Guidance

Safeguarding UK human genomic data

Published 2 July 2026

Summary

The UK is a global leader in the collection, collation and understanding of human genomic data (HGD). Its use in research and development contributes significantly to global scientific and medical benefit as well as economic growth. However, keeping health data safe and secure is important for maintaining public trust. HGD, if shared without due care, can present risks to the UK.

This guidance sets out the UK government’s expectations on how HGD can be made available in a way that maximises scientific benefit while reducing risks. It is intended for major UK government-funded holders of HGD that make it available to external users. This applies to Genomics England, Our Future Health, UK Biobank and NIHR BioResource. It supplements existing legislation and guidance already in place (see annex). This guidance will be kept under review.

This guidance uses the Five Safes framework, developed by the Office for National Statistics, to set recommendations for how HGD can be made available safely and securely to external users. This guidance also sets a framework to support major holders of HGD when considering whether to make data available to users outside of the UK and expectations on protective security.

Safe settings

Major holders of HGD should only make data available through one or more secure data environments (SDEs) (see definition under Terminology) designed and operated to enforce security controls by default.

Where major holders of HGD are unable to meet a user’s needs in their own SDE, they can approve a third party SDE to hold their data for approved projects. This third party SDE should meet at least the recommendations set out in this guidance.

Major holders of HGD may be part of federations of linked SDEs, which allow users to analyse data across multiple SDEs without data leaving an individual SDE. SDEs involved in this federation should meet at least the recommendations set out in this guidance.

Major holders of HGD should consider how to identify anomalous activity by users, for example unexpected volumes of activity or repeated failed actions.

Major holders of HGD should have robust cyber security arrangements in place to manage cyber risk and protect services from cyber threats.

Safe data

All information, including HGD, made available should be recorded, handled and stored appropriately, while protecting the confidentiality of participants.

All HGD should have direct identifiers (that allow a user to directly identify an individual, such as name or full date of birth) removed.

Relevant legal and regulatory requirements, and professional standards, must be complied with. This includes the UK General Data Protection Regulation (GDPR) principle of data minimisation, meaning the minimum amount of personal data needed for the intended purpose should be used.

Safe people

Major holders of HGD should have robust policies and processes in place to assess individuals who are potential users, and the organisation or organisations sponsoring the project. This is to check that access is justified before a user is allowed to access HGD in the SDE.

At the start of the project, all those who will be accessing the HGD should be approved by the holder of the HGD before access is allowed for that project. There should be processes in place to formally add or remove access for users, when these change.

Careful consideration should be given where a holder has information that shows that users or their sponsoring organisation have a previous history of data breaches or misuse of data. Our expectation is that a history of serious data breaches or misuse of data means that a user should not be approved to access HGD.

Safe projects

Only projects that are intended to benefit human health or deliver wider public benefit should be approved.

We will consider arrangements for sharing appropriate information with major holders of HGD on the risks in this area, with a view to enabling them to make more informed decisions on whether to approve specific projects.

Safe outputs

Major holders of HGD should only make HGD available through an access environment that has an appropriately robust ‘airlock’ (see definition under ‘Terminology’ below) in place, with checks on the information or tools being brought into the SDE or removed by the user.

Each holder should have a documented process for controlling inputs to and outputs from the SDE, that should set out expected risks and how to mitigate them.

If an automated output checking process is used, it should be able to identify higher risk outputs (for example, anomalous volume or file sizes) for manual checking.

Considerations for access by users based outside the UK

Given the sensitive nature of HGD and the potential for serious harms associated with its misuse when combined with other data, major holders of HGD should take into account additional factors when assessing whether and how to transfer this data internationally, what risks might exist and what safeguards might be needed to sufficiently protect that data. This includes when considering whether to allow access by users outside the UK. UK GDPR sets out rules when considering these transfers.

Major holders of HGD should first consider if there are UK adequacy regulations that cover the recipient in the destination country (territory or sector). If there are, major holders of HGD do not need to put any additional transfer safeguards in place and they can make the transfer.

If there are no adequacy regulations covering the recipient in the destination country, data holders are required to put in place ‘appropriate safeguards’ and carry out a transfer risk assessment (TRA). Major holders of HGD could use the Information Commissioner’s Office (ICO) TRA tool to complete their TRA.

Given the potential personal impacts that could be associated with HGD, it is likely to be considered a ‘high harm risk’ category of data transfer. UK GDPR requires supplementary measures to be put in place if, after risk assessment, relevant tests are not likely to be met. Under these circumstances, major holders of HGD could consider the criteria and indicators set out in this guidance for non-UK GDPR adequate countries when assessing whether the data protection test is met.

Major holders of HGD should consider whether any transfers may breach UK sanctions, including whether there is a risk of data being sent on to sanctioned destinations through third countries.

Protective security

Major holders of HGD should have robust physical and personnel security measures in place to manage insider risk and to protect their physical environment. Holders are recommended to follow the guidance already issued by the National Protective Security Authority and at a minimum are expected to have conducted role-based risk assessments and have a well-developed insider risk mitigation programme.

Introduction

The UK is a global leader in the collection, collation and understanding of human genomic data. Its use in research and development contributes significantly to global scientific benefit and economic growth. Such use helps scientists understand the causes and drivers behind disease and accelerates the discovery of new treatments from industry and academia. The 10 Year Health Plan sets out how science and technology will support the reinvention of the NHS and how genomics will be crucial to delivering personalised pre-emptive care. Harnessing the UK’s world-leading genomics capabilities is an important ambition of the Life Sciences Sector Plan.

However, maintaining public trust in how their health data is used is important - keeping data safe and secure is part of this. We also know that HGD, if shared without due care, has the potential to present national, economic and biological security risks to the UK. The 2023 UK Biological Security Strategy outlines how the UK will become resilient to a spectrum of biological threats and a world leader in responsible innovation. Over the last year, the UK government has been considering how the UK can maximise the benefits of global access and use of HGD, while managing security risks. This has involved engagement with holders of HGD and industry, as well as an external review of the risks and benefits. This guidance is the result of that work.

Legislation and guidance are already in place in the UK to reduce many of the risks (see annex). This guidance seeks to supplement this by setting clear expectations for how HGD is made available to approved users.

This guidance sets out recommendations and expectations for making human genomic data available in the future. We recognise that, in the past, some users may have downloaded HGD because the technology needed to provide access through SDEs was not sufficiently developed. This guidance does not make recommendations on how major holders of HGD should manage data that has already been downloaded. However, we expect major holders of HGD to have arrangements in place to identify and manage the risks associated with previously downloaded data.

Who this guidance is for

This guidance is intended for major holders of HGD funded by UK government that make that HGD available to external users. This applies to Genomics England, Our Future Health, UK Biobank, and NIHR BioResource.

It sets out how the UK government expects them to make decisions on how to make HGD available to external users, including those based outside the UK.

The Department of Health and Social Care (DHSC) is committed to moving to a system of ‘data access by default’ (with exceptions when justified) for secondary uses of health data including research. This change is supported by the implementation of SDEs. SDEs allow organisations to control:

  • who can access the data in the SDE as a user
  • the data in the SDE that users can access
  • what users can do with the data in the SDE
  • what information users can remove from the SDE

This guidance uses the ‘Five Safes framework’, developed by the Office for National Statistics, to set recommendations for how HGD can be made available safely and securely to external users. This guidance complements - and does not replace - existing guidance and frameworks for how HGD can be made available for and used by external users.

Holders of HGD should ensure that their processes for making data available accurately reflect the consent their participants have given (when this is applicable to them).

How human genomic - and other health - data can be made available safely and securely for a range of uses beyond direct care is rapidly developing as technology advances. Therefore, we will keep this guidance under review and update when required.

Terminology

The following terms are used throughout this guidance.

Airlock

A secure gateway that controls what data and tools can be allowed into or removed from a secure data environment.

Adequate

A status granted by the UK government to countries (territories or sectors) which provide a standard of protection for personal data that is ‘not materially lower’ than in the UK, in accordance with Article 45A of UK GDPR.

Health data

Personal data related to the physical or mental health of an individual, including the provision of health care services, which reveal information about that individual’s health status.

Human genomic data (HGD)

Personal data relating to the inherited or acquired genomic characteristics of a natural person which can give unique information about the physiology, characteristics or the health of that person and which result, in particular, from an analysis of the interplay of the genetic information of a natural person and their environment. For the purposes of this guidance, only whole genome sequences and genotypic data are in scope.

Insider risk

Insider risk is the likelihood of harm or loss to an organisation, and its subsequent impact, because of the action or inaction of an insider. An insider is a person who has, or previously had, authorised access to or knowledge of the organisation’s resources (including people, processes, information, technology and facilities).

International data transfer

The transfer of personal information to a person or organisation in a third country outside the UK. This includes making personal information accessible to a person or organisation in a third country (for example, through an SDE). For a detailed definition and further guidance, see the ICO website.

Research

The use of health data to attempt to derive generalisable or transferable new knowledge to answer or refine relevant questions with scientifically sound methods for reasons including, but not limited to, developing and testing new medicines and technologies, or understanding more about the diagnosis, care and management of disease.

Secondary uses (of data)

The use of health data for purposes alongside or beyond an individual’s direct care, such as planning and commissioning services or research. Although much of the data that is made available by holders of HGD will have been collected directly by them and not as part of an individual’s direct care, this guidance continues to use the term ‘secondary uses’ for clarity and because it is widely understood.

Secure data environment (SDE)

A data storage and access platform that allows an organisation to make data available to approved users for analysis without data that enables the identification of participants leaving the environment. For the purposes of this guidance, the SDE should not allow these types of data to be released. Some organisations use the term ‘trusted research environment’ - in this guidance, references to an SDE should also be read as references to a trusted research environment.

UK GDPR

The UK General Data Protection Regulation.

User

Individuals who are approved to use the HGD for research that is intended to benefit human health or has a wider public benefit. This includes people working in an academic institution, an NHS organisation, a charity, a pharmaceutical company or another commercial organisation such as a tech company.

Recommendations

Major holders of HGD should take account of the recommendations in this guidance across all 3 parts:

  • Five Safes
  • what to consider when making data available to users outside the UK
  • expectations on protective security

Five Safes

Safe settings

Major holders of HGD should only make HGD available through one or more SDEs (sometimes referred to as trusted research environments). The SDE should be designed and operated to enforce security controls by default, to avoid reliance on user behaviour or contractual compliance.

Increasingly, major holders of HGD may be part of federations of linked SDEs (which will allow researchers to analyse data across multiple SDEs without data leaving an individual SDE). This guidance is not intended to stop this from happening, but its recommendations should be taken into account when developing these federations.

In most cases, access to HGD will be through each holder’s own SDE. However, major holders of HGD can, subject to compliance with the relevant data protection legislation and any wider legal considerations, share their HGD outside of their SDE with a third party’s SDE for approved research projects, provided that the third party SDE has been assessed and approved in advance. This is because we recognise that in some instances a holder’s SDE may not be able to meet specific research requirements - for example, a user may have developed complex software or analytical tools that would be hard to recreate in the HGD holder’s own SDE. Where a major holder of HGD wishes to do this, that approval should be against standards that meet at least the minimum requirements set out in this guidance and should take account of:

  • the scale of access
  • the organisational controls in place
  • the ability of the environment to support secure, governed use of the data for the duration of the project

Once the relevant approved research project has been completed, the holder of HGD should ensure that the HGD is appropriately and securely removed from that third party SDE, or where retention is necessary, for example due to regulatory requirements, it is made inaccessible to users. Confirmation should be provided (for example, a data destruction certificate) that this has happened.

Major holders of HGD should consider how to identify anomalous activity by users, for example unexpected volumes of activity or repeated failed actions. This should be in addition to monitoring of inputs and outputs (for more detail, see below under ‘Safe outputs’).

Major holders of HGD should have robust cyber security arrangements in place to manage cyber risk and protect services from cyber threats. Following publication of the 2023 to 2030 health and care cyber strategy, Genomics England, Our Future Health, UK Biobank and NIHR BioResource are required to provide an annual return against the Cyber Assessment Framework-aligned Data Security and Protection Toolkit (CAF-aligned DSPT), demonstrating compliance with the minimum achievement level set through the CAF profile. In line with the evolving threat landscape, the minimum achievement level set through the CAF profile is due to increase up to 2030. Where organisations do not meet all contributing outcomes in the CAF profile, organisations must submit a time-bound, resourced and realistic improvement plan. Once confirmed with DHSC, the plan is subject to progress updates at agreed intervals.

Safe data

All information (including HGD) should be recorded, handled and stored appropriately, as the Health Research Authority (HRA)’s UK Policy Framework for Health and Care Research sets out. The framework makes it clear that this should be in such a way and for such time that the data can be accurately reported, interpreted and verified, while the confidentiality of individual research participants remains appropriately protected. These requirements apply alongside applicable data protection and confidentiality requirements.  

In addition, we expect that all HGD should have direct identifiers (that allow a user to directly identify an individual, such as name or full date of birth) removed. We recognise that the characteristics of HGD can make pseudonymisation challenging. However, holders should consider how to reduce the risk of reidentification, taking into account all of the means reasonably likely to be used, before it is made available to users.

Relevant legal and regulatory requirements and professional standards must be complied with. This includes ensuring that:

  • personal data is processed securely, accurately and in accordance with data protection principles under the UK GDPR
  • obligations of confidentiality are met when applicable
  • relevant research governance requirements are met

Users should carefully consider the minimum amount of data required for their project, as one of these principles is to use the minimum amount of personal data needed for the purpose intended. Chapter 8A of UK GDPR specifically covers data processed for research and this stipulates that data processing must be subject to appropriate safeguards including technical and organisational measures to ensure respect for data minimisation principles such as the use of pseudonymised data. The Caldicott Principles are also clear that only the minimum necessary information should be used. The amount of data necessary for a project will vary according to the nature of that project and it is for major holders of HGD to put in place policies to comply with these legal requirements and principles, including whether the data request is justified. Careful consideration should be given in particular to the breadth or scale of information requested from users, in general.

Safe people

Major holders of HGD should have robust policies and processes in place to assess individuals who are potential users, and the organisations sponsoring the project, to check that access is justified, before a user is allowed to access HGD in the SDE. Access should not be allowed until both user and organisation have been assessed and approved.

In general, organisations and users should have a demonstrable track record of research or projects intended to improve human health. However, we recognise that more recently established organisations and users at the start of their career may have less of a track record. Major holders of HGD may wish to take a risk-based approach, where organisations or users with less evidence of previous experience receive different or additional scrutiny so that holders can be satisfied of their suitability to access HGD.

At the start of a project, all those who will be accessing the HGD should be approved by the holder of HGD before access is allowed for that project. We recognise that who will require access can change over the lifetime of a project and there should be processes in place to formally add, as well as remove, users from a project by the holder.

Careful consideration should be given where a holder has information that shows that users or their sponsoring organisations have a previous history of data breaches or misuse of data. This can include asking applicants for any breaches they have been involved in or are responsible for, or checking the ICO’s list of enforcement action taken. Our expectation is that a history of serious data breaches or misuse of data means that a user should not be approved to access HGD. If a holder of HGD considers that access may be justified, then this should only be granted after carefully considering the nature and scale of previous breaches or misuse and being confident that actions have been put in place to prevent it happening again.

Organisations in which users are able to access HGD can include commercial organisations (such as pharmaceutical or other life sciences companies) where their purpose is to benefit human health. NHS England does not allow NHS data to be shared with insurance companies or marketing and this applies to NHS data shared with major holders of HGD.

Safe projects

As the policy guidelines on SDEs for NHS health and care data make clear, only research projects that are intended to benefit human health or deliver wider public benefit should be approved, and users should clearly describe the nature and extent of this in their application to access HGD. Major holders of HGD should be able to demonstrate they have appropriately weighed the risks of a project proceeding against its estimated benefits, to support public trust in the consistency and quality of decision making around who can access data.

The National Data Guardian has published guidance on assessing the overall public benefit of research, including relevant commercial considerations - major holders of HGD are encouraged to draw on this guidance. Projects should always have the relevant ethics approval when required (and provide proof of this) and projects that could be considered unethical - for example, those that are intentionally discriminatory - should never be approved. Approved projects should always be in line with the consent given by people who have shared or given their data.

We will consider arrangements for sharing appropriate information with major holders of HGD on the risks in this area, with a view to enabling them to make more informed decisions on whether to approve specific projects. The Research Collaboration Advice Team (RCAT) can provide support with advice to research institutions on the national security risks linked to international research.

Safe outputs

Major holders of HGD should only make HGD available through an access environment that has an appropriately robust airlock in place with checks on the information or tools being brought into the SDE or removed by the user. Airlocks are an important feature of the SDE access environment as they put in place controls on the data that is allowed to enter and leave the environment. For data leaving the SDE, these controls can include output statistical disclosure control.

As well as data and results, care should be taken with models trained on HGD in an SDE to ensure they do not inadvertently leak data or information. In general, only the results of analysis should be released - data that can identify participants should never be released. The exception to this is where HGD is being provided to a third party SDE that has been approved by the holder of HGD (as set out above).

Each major holder of HGD should have a documented process for controlling inputs to and outputs from the SDE, that should set out expected risks and how to mitigate them. All outputs should be subject to this process before they are allowed to leave the SDE. Outputs should be limited to the minimum required for sharing results of any analyses.

Output checking is currently manual but has the potential to be automated, at least in parts. Where an automated process is used, it should be able to identify higher risk outputs for manual checking. For example, this could include anomalous volume or file sizes, certain types of file formats or behavioural indicators of attempted exfiltration. We recognise that in the long term an automated process may be the only practical method for major holders of HGD that have large numbers of users.
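The following is an added example, not part of the guidance or any holder's own code: one way an automated airlock check could route higher-risk outputs to manual checking using the indicators named above (volume, file size and file format). The thresholds, extension list, user names and sample requests are assumptions constructed for illustration.

```python
import statistics
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed policy values for illustration; a holder would set its own.
GENOMIC_EXTENSIONS = {".vcf", ".bcf", ".bam", ".cram", ".fastq", ".fq"}
MAX_FILE_BYTES = 50 * 1024 * 1024     # per-file ceiling
MAX_DAILY_BYTES = 200 * 1024 * 1024   # per-user daily ceiling
ROBUST_Z_LIMIT = 6.0                  # median/MAD outlier cut-off
MIN_HISTORY = 5                       # approved outputs needed for a baseline

# Leading bytes of variant/alignment formats and opaque containers. Checked
# regardless of the file name, so a renamed file is still sent for review.
SIGNATURES = [
    (b"##fileformat=VCF", "VCF variant data"),
    (b"CRAM", "CRAM alignment data"),
    (b"\x1f\x8b", "gzip/BGZF container (contents not inspected)"),
]


@dataclass
class OutputRequest:
    user: str
    filename: str
    size: int     # bytes
    head: bytes   # first bytes of the file as read by the airlock


def size_outlier(size, history):
    """Robust z-score of `size` against the user's previously approved sizes."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    if mad == 0:
        # All past outputs were the same size: fall back to a simple ratio.
        return size > 2 * med
    return (size - med) / (1.4826 * mad) > ROBUST_Z_LIMIT


def triage(req, approved_sizes, exported_today=0):
    """Return the reasons an output needs manual checking (empty list = none)."""
    reasons = []
    suffixes = {s.lower() for s in PurePosixPath(req.filename).suffixes}
    if suffixes & GENOMIC_EXTENSIONS:
        reasons.append("file format: genomic data extension")
    for magic, label in SIGNATURES:
        if req.head.startswith(magic):
            reasons.append(f"file content: {label}")
            break
    if req.size > MAX_FILE_BYTES:
        reasons.append("file size: above per-file ceiling")
    if exported_today + req.size > MAX_DAILY_BYTES:
        reasons.append("volume: above daily ceiling for user")
    if len(approved_sizes) < MIN_HISTORY:
        # Fail safe: without a baseline the request goes to a human.
        reasons.append("file size: no baseline for user yet")
    elif size_outlier(req.size, approved_sizes):
        reasons.append("file size: outlier against user's approved outputs")
    return reasons


def run_samples():
    """Triage four constructed requests; returns {filename: [reasons]}."""
    history = {"researcher_a": [12_000, 15_000, 9_500, 14_200, 11_000, 13_300]}
    requests = [
        OutputRequest("researcher_a", "summary_table.csv", 13_000, b"gene,beta,se\n"),
        OutputRequest("researcher_a", "notes.txt", 40_000_000, b"##fileformat=VCFv4.2\n"),
        OutputRequest("researcher_a", "plots.tar.gz", 14_000, b"\x1f\x8b\x08\x00"),
        OutputRequest("researcher_b", "cohort.vcf", 2_000, b"##fileformat=VCFv4.2\n"),
    ]
    return {r.filename: triage(r, history.get(r.user, [])) for r in requests}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(name, "->", reasons or "no automated flag")
```

An empty result only means none of these indicators fired; whether such an output can leave without manual checking remains a matter for the holder's documented process.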

Considerations for access by users based outside the UK

The protection of HGD has unique considerations compared to other kinds of data and so organisations may need additional support to ensure it is appropriately protected. These considerations relate to the sensitivity of this data and the potential for harms to arise if this data is misused. While this sensitivity should impact any organisation’s handling of HGD and how it approaches regulatory compliance, with respect to transferring personal HGD internationally, this will entail a need for robust transfer mechanisms, appropriate safeguards and careful due diligence to ensure the UK’s high standards of data protection remain if the data transfers across borders.

In many circumstances, HGD is likely to be personal data as defined in the UK GDPR, and, more specifically, special category data. For further guidance on special category data and the rules governing its processing, see the ICO For organisations page.

Given the sensitive nature of HGD and the potential for serious harms associated with its misuse, the UK government considers that major holders of HGD should take into account additional factors when:

  • assessing whether and how to transfer this data internationally (where this is personal data)
  • what risks might exist
  • what safeguards might be needed to sufficiently protect that data

UK GDPR sets out rules about transfers of personal data to separate organisations outside the UK. This includes where that data is made accessible to a separate entity outside the UK, including by access to data held in an SDE.

This section of the guidance is intended to help major holders of HGD who are processing personal HGD for health research purposes and seeking to make restricted transfers from the UK to a separate organisation (or individual) outside the UK. For the avoidance of doubt, given the specific sensitivity and potential for harm described, this guidance should only be considered in the context of processing personal HGD for health research purposes and should not have read-across to other personal data processing.

Under UK GDPR, data holders may be considered as ‘data controllers’ or ‘data processors’. This will vary depending on the specific circumstances. Major holders of HGD should map relevant contracts and personal data flows to clarify these roles, as part of their regulatory compliance for restricted transfers.

Major holders of HGD should first consider if there are UK adequacy regulations that cover the recipient in the destination country (territory or sector). If there are, major holders of HGD do not need to put any additional transfer safeguards in place and they can make the transfer. The ICO has guidance on using adequacy regulations. Data holders should also consider whether the measures they are taking to fulfil their UK GDPR obligations are appropriate in the context of the data being sent.

If there are no UK adequacy regulations covering the recipient in the destination country, major holders of HGD are required to put in place ‘appropriate safeguards’ and carry out a TRA. Article 46 of UK GDPR sets out a list of safeguards. Each safeguard is designed to ensure that both the sender and the receiver are legally required to protect people’s personal data. Given the sensitivities and potential for harms indicated, it is unlikely that transfers using derogations under Article 49 of UK GDPR would be appropriate for this context.

If major holders of HGD plan to use one of these safeguards, they should first complete a TRA. Completing a TRA helps data holders ensure that the standard of protection for people’s information is “not materially lower” than in the UK after they transfer it.

Major holders of HGD could use the ICO’s TRA tool to complete their transfer risk assessment. In line with the ICO’s TRA tool it is likely to be considered as a ‘high harm risk’ category of data transfer. Question 2 of the ICO’s TRA tool asks about the level of risk to people in the personal data being transferred. Question 4 asks whether the transfer is significantly increasing the risk of a human rights breach in the destination country for the people the transferred information is about.

Given the potential significant personal impacts that could be associated with HGD, it is likely to be considered as a ‘high harm risk’ category of data transfer. UK GDPR requires supplementary measures to be put in place if after risk assessment relevant tests are not likely to be met.

Under these circumstances, major holders of HGD could consider the below criteria and indicators for non-UK GDPR adequate countries when assessing whether the data protection test is met.

These factors are non-exhaustive and are intended to support, but not replace, the data holder’s own reasonable and proportionate assessment of the consideration of the risks. They should be considered alongside other relevant factors and should not be relied on as standalone factors. They do not create additional legal obligations.

When assessing whether and how to transfer this data internationally, major holders of HGD should consider whether any transfers may breach UK sanctions, including whether there is a risk of data being sent on to sanctioned destinations through third countries. Major holders of HGD are encouraged to seek independent legal advice where appropriate.

Criteria and/or indicators for non-UK GDPR adequate countries

When assessing the risks associated with transferring data to non-UK GDPR adequate countries, you should consider whether there are risks to people’s rights arising:

  • in the destination country from third parties accessing the information when they are not bound by the safeguards data holders put in place - these third parties include governments and public bodies
  • from difficulties enforcing any safeguards

With respect to this specific processing use-case, ensuring appropriate protection for personal HGD transfers, given the sensitive nature of this data, examples of indicators that may support these criteria include, but are not limited to:

Positive indicators:

  • countries that are ‘Five Eyes’ partners (Australia, Canada, New Zealand, United States)

Negative indicators:

  • whether countries have government access laws that compel access to personal data by government bodies, including law enforcement and national security agencies - you should consider whether the laws have appropriate limitations and oversight, and whether individuals have access to effective legal remedies
  • countries that have not ratified or acceded to the Biological and Toxin Weapons Convention
  • countries that have not ratified or acceded to the Chemical Weapons Convention

Major holders of HGD remain responsible for ensuring their own compliance with all aspects of UK GDPR, where applicable, including all data protection principles and data security requirements (including, but not limited to, the security of processing requirements in Article 32 of UK GDPR). In particular, with respect to chapter 5 of UK GDPR, reaching their own reasonable and proportionate assessments, taking into account the specific circumstances of each personal data transfer and, where applicable, relevant guidance from the ICO.

Protective security

We expect major holders of HGD to have robust physical and personnel security measures in place to manage insider risk and to protect their physical environment. They should be able to demonstrate effective security governance, risk assessments and have mitigations in place to manage them, that are approved by their board. Holders are recommended to follow the guidance already issued by the National Protective Security Authority (NPSA), and at a minimum are expected to have conducted role-based risk assessments and have a well-developed insider risk mitigation programme.

There is extensive advice and guidance on the NPSA website and NPSA is available to consult with HGD holders to direct them to the most appropriate guidance to meet their needs. The advice and guidance includes:

All employment contracts used by each holder should have clear requirements on data security and security more broadly. There should also be relevant training and awareness activities that are part of organisational mandatory learning requirements.

Implementation and next steps

Major holders of HGD should be meeting these recommendations already. Where they do not, we will work with them to ensure they are able to as early as possible.

This guidance will be reviewed at least every 6 months and updated when required.

Major holders of HGD should contact hgd.guidance@dhsc.gov.uk if they have any queries.

Annex: existing policy statements, guidance and frameworks

There are already existing policy statements, guidance and frameworks that set out how major holders of HGD should make data they hold available in a way that is safe and secure. These include but are not limited to:

DHSC:

Office for National Statistics:

HRA:

ICO:

National Data Guardian:

Other resources

Major holders of HGD can also consider the following resources: