Part of Introduction to the Secure Data Environment
Safe outputs
Overview
This chapter will introduce you to safely outputting from NHS England’s Secure Data Environment (SDE).
Safe outputs are the fifth of the five safes that provide confidence in the security of the SDE. Requested outputs go through our Output your Results service to ensure that they do not contain anything personally identifiable and to reduce the risk to an acceptable level.
You can access the Output your Results service from the shortcut icon on your SDE desktop.
Output your Results rules
There are a lot of different data sets within the SDE, and many types of files can be output. What constitutes personally identifiable data can be very broad and so the rules and principles of the output service are also quite broad.
Nothing personally identifiable can be output from the SDE. You will be limited on the number of outputs you can request each day and the length of these outputs . This is to ensure outputs can be handled by the Output Checking Service in a timely manner. These limits are specified in the Output your Results guidance.
Before continuing, you should read the Output your Results guidance for detailed rules on what can and can not be output from the SDE, how long it will take and what happens if an output is rejected.
Additional notes
Version controlled folders
Be cautious with submitted folders that come from GitLab version-controlled research projects stored in the virtual desktop home folder or collab drive. Version control adds a folder called '.git' that includes many small files, each of which will need to be checked by the Output Checking Service.
You should remove the '.git' folder from your output before you place it in the 'data out storage' drive.
Undeclared data outputs
There must be no undeclared data in outputs. For example, writing the output of a query storing potentially identifiable data in your code without mentioning it to the Safe Output Service. This must be mentioned in the context and you will need to ensure it follows the output rules.
For example: df.where(‘age = 30, gender = 1, ethnicity = J, heartdisease_flag=1, LSOA = E00000003’) # 3 people
This would be unacceptable as the conditions of the query contains specific details about individuals and then the comment # 3 people after the query indicates a smaller number count that could be used to identify that a person of that ethnicity, in that location, of that age and gender had heart disease.
The Safe Output Services’ sole responsibility is to ensure no personal data leaves the SDE. It is against the law to re-identify de-identified data.
Common problems
- data which has not been suppressed
- data that has not been rounded
- not submitting context alongside your output
- unreasonably long outputs and no forewarning or justification (context) given
- undeclared data included in code
- '.git' folder left in an output
If you are in any doubt about what can and cannot be output, we strongly recommend you contact the Output Checking Service by emailing [email protected].
How do I output?
Our guidance details how to output tables, images and code from the SDE. These should then be submitted through the Output your Results service, ensuring appropriate context and justification for the output is provided.
Output from the SDE by other means
It is forbidden to remove data from the SDE by means other than the Safe Output Service, as per section 7.5 of the end user access agreement.
This includes:
- screenshots
- screen sharing
- manually transcribing data
- any other method which attempts to circumvent the output checking service
If you intentionally or otherwise circumnavigate the output checking service and (therefore disclosure control), this will lead to penalties including the removal of your access to the SDE.
If you have any questions on what methods are acceptable to share data from within the SDE, email us at [email protected].
Last edited: 15 November 2024 2:33 pm