intermediary role effectively and/or whether a new body would need to be established.

Through our analysis, it has become evident that no single model is likely to meet the full range of researcher needs. A layered, flexible approach – combining legal clarity, technical safeguards, and independent oversight – offers the best chance of enabling responsible, timely and useful information access. The policy options (clarifying existing rules, creating new duties enforced by a backstop regulator, and enabling and managing access via an independent intermediary) and models within them (direct access, direct access intermediary, notice to service intermediary and repository models) presented in this report do not need to be considered in isolation and could be regarded as complementary.

Elements from different models, combined with enabling measures, may present more effective means of facilitating researcher access depending on policy objectives. Where needed, responsibilities for management of a researcher access regime could be shared between technical and governance-focused bodies to manage complexity, support trust-building, and reduce burdens on any single institution. Meaningful data access in support of making people safer will also require a shift in culture – one built on trust, transparency, and a shared commitment to ethical standards.

1. In the context of this report, public data refers to information that is readily accessible to the general public and does not require special permissions or authorisation to access. Private data refers to information that is not readily accessible to the public and requires special permissions or authorisation to access. Special category data, often referred to as sensitive data in this report, can be public or private and is subject to data protection laws due to its personal nature. ↩