Secure data environments

Secure data environments provide a safe and controlled way for approved users to access health data. They keep data protected while supporting research, planning and analysis that benefit the health and well-being of patients and communities across NSW.

What is a secure data environment?

A secure data environment (SDE) is a protected virtual space where health data can be stored, accessed, and analysed safely. It uses strong security controls to keep the information private and prevent misuse.

SDEs are also known as trusted research environments (TREs), clean rooms or digital research environments (DREs), and have previously been called secure access environments (SAEs).

Diagram explaining secure access environments and roles. Inputs and outputs from Curated Gateway are curated and logged by approved users. Project-approved data, applications and services and analysis and outputs are hosted in a contained environment. End users can securely access the contained environment. Requests for outputs are transmitted from the contained environment via the curated gateway.
Secure data environment.

How secure data environments work

SDEs bring data and analysis tools together in one protected location. Approved users complete their work inside the environment, and the granular data stays there. When ready, users can then bring out their results in a summary form via a door (gateway) that is monitored and requires extraction approvals.

A short video from NHS UK explains the concept:

NSW Health is sharing this video with NHS UK permission to support public understanding of Secure Data Environments.

When is a secure data environment required?

A secure data environment is required when a Five Safes assessment of a request for data held by NSW Health identifies:

  • Safe data: When detailed, highly specific data that represents individual events, transactions or people, rather than high-level aggregated summaries, is shared outside of NSW Health.
  • Safe projects: Data are to be accessed for a purpose secondary to the purpose of the collection, and it is to be used for:
    • research
    • health service funding, management, planning or evaluation.
  • Safe people: The individuals with access to the data will be:
    • people not employed by NSW Health
    • NSW Health employees accessing data for purposes not directly related to their role, including NSW Health employees accessing data for a project as a part of secondary employment outside of NSW Health
    • NSW Health employees working with data that requires an SDE (e.g., highly sensitive data where the data custodian requires access within an environment to assist in managing risk)

Requirements for secure data environments

NSW Health has established Minimum Requirements for Secure Data Environments. These requirements are technology-agnostic and designed to ensure best-practice data security and governance across five key areas:

  • Input and output gateway (curation) - Checkpoint for data/files moving in and out with approved user review and immutable logging.
  • Contained environment - Project data and tools are kept in isolated spaces, separated by project.
  • Secure platform - Meets best-practice security standards (e.g., ISO 27001, IRAP, eHealth NSW PSAF, Essential Eight, NIST) with encryption, Australian hosting, and regular testing.
  • Analytics-enabled - Provides tools and resources analysts need.
  • Platform governance - Well governed with clear roles, responsibilities and operational procedures.
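
The sketch below shows how an output gateway could pair an automated pre-check with tamper-evident logging. It is an added example, not NSW Health's or any SDE provider's code. The small-cell threshold, the decision labels, the hash-chained log design and all names (`check_output`, `GatewayLog`, `request_export`, project "P-001") are assumptions made for illustration.

```python
import hashlib
import json

MIN_CELL = 5  # assumed small-cell threshold; the page does not state one
GENESIS = "0" * 64


def check_output(table, min_cell=MIN_CELL):
    """Flag non-zero counts below min_cell in an aggregated table (assumed rule)."""
    flagged = [row for row in table if 0 < row["count"] < min_cell]
    decision = "needs_human_disclosure_review" if flagged else "ready_for_approver"
    return decision, flagged


def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class GatewayLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

    def verify(self):
        """Return False if an entry was edited, reordered or cut from mid-log."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
                return False
            prev = entry["hash"]
        return True


def request_export(log, project, user, table):
    """Run the automated pre-check and log the request before any release."""
    decision, flagged = check_output(table)
    log.append({"project": project, "user": user, "decision": decision,
                "flagged_cells": len(flagged)})
    return decision


# Constructed sample: counts by age band for a hypothetical project "P-001"
SAMPLE = [{"age_band": "0-17", "count": 112},
          {"age_band": "18-64", "count": 340},
          {"age_band": "65+", "count": 3}]
```

Neither decision releases anything on its own: both still go to an approved reviewer. The chain alone cannot reveal removal of the most recent entries, so the latest hash should also be recorded outside the environment.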

SDE provider review

To be listed as meeting NSW Health requirements, an SDE provider completes a review that shows how their environment aligns with NSW Health’s minimum standards. This review considers documentation and evidence to confirm that key privacy, security and governance principles are in place.

Secure data environment review process

  1. Prepare your submission - Download the requirements and response template, complete and gather supporting evidence showing how the environment meets relevant NSW Health minimum standards.
  2. Submit for Review - Email your completed template and evidence to moh-datagovernance@health.nsw.gov.au, with the SDE name in the subject line.
  3. NSW Health Review - NSW Health Enterprise Data Governance Enablement (in collaboration with eHealth NSW Cybersecurity) will assess the submission. This typically takes 8-12 weeks and additional detail may be requested during the review.
  4. Agreement and Listing - If the environment meets the minimum requirements, an agreement is established outlining ongoing obligations. This agreement confirms that the provider will maintain ongoing adherence to NSW Health's minimum requirements and promptly notify NSW Health of any material changes or incidents. Once in place, the environment would be listed on this page.

SDEs meeting NSW Health minimum requirements

NSW Health is currently in the process of reviewing a number of SDEs to determine whether they meet the NSW Health minimum requirements for an SDE.
This page will be updated as soon as any SDE completes the review process and is confirmed to meet the NSW Health minimum requirements.

For now, organisations and researchers should continue using their existing approved environments.

Frequently asked questions


  • What types of analysis can I perform in an SDE?

    Statistical analysis, machine learning, data visualisation, natural language processing, and other analytical tasks using approved tools.

    How does an SDE help me manage risk?

    SDEs enforce governance rules through technical and procedural controls. They provide comprehensive audit trails and reduce the risk of unauthorised data sharing.

    Who should I contact for guidance?

    Contact moh-datagovernance@health.nsw.gov.au for guidance on SDEs, the assessment process or requirements.

    Can you provide examples of when SDEs are being used to keep NSW Health data safe?

    Many programs use SDEs to share NSW health data. Two current examples of programs that enable projects for public benefit are:

    • The Enduring Cancer Data Linkage (CanDLe) program
      • CanDLe enables Cancer Institute NSW to share data with trusted researchers to improve cancer care.
    • Bureau of Health Information (BHI) NSW Patient Survey Data Asset
      • BHI uses the Secure Unified Research Environment (SURE), run by Sax Institute, to provide access to NSW Patient Survey Program data for research. This allows researchers to develop new and original insights to improve patients' experiences and outcomes. BHI maintains oversight of the outputs to ensure privacy and validity of findings.

  • Does listing mean an SDE is certified or endorsed?

    No. The listing shows that the provider met the minimum requirements based on evidence submitted during the review. It is not a certification or endorsement by NSW Health.

    What happens if an SDE provider fails to maintain requirements?

    NSW Health will review the SDE and may remove them from the list if requirements are not maintained.

    What are example scenarios where an SDE is required?

    • A university researcher analysing specific health data.
    • A university PhD student using emergency department data for their thesis.
    • A consultant evaluating health service performance using patient records.
    • A NSW Health clinician conducting personal research outside their role as part of an approved research team.

  • How do I access an SDE as a researcher?

    Access is available to approved users who meet governance and ethical requirements. Typical users include researchers, consultants, universities, government agencies, charities/NGOs, and supervised students.

    Approved users can choose their own SDEs and discuss with the provider how their requirements are met, and if costs and governance are appropriate. The environment within which data will be stored and analysed must be defined in the approved study protocol. The SDE included can be chosen from the listed SDEs on this page.

    I'm a NSW Health clinician also conducting research outside of my role. Do I need to use an SDE to access and analyse data for this research project?

    Yes. If you are doing research outside your NSW Health role, you need to use an SDE that meets NSW Health requirements. This applies even if you work for NSW Health.

    Can a data user export raw data from an SDE?

    No. Individual-level data cannot leave the environment. Only approved, aggregated outputs that have passed disclosure control checks can be exported.

    What training is required before accessing an SDE?

    Before accessing an SDE, users must complete mandatory privacy and security training. This training covers key areas such as privacy obligations, security protocols, data handling, output review, and incident reporting. Specific requirements may vary by SDE provider, so check with your chosen provider for details.

    How long does it take to get access to an SDE?

    This varies by SDE provider and depends on the completeness of your application, approvals and training. Contact your chosen provider for their timeline.

    Can a data analyst use their own software or tools in an SDE?

    Most SDEs provide multiple analytics software. Some may allow you to bring your own licensed software at their discretion if it doesn't compromise security. Check with your provider.

    What if the data I need for my project cannot be analysed within an available SDE?

    Projects that are assessed as requiring an SDE must use an SDE. A data disclosure decision maker can only consider sharing data outside an SDE in a few specific cases. Examples of projects where the ADO may agree that an exception is warranted following a Five Safes assessment include:

    • the computing power required to process the data is not available within any listed SDE (e.g. genomic or imaging data analysis)
    • the analysis requires specific software that requires access to the internet, and there is no equivalent software that can operate within an SDE.
      • Here, additional assessment of the software is needed, to ensure data stays within the environment and is not released publicly.

    If an SDE is not feasible, meaning there are no available SDEs for data analysis, the requestor must provide supporting information to the relevant data disclosure decision maker for review. The requestor must demonstrate that an SDE cannot be used. They also need to confirm that qualified people such as NSW Health Cyber-Security and Enterprise Architects have reviewed the alternative environment for compliance with NSW Health guidance, policies and legislation.


  • How do I know if an SDE meets requirements?

    Check the list of assessed providers on this page. If not listed, the provider must complete the assessment process first.

    Can I load data directly to an SDE?

    Yes. SDEs that meet NSW Health requirements support data custodians (or trusted delegates) loading data directly through secure gateways.

    What happens after a project is completed?

    • Confirm data disposal per retention policies,
    • request disposal confirmation,
    • review final outputs if needed,
    • update your records.

    How long should data be retained in an SDE?

    Data retention should be determined at the start of the project and documented within the approved study protocol. Retention periods are not fixed for all projects. They depend on multiple factors, including requirements under

    • the State Records Act,
    • national research guidelines (NHMRC),
    • institutional research/data governance policies,
    • Human Research Ethics Committee (HREC) endorsement and 
    • any specific legal or funding conditions.

    Retention may be extended if required by legislation, funding arrangements, or other compliance obligations.

  • How long does the assessment process take?

    Typically 12+ weeks depending on submission completeness and complexity.

    What if my SDE uses different technology?

    Our requirements are technology-agnostic. Demonstrate how you meet the principles and standards regardless of specific technology choices.

    Can I submit updates to my SDE review?

    Yes. If your environment changes significantly, notify NSW Health and you may need to submit updated evidence.

    What ongoing obligations do I have after the review process is completed?

    • Maintain adherence to requirements,
    • notify NSW Health of material changes or incidents,
    • participate in periodic reviews,
    • provide required reporting.

    Does the SDE provider need an agreement with NSW Health?

    Yes. You need to sign an Agreement after a successful review. Then, your SDE can be listed on the NSW Health website.

  • What is input and output checking in an SDE?

    Input and output checking are controls used in SDEs to manage what data enters and leaves the environment.

    Input checking ensures that data loaded into an SDE is approved, appropriate for the project, and transferred safely through a secure gateway.

    Output checking ensures that the results leaving the SDE do not contain identifiable or disclosive information. Only approved outputs, such as aggregated tables, statistics or graphs, can be released.

    Output checking is done by, for example, a human reviewer or a designated output checker. They follow documented rules and approvals. Automated tools may support the process, but human review is needed if there is a risk of re-identification.

    SDE providers may have different approaches to checking inputs and outputs. However, all reviewed environments must show they have the right checks to protect privacy and lower disclosure risks.  

    What security standards are acceptable?

    Some of the security standards include ISO 27001, IRAP, eHealth NSW PSAF, ASD Essential Eight, NIST SP 800-37, and other recognised standards. See the requirement document for the complete list.

    Why is two-way penetration testing required?

    Break-in testing ensures external threats can't access data. Break-out testing ensures data can't leave without authorisation. Both are critical for SDEs.

    Can SDEs be accessed from outside Australia?

    Infrastructure and data must be hosted in Australia. Remote access from overseas may be permitted under strict controls. These controls will be documented in the Data Disclosure Agreement between the project lead and NSW Health.

    What encryption standards are required?

    Data must be encrypted at rest and in transit. Use strong encryption, such as AES 256-bit minimum, and manage encryption keys carefully.

  • I'm concerned about costs. What are my options?

    SDEs are becoming standard across Australian jurisdictions. Costs vary by provider. They depend on factors such as the number of users, performance requirements, and software needs. Most providers offer flexible pay-for-what-you-use models, so projects only pay for the resources they need.

    To manage costs:

    • include SDE expenses in grant proposals and project budgets early,
    • talk to providers about pricing options. Many offer scalable solutions and discounts for larger projects.

    Are there economies of scale for larger projects?

    Many SDE providers offer volume discounts or negotiated pricing for larger or longer-term projects. Discuss your needs with providers.

Need help?

Whether you're a researcher, data custodian, or SDE provider, our team is here to support you. Email moh-datagovernance@health.nsw.gov.au.

Current as at: Monday 2 March 2026