Secure access environments

​​​Who is this page intended for?

This page is for those seeking guidance on secure access environments, including when to use them and which environments are suitable. It also provides details on NSW Health's minimum requirements and the process for submitting a document addressing those requirements.

What is a secure access environment?

Secure access environments (SAEs), also known as trusted research environments (TREs), clean rooms, or digital research environments (DREs) provide a single location to access and analyse health datasets. The data and analytical tools are all in one place, a one -stop-shop for data access and analysis in a securely managed environment. SAEs help streamline access to data and allow multiple people to work on a single project, while increasing the confidence of patients and data custodians that data will be kept safe. Use of SAEs helps ensure health data and information is accessibl​e to those who need it, and the data is stored and used safely.

An image that represents a Secure Access Environment, showing data flows from end users and approved curators.

Secure access environments consist of two key features:

  • Curated gateway: a checkpoint for data and files moving in and out of the environment
  • ​Contained environment: project data, tools and software are kept in a single space, seperated by project​​.

When is a secure access environment recommended?

NSW Health approved secure access environments are recommended when:

  • Who: People not employed by NSW Health (for example researchers, consultants, system partners) or NSW Health employees for which the purpose is not directly related to their role, require access to:
  • What: NSW Health Unit Record Data that contains health information (meaning files with patient data, for example spreadsheets, databases, SAS files, EMR records):
  • Why: For a 'secondary purpose'1 (for example research, health service evaluation and planning). Excluding: secure transfers for mandatory reporting and data submissions (for example State, National and statutory reporting or submissions, GIPAA requests, Minimum Data Set submissions), directly related secondary purposes, primary purposes (for example providing care, transferring care, referrals), the provision of data to NSW Health
  • Where: Outside of NSW Health technology, information systems and assets.
  1. ‘Secondary use’ of data refers to any application of data beyond the reason for which they were first collected (known as the primary use or purpose). For example, the primary use of data collected to treat a patient in a hospital is to provide the patient with the care they need in that hospital episode; a secondary use could be to aggregate patients’ data to compare hospital performance across Australia. AIHW - Secondary use of health information.

NSW Health minimum requirements for secure access environments

NSW Health developed a set of minimum requirements to determine appropriate secure access environments for safely disclosing sensitive data, covering five key areas:

  1. Curated gateway: a checkpoint for data and files moving in and out of the environment.
  2. Contained environment: project data, tools and software are kept in a single space, seperated by project (like a secure hotel with secure rooms).
  3. Secure platform: the environment meets best-practice security standards.
  4. Analytics enabled: the environment provides all the tools and resources analysts need.
  5. Platform governance: the environment is well governed with clear roles and responsibilities.

Appropriate environments

When a Secure Access Environment has provided evidence of meeting the minimum requirements they will be listed below. If your preferred environment is not on this list, please refer to the requirements document below.

Requirements in detail

There are many secure access environments available, each with different purposes and technology. Accordingly, the NSW Health minimum requirements for SAEs have been developed to be comprehensive yet technology agnostic. The requirements will be updated in response to emerging needs.

Frequently asked questions

When will policy come into effect?

Changes will be reflected in policy in 2024. In the interim, many Data Custodians will be implementing changes to ensure future data disclosures will be compliant with policy.

I am concerned about the costs of these environments, what options are available?

Many Australian jurisdictions require the use of Secure Access Environments and is becoming the norm for many projects. End users will need to plan for the cost of the environment, including any requirements for long term archiving in their grant proposals or project budget. Each environment has their own pricing structure which depends on a multitude of factors, such as the number of users, performance required and software available. This means projects can pay for what they need. The cost of utilising these environments is far lower than the costs of a data breach: financial, reputational, and to patient privacy. Contact an approved environment to discuss pricing options.

I am a clinician employed by NSW Health that is also conducting research outside of my NSW Health role, do I still need to use a SAE?

Yes. Research that is conducted separately to your NSW Health role requires the use of secure access environments.

How do I find out more information?

Contact moh-datagovernance@health.nsw.gov.au.

Current as at: Thursday 30 November 2023