Skip to content

Domain C: Governance & Access

Focus: Legal, regulatory, and procedural frameworks; UK-wide coordination

Indicators: 11 (9 Core, 2 Enhancement)

The business question

How fast can we approve safe research? This is the primary friction point for industry.

Governance is the largest single determinant of whether a health data service can attract and retain users. Time-to-data metrics vary from weeks to years across the UK. This domain assesses the legal foundations, access committee efficiency, and UK-wide interoperability that determine whether researchers experience a streamlined pathway or an opaque bureaucracy. Three of the five Foundational Requirements sit in this domain.

Contains 3 Foundational Requirements

Indicators C.1.1, C.2.2, and C.4.1 are Foundational Requirements requiring a minimum of Level 3 for baseline participation.


Indicator Summary

ID Indicator Type Class Unit Foundational
C.1.1 Legal Basis for Processing Core B0 System ⚠
C.1.2 Legislative Environment Enhancement O System
C.2.1 Time-to-Data Core B0 Both
C.2.2 Data Access Committee Core B0 Both ⚠
C.2.3 Ethics Pathway Integration Core B0 Both
C.3.1 Mutual Recognition & Standards Core B0 Both
C.3.2 Cross-Border Legal Alignment Enhancement O System
C.3.3 Cross-sector Linkage Governance Core C6 System
C.4.1 Statistical Disclosure Control Core B0 Service ⚠
C.4.2 Researcher Accreditation Core B0 Both
C.4.3 Consent, Permissions & Restrictions Core B0 Both

CORE · B0 · System · ⚠ FOUNDATIONAL REQUIREMENT (minimum L3)

Level Description
L1 Legal basis unclear. Reliance on consent for all research. No systematic review.
L2 Framework developing. Review initiated. GDPR options assessed.
L3 Primary basis established. Controller/processor defined. Review process exists. Some ambiguity.
L4 Comprehensive basis. Clear documentation per dataset. Agreements in place. Timely guidance.
L5 Robust framework. Proactive horizon scanning. Contributing to national guidance. UK-wide and international support.

C.1.2 Legislative Environment

ENHANCEMENT · O · System

Level Description
L1 Significant barriers. Key statutes block secondary use. No reform pathway.
L2 Barriers identified. Policy engagement initiated. Interim approaches defined.
L3 Permits research under conditions. Constraints remain. Active in legislative review.
L4 Enabling environment with safeguards. Clear pathway. Compatible with UK-wide operation.
L5 Actively enables research. Legislation updated. Supports innovation within ethics.

C.2 — Access Efficiency

C.2.1 Time-to-Data

CORE · B0 · Both

Level Description
L1 No standard process. Case-by-case. >12 months where successful.
L2 Central function exists. Documentation drafted. Median 6-12 months.
L3 Operational process. Single application. Median 3-6 months. SLAs defined but not consistent.
L4 Single-gateway. Median <90 days. SLAs met >= 80%. Applicant support.
L5 Median <45 days. Tiered/fast-track approvals. Automated workflows. Top-quartile UK.

C.2.2 Data Access Committee

CORE · B0 · Both · ⚠ FOUNDATIONAL REQUIREMENT (minimum L3)

Level Description
L1 No formal DAC. Ad-hoc decisions. No criteria. No public benefit assessment.
L2 DAC established/forming. Terms defined. Public benefit criteria developing. Infrequent meetings.
L3 Operational DAC meeting monthly. Published criteria including NDG public benefit. Decisions documented. Lay members initiated.
L4 Efficient with clear criteria. Public benefit per NDG for every decision. Lay >= 25% with voting. Decisions within 2 weeks.
L5 Streamlined with risk-proportionate pathways. Public benefit methodology shared. Appeal process. Lay co-governance.

C.2.3 Ethics Pathway Integration & Proportionality

CORE · B0 · Both

Level Description
L1 Ethics pathway unclear or duplicative. Handled ad-hoc.
L2 Pathway mapped and documented. Proportionality intent stated.
L3 Standard ethics triage for common studies. Variable duplication remains.
L4 Integrated, risk-proportionate pathway. Tiered routes and SLAs tracked.
L5 Optimised pathway. Reuse/mutual recognition where lawful; learning loop and benchmarking.

C.3 — UK-Wide Integration

C.3.1 Mutual Recognition & Standards

CORE · B0 · Both

Level Description
L1 No UK-wide engagement. Organisation-specific agreements.
L2 Standards reviewed. Gap analysis. Participation initiated.
L3 Partial adoption (Alliance DAA). Mutual recognition of some approvals. Additional steps for UK-wide.
L4 Full adoption of UK-standard DAA. Mutual accreditation recognition. Single approval for UK-wide. Participating in governance.
L5 Leading contributor. Full interoperability. Supporting others. Contributing to Alliance standards.

ENHANCEMENT · O · System

Level Description
L1 No consideration of cross-border issues.
L2 Issues identified (NI-Ireland, Scotland common law). Initial assessment.
L3 Complexities documented with workarounds. Some friction.
L4 Arrangements address cross-border. Controller agreements enable UK-wide. Manageable overhead.
L5 Framework designed for UK-wide. Proactive resolution. International arrangements where relevant.

C.3.3 Cross-sector Data Sharing & Linkage Governance

CORE · C6 · System

Capability module

This indicator is mandatory only if claiming HDRS Capability 6 (Cross-sector linkage).

Level Description
L1 No cross-sector pathway. Roles, decision rights and feasibility unclear.
L2 Priority sectors identified. Draft principles/templates; DPIA/TRA approach emerging.
L3 Governance operational for >=1 sector. Templates in use; pilot linkage delivered.
L4 Repeatable pathway for multiple sectors. Defined accountabilities; performance tracked.
L5 Scaled and assured cross-sector linkage. Quality/bias monitored; good practice shared.

C.4 — Governance Assurance

C.4.1 Statistical Disclosure Control

CORE · B0 · Service · ⚠ FOUNDATIONAL REQUIREMENT (minimum L3)

Level Description
L1 No systematic control. Outputs released without review.
L2 Policy drafted. Training identified. Manual checking for some.
L3 Policy operational. Trained checkers. Manual review. Some delays.
L4 Systematic with guidelines. Trained team with capacity. SLA met. Semi-automated tools.
L5 Advanced with automated tools. Risk-based. Contributing to standards. Rarely delays.

C.4.2 Researcher Accreditation & Training

CORE · B0 · Both

Level Description
L1 No requirements. Access without competency demonstration.
L2 Requirements defined. Curriculum developing. Enforcement not systematic.
L3 Accreditation required. Training available. Status tracked. Some legacy gaps.
L4 Comprehensive with mandatory training, renewal, enforcement. Aligned with ONS RAS. Integrated.
L5 Advanced pathway. Tiered accreditation. Contributing to UK standards. Mentorship.

CORE · B0 · Both

Level Description
L1 Permissions/restrictions not captured. Applied inconsistently or discovered late.
L2 Inventory initiated. Key restrictions documented; enforcement mainly manual.
L3 Most restrictions documented and used in decisions. Manual checks common.
L4 Restrictions captured and enforced end-to-end. Audit trail and change control in place.
L5 Automated policy enforcement. Routine audits; scalable reuse (e.g., standard models where applicable).